
Administration Guide

Configuring custom signatures

IPS signatures are the basis of signature-based intrusion prevention. Every attack can be reduced to a particular string of commands or a sequence of commands and variables. See Intrusion prevention for more information.

An IPS signature identifies characteristics of a packet that are unique to an attack, such as the protocol type, an option/value pair within the payload, other special aspects of the payload, or specific application options. Custom IPS signatures can be created to block, monitor, or quarantine specific traffic that is not covered by the IPS definitions list. To view the IPS definitions list:

  • Go to Security Profiles > IPS Signatures.

  • Go to Security Profiles > Intrusion Prevention, edit an existing IPS sensor, and click View IPS Signatures in the right-hand pane.

  • Go to System > FortiGuard, in the License Information table expand Intrusion Prevention, and in the IPS Definitions row click Actions > View List.

An application signature identifies characteristics of a packet that are unique to an application. Custom application signatures can be used in application control profiles to block traffic from specific applications that are not covered by the application control signatures list. To view the application control signatures list:

  • Go to Security Profiles > Application Signatures and select the Signature view.

  • Go to Security Profiles > Application Control, edit an existing application sensor, and click View Application Signatures in the right-hand pane.

  • Go to System > FortiGuard, in the License Information table expand Firmware & General Updates, and in the Application Control Signatures row click Actions > View List.

Application groups can be created by selecting individual applications, or by filtering by application category. The groups can then be used in firewall policies.

For information about the syntax for building IPS and application control signatures, see the Custom IPS and Application Control Signature Syntax Guide.

To make the application signatures settings visible in the GUI:
  1. Go to System > Feature Visibility.

  2. In the Security Features section, enable Application Control.

  3. Click Apply.

To configure custom signatures:
  1. Open the editor for the type of signature you are creating:

    • To configure custom application signatures, go to Security Profiles > Application Signatures and click Create New > Custom Application Signature. See Blocking applications with custom signatures for an example.

    • To configure custom IPS signatures, go to Security Profiles > IPS Signatures and click Create New.

  2. Configure the following settings:

    Name: Enter a unique name for the signature.

    Comments: Enter a comment (optional).

    Signature: Enter the signature.

  3. Click OK.
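A worked instance of the Signature setting for a custom IPS signature, with the equivalent CLI entry. This is an added example, not taken from the original guide: the signature name, comment, and host name blocked.example.com are constructed placeholders, and the options shown are a small subset of those covered in the Custom IPS and Application Control Signature Syntax Guide.

```text
# Constructed example: matches HTTP requests from a client whose Host
# header contains the placeholder name blocked.example.com.

# Value for the Signature field in the GUI (entered as a single line):
F-SBID( --name "Example.Custom.HTTP.Host"; --protocol tcp; --service HTTP; --flow from_client; --pattern "blocked.example.com"; --context host; --no_case; )

# Equivalent CLI entry. The signature is passed as one quoted string,
# so the double quotes inside it are escaped with a backslash.
config ips custom
    edit "Example.Custom.HTTP.Host"
        set signature "F-SBID( --name \"Example.Custom.HTTP.Host\"; --protocol tcp; --service HTTP; --flow from_client; --pattern \"blocked.example.com\"; --context host; --no_case; )"
        set comment "Constructed example: HTTP requests to blocked.example.com"
    next
end
```

Add a new signature to an IPS sensor with the monitor action first and review the resulting logs before changing it to block, so that an overly broad pattern shows up as log entries rather than dropped sessions.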

To configure application groups:
  1. Go to Security Profiles > Application Signatures and click Create New > Application Group.

  2. Configure the following settings:

    Group Name: Enter a unique name for the signature group.

    Type: Set the application group type, either application ID or application filter. See Filters for application control groups for information about the available filters.

    Members: Select the applications or filter to include in the group.

    Comments: Enter a comment (optional).

  3. Click OK.

    See Application groups in traffic shaping policies for more information.
