Fortinet black logo

Custom IPS and Application Control Signature Syntax Guide

Home IPS Engine 3.6.0 Custom IPS and Application Control Signature Syntax Guide

Typical signature definition errors

3.6.0
7.4.0
7.2.0
7.1.0
7.0.0
6.4.0
6.2.0
5.2.0
3.6.0
Copy Link
Copy Doc ID f21167b4-200c-11e9-b6f6-f8bc1258b856:165358
Download PDF

Typical signature definition errors

  • Searching for an encoded pattern in a URI.

    Multiple encoding methods can be used in a URI. In order to have better coverage, you should try to match the decoded pattern whenever possible.

    For example, use --pattern “/../../”; --context uri; rather than --pattern “/..%c0%af../”; --context uri;.

  • Using special characters that are not escaped in PCRE.

    This can cause issues with detection. Since some characters have special meanings, they should be escaped by a backslash "\", or be expressed in hexadecimal format, like using \x2e for ".".

  • Using the port number instead of --service.

    The IPS engine identifies common services. Use these service types instead of their port number to define signatures. See Supported service types on page 8 for the available service types.

  • Using byte_test or byte_jump to perform relative matching after a previous URI match.

    Since the HTTP decoder has three buffers for URIs, relative matching can cause performance issues.

  • Not specifying the best context value, or not including any context.

    Using patterns to match the uri, header, banner, host, or body sectors of HTTP, IMAP, SMTP, POP3 or SSH traffic without using the --context keyword, reduces efficiency and increases the possibility of false positives.

Previous
Next

Typical signature definition errors

  • Searching for an encoded pattern in a URI.

    Multiple encoding methods can be used in a URI. In order to have better coverage, you should try to match the decoded pattern whenever possible.

    For example, use --pattern “/../../”; --context uri; rather than --pattern “/..%c0%af../”; --context uri;.

  • Using special characters that are not escaped in PCRE.

    This can cause issues with detection. Since some characters have special meanings, they should be escaped by a backslash "\", or be expressed in hexadecimal format, like using \x2e for ".".

  • Using the port number instead of --service.

    The IPS engine identifies common services. Use these service types instead of their port number to define signatures. See Supported service types on page 8 for the available service types.

  • Using byte_test or byte_jump to perform relative matching after a previous URI match.

    Since the HTTP decoder has three buffers for URIs, relative matching can cause performance issues.

  • Not specifying the best context value, or not including any context.

    Using patterns to match the uri, header, banner, host, or body sectors of HTTP, IMAP, SMTP, POP3 or SSH traffic without using the --context keyword, reduces efficiency and increases the possibility of false positives.

Previous
Next