byte_jump, byte_test

Use the byte_jump keyword to move the reference point. The distance to be skipped is calculated from the value of bytes at a specified offset.

Use the byte_test keyword to compare the value of bytes at the specified offset with a given value. The keyword does not move the reference point.

If the data to be processed or skipped is beyond the end of the packet, the option is considered unmatched.

Syntax:
--byte_jump <*|bytes>,<offset>[,<multiplier>[,<modifiers>]];
--byte_test <*|bytes>,<op>,<value>,<offset>[,<multiplier>[,<modifiers>]];

<field>

Description

*|bytes

Specifies the number of bytes from the payload to be converted. The value to be converted can be an ASCII string or binary.

If the value is in binary, select 1, 2, or 4 bytes to be converted.

If the value is an ASCII string, use the string modifier. For a fixed length ASCII field, specify the field's length. If it is a variable length ASCII field, use *, which will convert all bytes from the offset until the first nondigit character in the chosen base has been detected.

op

Defines the operator used to compare the value converted from the packet with the value specified. The following operators are accepted:

>

The value converted must be greater than the value specified.

<

The value converted must be less than the value specified.

=

The value converted must be equal to the value specified.

!

The value converted must be not equal to the value specified.

&

The value converted AND the value specified must be not equal to zero.

~

The value converted AND the value specified must be equal to zero.

^

The value converted XOR the value specified must be not equal to zero.

value

This is only used to match content in the URI field of an HTTP request.

Specifies the value to be compared. A hexadecimal number can be specified with the prefix 0x.

This also accepts variables and arithmetic operations (+ * /).

The following predefined variable is accepted:

$PKT_SIZE: the data will be compared with the packet size

offset

Specifies the starting point where the content should be converted in the payload. Negative offsets are accepted. See the relative modifier for more details.

multiplier

Optional. It must be a numerical value when present. The converted value multiplied by this number is the result to be compared or skipped.

modifiers

Accepts a combination (separated by commas) of the following values:

relative

Indicates that the offset should start from the last match point. Without it, the offset starts from the beginning of the packet.

big

Indicates that the data to be converted is in big endian (default).

little

Indicates that the data to be converted is in little endian.

string

Indicates that the data to be converted is a string.

hex

Indicates that the data to be converted is in hexadecimal.

dec

Indicates that the data to be converted is in decimal.

oct

Indicates that the data to be converted is in octal.

align

Rounds the number of converted bytes up to the next 32-bit boundary. Only used with byte_jump.

Examples:
--byte_jump 4,0,relative;
--byte_test 4,>,3536,0,relative;
--byte_jump 4,20,relative,align;
--byte_jump 4,0,4,relative,little;
--byte_test 4,>,0x7FFF,4,relative;
--byte_test 4,>,$PKT_SIZE,4,relative;
--byte_test 4,>,$PKT_SIZE,4,2,relative;
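The reference-point behaviour described above (byte_test compares without moving, byte_jump moves, out-of-packet data is unmatched) modelled in Python as an added example; this is not Fortinet's code. It assumes, as Snort-style byte_jump does, that the skip distance is measured from the byte after the converted field, and it walks a constructed length-prefixed payload to show relative offsets, endianness, multiplier, align, variable-length string fields and $PKT_SIZE.

```python
OPS = {'>': lambda a, b: a > b, '<': lambda a, b: a < b, '=': lambda a, b: a == b,
       '!': lambda a, b: a != b, '&': lambda a, b: (a & b) != 0,
       '~': lambda a, b: (a & b) == 0, '^': lambda a, b: (a ^ b) != 0}

def convert(payload, nbytes, offset, ref, mods):
    """Read one field; returns (value, end_of_field) or None when it lies beyond the packet."""
    start = (ref if 'relative' in mods else 0) + offset  # negative offsets are allowed
    if start < 0 or start >= len(payload):
        return None
    if 'string' in mods:
        radix = 16 if 'hex' in mods else 8 if 'oct' in mods else 10
        if nbytes == '*':  # variable length: stop at the first non-digit of the chosen base
            end = start
            while end < len(payload) and chr(payload[end]).lower() in '0123456789abcdef'[:radix]:
                end += 1
        else:
            end = start + nbytes
        if end == start or end > len(payload):
            return None
        try:
            return int(payload[start:end], radix), end
        except ValueError:  # fixed-length string field holds a non-digit
            return None
    if nbytes not in (1, 2, 4) or start + nbytes > len(payload):
        return None
    order = 'little' if 'little' in mods else 'big'  # big endian is the default
    return int.from_bytes(payload[start:start + nbytes], order), start + nbytes

def byte_test(payload, ref, nbytes, op, value, offset, multiplier=1, *mods):
    """--byte_test: compare the converted value; the reference point never moves."""
    conv = convert(payload, nbytes, offset, ref, mods)
    if conv is None:
        return False  # beyond end of packet -> unmatched
    if value == '$PKT_SIZE':
        value = len(payload)
    return OPS[op](conv[0] * multiplier, value)

def byte_jump(payload, ref, nbytes, offset, multiplier=1, *mods):
    """--byte_jump: returns the new reference point, or None when unmatched."""
    conv = convert(payload, nbytes, offset, ref, mods)
    if conv is None:
        return None
    skip = conv[0] * multiplier
    if 'align' in mods:
        skip = (skip + 3) & ~3  # round up to the next 32-bit boundary
    new_ref = conv[1] + skip  # assumption: skip starts right after the converted field
    return new_ref if new_ref <= len(payload) else None

# Constructed sample: [BE len=3]"ABC" [LE len=5]"hello" then the hex string "1f;"
PAYLOAD = b'\x00\x03ABC' + b'\x05\x00hello' + b'1f;'
```

Chaining `byte_jump(PAYLOAD, 0, 2, 0)` and then `byte_jump(PAYLOAD, 5, 2, 0, 1, 'relative', 'little')` steps the reference point over both records to offset 12, where the string field can be tested with `byte_test(PAYLOAD, 12, '*', '=', 31, 0, 1, 'relative', 'string', 'hex')`.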