rate, track

These two keywords make it possible to tell the IPS engine that instead of triggering a signature every time it is matched, it should only trigger if the signature is matched a given number of times within a specified time period. This feature can be used in reporting slow port scans, brute-force login attempts, and similar behavior.

For a regular signature, the IPS engine first compares all of the keyword options other than rate and track. If all the options are matched, IPS checks whether rate is specified for the signature. If it is not, IPS triggers the signature. If it is, IPS increases the counter and updates the timestamp, and checks whether the trigger rate has been reached.

Syntax:
--rate <count>,<duration>[,<limit>];

field        Description
<count>      The number of matches that must be seen before a log entry is generated.
<duration>   The time period over which matches are counted, in seconds.
[limit]      Counts matches in strict time rather than averaging over a period, which improves the accuracy of the matched packet count.

For example, --rate 400,1,limit;

--track <keyword>;

<keyword> specifies the packet property to track. The following case-insensitive keywords are accepted:

<keyword>           Description
src_ip              Track the packet's source IP address.
dst_ip              Track the packet's destination IP address.
dhcp_client         Track the DHCP client's MAC address.
dns_domain          Track the domain name in the DNS query record.
dns_domain_and_ip   Track DNS responses that carry the same domain name and IP address.

Notes
  • If --track is specified, each distinct value of the tracked property gets its own counter: a matched packet is only added to the counter for the value it carries.
  • If --rate is used without --track, all matched packets are added to a single counter and the signature is reported once the threshold is reached.
  • By default, IPS counts the average number of packets over a period of time, which can let some extra packets through before the signature triggers. The limit keyword was added so that counting is done in strict time; when limit is enabled the packet count is more accurate.
Example:
F-SBID( --name DHCP.FLOOD; --protocol UDP; --service DHCP; --dhcp_type 1; --rate 100,10; --track DHCP_CLIENT; )

This signature indicates that if IPS sees DHCP discover requests (--dhcp_type 1;) more than 100 times within 10 seconds (--rate 100,10;) from the same DHCP client (--track dhcp_client;), then an alert is generated.
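The following is an added illustration, not Fortinet code: it models the documented --rate/--track semantics as a strict sliding window (the behaviour the page attributes to the limit keyword) and replays the DHCP.FLOOD example against constructed events from a flooding client and a benign client. The RateTracker and dhcp_flood_alerts names, the reset of a counter after it fires, and the use of "count reached" (rather than "count exceeded") as the trigger are assumptions made here.

```python
"""Model of --rate <count>,<duration> with --track <keyword>.

Added illustration, not Fortinet code. Assumes strict sliding-window
counting (the page's `limit` behaviour); the averaging mode is not modelled.
"""
from collections import defaultdict, deque


class RateTracker:
    """Fire once per tracked key when `count` matches fall within `duration` seconds."""

    def __init__(self, count, duration, track=None):
        self.count = count                 # --rate <count>
        self.duration = duration           # --rate <duration>, in seconds
        self.track = track                 # --track keyword, or None for one shared counter
        self.windows = defaultdict(deque)  # tracked value -> timestamps of matches

    def match(self, packet, now):
        """Record a matched packet at time `now`; return True if the threshold is reached."""
        # Without --track every matched packet shares the single counter keyed by None.
        key = packet.get(self.track) if self.track else None
        window = self.windows[key]
        window.append(now)
        # Strict time: discard matches that fell out of the duration window.
        while window and now - window[0] >= self.duration:
            window.popleft()
        if len(window) >= self.count:
            window.clear()  # assumption: the counter restarts after an alert
            return True
        return False


def dhcp_flood_alerts(events, count=100, duration=10, track="dhcp_client"):
    """Replay (time, packet) events through --rate 100,10 --track dhcp_client; return alerts."""
    tracker = RateTracker(count, duration, track)
    return [(t, pkt.get(track) if track else None)
            for t, pkt in events if tracker.match(pkt, t)]


# Constructed sample: client aa:... sends 100 DHCP discovers in 5 s (a flood);
# client bb:... sends 100 discovers spread evenly over 100 s (benign).
SAMPLE = [(i / 20, {"dhcp_client": "aa:aa:aa:aa:aa:aa"}) for i in range(100)]
SAMPLE += [(float(i), {"dhcp_client": "bb:bb:bb:bb:bb:bb"}) for i in range(100)]
SAMPLE.sort(key=lambda ev: ev[0])

if __name__ == "__main__":
    print(dhcp_flood_alerts(SAMPLE))             # only the flooding client alerts
    print(dhcp_flood_alerts(SAMPLE, track=None))  # one shared counter, no per-client attribution
```

With --track, only the flooding client reaches 100 matches inside 10 seconds; without it the two clients' packets are pooled into one counter, so the alert cannot say which client was responsible.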
