All custom signatures have a header and at least one keyword/value pair. The header is always the same:
F-SBID( )
The keyword/value pairs appear within the parentheses, and each pair is followed by a semicolon.
Every custom signature requires a name, so it is a good practice to assign a name before adding any other keywords. Use the --name keyword to assign the custom signature a name. The name value follows the keyword after a space. Enclose the name value in double quotes:
F-SBID( --name "File.Hash.Example"; )
The signature, as it appears here, will not do anything if used. It has a name, but does not look for any patterns in network traffic.
Use the --protocol tcp keyword to limit the effect of the custom signature to only TCP traffic. This will save system resources by not unnecessarily scanning UDP and ICMP traffic.
F-SBID( --name "File.Hash.Example"; --protocol tcp; )
The FortiGate unit will limit its search for the pattern to TCP traffic and ignore UDP and ICMP network traffic.
To match a file by its CRC32 checksum, use the --crc32 keyword. The value that follows is a hexadecimal number representing the CRC32 checksum of the file. The --crc32 keyword also requires the file length to be included. The syntax is --crc32 <checksum>,<file-length>;. The following example shows the syntax for a file with checksum 51480492 and file length 822.
F-SBID( --name "File.Hash.Example"; --protocol tcp; --crc32 51480492,822; )
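As an added example (not from the FortiGate documentation or product), the following Python builds a File.Hash.Example-style signature from a constructed file and parses an existing F-SBID string back into its keyword/value pairs, enforcing the rules above (header present, --name required, --crc32 carrying checksum and length). It assumes the checksum is written as eight zero-padded lowercase hex digits, which the page does not state.

```python
import re
import zlib

# Constructed sample file content (not from the page); 822 bytes, matching
# the page's example length.
SAMPLE_FILE = b"MZ\x90\x00" + b"A" * 818

HEADER_RE = re.compile(r"^F-SBID\(\s*(.*?)\s*\)$", re.S)
# Each pair: --keyword, optional value (quoted or bare), terminated by ';'
PAIR_RE = re.compile(r'--(\w+)(?:\s+("[^"]*"|[^;]*?))?\s*;')


def build_file_hash_signature(name: str, data: bytes, protocol: str = "tcp") -> str:
    """Build an F-SBID signature matching a file by CRC32 checksum and length.

    Assumption (not stated on the page): checksum formatted as 8 hex digits.
    """
    crc = zlib.crc32(data) & 0xFFFFFFFF
    return (f'F-SBID( --name "{name}"; --protocol {protocol}; '
            f'--crc32 {crc:08x},{len(data)}; )')


def parse_signature(sig: str) -> dict:
    """Parse the keyword/value pairs inside F-SBID( ... ) into a dict.

    Raises ValueError if the header is missing or --name is absent/empty,
    since the page states every custom signature requires a name.
    """
    m = HEADER_RE.match(sig.strip())
    if not m:
        raise ValueError("missing F-SBID( ) header")
    pairs = {}
    for kw, val in PAIR_RE.findall(m.group(1)):
        pairs[kw] = val.strip('"') if val else None
    if not pairs.get("name"):
        raise ValueError("custom signature requires --name")
    if "crc32" in pairs:
        checksum, length = pairs["crc32"].split(",")
        pairs["crc32"] = (int(checksum, 16), int(length))
    return pairs


def matches_file(sig: str, data: bytes) -> bool:
    """True if the signature's --crc32 checksum and file length match data."""
    pairs = parse_signature(sig)
    if "crc32" not in pairs:
        return False
    checksum, length = pairs["crc32"]
    return length == len(data) and (zlib.crc32(data) & 0xFFFFFFFF) == checksum
```

Because CRC32 is not collision resistant, a signature built this way identifies a specific known file transfer, not a tamper-proof hash match.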