Article Id 347378
Description: This article describes custom application signatures for applications that are commonly blocked.
Scope All supported versions of FortiOS.
Solution

To create a custom signature, follow the steps in the articles 'Blocking applications with custom signatures' and 'Technical Tip: How to configure custom IPS signature for a specific web site'.

 

This article lists configuration examples of application signatures that users commonly need to block. Copy the example into the CLI to create the custom signature for the corresponding application (the signature strings are wrapped by the page layout; enter each `set signature` value as a single line). The custom signature only takes effect once it is set to Block in an application sensor that is applied by a firewall policy.

 

YouTube APP on mobile: 

 

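# Custom application signature for the YouTube mobile app over UDP
# (--protocol udp, --flow from_client; application category 5).
# NOTE(review): the page rendering had split '--' from the option names
# (app_cat, pcre, byte_test). Every option must be written as '--option'
# with no space after the dashes, and the whole signature on one line,
# as in the other entries of this article.
config application custom
    edit "Youtube.custom"
        set comment ''
        set signature "F-SBID( --attack_id 2233; --name \"Youtube.custom\"; --protocol udp; --app_cat 5; --weight 20; --flow from_client; --byte_test 1,~,0x30,0; --byte_test 1,>,0xbf,0; --pcre \"/\\x00\\x00\\x00\\x01/\"; --context packet; --distance 1,context; --within 4,context; --byte_test 1,<,21,0,relative; --byte_jump 1,0,relative; --byte_test 1,<,21,0,relative; )"
        set category 5
    next
end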

 

Zalo APP:

 

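# Custom application signatures for the Zalo messenger app (application category 28).
# The first three TCP entries appear to be chained with --tag SET/TEST:
# Tag.Cli sets Zalo.Enc.Comm.Cli.Custom, Tag.Server tests it and sets
# Zalo.Enc.Comm.Server.Custom, and DETECT tests the server tag - so the
# three entries have to be created together.
# NOTE(review): each signature is written on a single line here; the page
# layout had wrapped them over several lines with blank lines in between.
# NOTE(review): '--flow from_Client' in the original Tag.Cli entry is written
# as 'from_client' to match every other entry in this article; confirm the
# keyword is case-insensitive if the original spelling has to be kept.
config application custom
    # NOTE(review): the trigger is a generic 'User-Agent: Mozilla/5.0' line in a
    # small first client packet; on its own it is not Zalo-specific and relies on
    # the later TEST entries to confirm the session.
    edit "Zalo.Tag.Cli.Custom"
        set signature "F-SBID( --attack_id 7530; --name \"Zalo.Tag.Cli.Custom\";--protocol tcp; --flow from_client;--seq =,1,relative; --data_size <0x70; --pattern \"User-Agent: Mozilla/5.0|0d 0a|\"; --context packet; --distance 0,context; --tag SET,Zalo.Enc.Comm.Cli.Custom; --weight 20;--app_cat 28;)"
        set category 28
    next
    # Server reply of exactly 19 bytes ('HTTP/1.0 200 OK' + CRLFCRLF) in a session
    # already tagged by Zalo.Tag.Cli.Custom.
    edit "Zalo.Tag.Server.Custom"
        set signature "F-SBID( --attack_id 2855; --name \"Zalo.Tag.Server.Custom\"; --protocol tcp; --flow from_server; --seq =,1,relative; --data_size =19; --pattern \"HTTP/1.0 200 OK|0d 0a 0d 0a|\"; --context packet; --within 19,context; --tag TEST,Zalo.Enc.Comm.Cli.Custom; --tag SET,Zalo.Enc.Comm.Server.Custom; --weight 20;--app_cat 28;)"
        set category 28
    next
    # Final detection: 275-byte client packet starting with |13 01 00 00| in a
    # session tagged by Zalo.Tag.Server.Custom.
    edit "Zalo.DETECT.Custom"
        set signature "F-SBID( --attack_id 7862; --name \"Zalo.DETECT.Custom\";--protocol tcp; --flow from_client; --data_size =275; --pattern \"|13 01 00 00|\"; --context packet; --within 4,context; --tag TEST,Zalo.Enc.Comm.Server.Custom; --weight 20;--app_cat 28;)"
        set category 28
    next
    # SSL session whose host (SNI) is failover.zingmp3.vn.
    edit "Zalo.fail.Over.Zing.Custom"
        set signature "F-SBID( --attack_id 2506; --name \"Zalo.fail.Over.Zing.Custom\";--protocol tcp; --service ssl; --pattern \"failover.zingmp3.vn\"; --context host; --distance 0,context; --weight 20;--app_cat 28;)"
        set category 28
    next
    # UDP payload check: |01 01 00 00 00 00| followed, 4 bytes later, by |65 97 3e 00|.
    edit "Zalo.UDP.Custom"
        set signature "F-SBID( --attack_id 3774; --name \"Zalo.UDP.Custom\"; --protocol udp; --flow from_client; --pattern \"|01 01 00 00 00 00|\"; --context packet; --pattern \"|65 97 3e 00|\"; --context packet; --distance 4; --app_cat 28; --weight 20;)"
        set category 28
    next
    # NOTE(review): this entry matches any UDP datagram to 42.119.138.0/24 with
    # no payload test, so it also covers non-Zalo traffic to that range and has
    # to be re-checked whenever the service's addresses change.
    edit "Zalo.UDP.Custom2"
        set signature "F-SBID( --attack_id 2596; --name \"Zalo.UDP.Custom2\"; --protocol udp; --dst_addr 42.119.138.0/24; --app_cat 28; --weight 20;)"
        set category 28
    next
end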

 

Monkey APP:

 

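# Custom application signature for the Monkey app: SSL session whose host
# (SNI) contains '.monkey.cool', case-insensitive (application category 23).
# NOTE(review): the signature is written on a single line and the entry is
# indented like the other examples; the page layout had wrapped the string
# across several lines.
config application custom
    edit "Monkey App"
        set signature "F-SBID( --attack_id 2918; --name \"monkey.SSL.Custom\"; --protocol tcp; --service ssl; --pattern \".monkey.cool\"; --context host; --no_case; --app_cat 23; --weight 20; )"
        set category 23
    next
end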

 

Webmail Bluewin:

 

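# Custom application signature for bluewin.ch webmail over cleartext HTTP:
# host contains 'bluewin.ch' and the URI matches '/.../email' (case-insensitive).
# NOTE(review): inner quotes are escaped as \" and the backslashes inside the
# pcre are doubled, as in the Youtube.custom entry; an unescaped quote would
# terminate the CLI string at the first one. The signature is one line.
# NOTE(review): --app_cat 21 in the signature and 'set category 23' below
# differ (the hispeed, sunrise and Telegram entries have the same mismatch);
# confirm which category is intended.
# NOTE(review): with --service HTTP this appears to cover plain-HTTP sessions
# only; an HTTPS webmail session would need an SSL/host entry like the
# hispeed one - confirm.
config application custom
    edit "bluewin"
        set signature "F-SBID( --name \"Mail.bluewin.ch.Custom\"; --protocol tcp; --service HTTP; --flow from_client; --app_cat 21; --weight 20; --pattern \"bluewin.ch\"; --context host; --no_case; --pcre \"/\\/.*\\/email/\"; --context uri; --no_case; --within 30,context; )"
        set category 23
    next
end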

 

Webmail Hispeed:

 

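# Custom application signature for hispeed.ch webmail: SSL session whose host
# (SNI) contains 'upcmail.hispeed.ch', case-insensitive.
# NOTE(review): inner quotes are escaped as \" (an unescaped quote would
# terminate the CLI string) and the signature is written on a single line,
# consistent with the other entries in this article.
# NOTE(review): --app_cat 21 in the signature and 'set category 23' below
# differ; confirm which category is intended.
config application custom
    edit "hispeed"
        set signature "F-SBID( --name \"Mail.hispeed.ch.Custom\"; --protocol tcp; --service SSL; --app_cat 21; --weight 20; --pattern \"upcmail.hispeed.ch\"; --context host; --no_case; )"
        set category 23
    next
end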

 

Webmail Sunrise:

 

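# Custom application signature for sunrise.ch webmail: SSL session whose host
# (SNI) contains 'mip.sunrise.ch', case-insensitive.
# NOTE(review): inner quotes are escaped as \" (an unescaped quote would
# terminate the CLI string) and the signature is written on a single line,
# consistent with the other entries in this article.
# NOTE(review): --app_cat 21 in the signature and 'set category 23' below
# differ; confirm which category is intended.
config application custom
    edit "sunrise"
        set signature "F-SBID( --name \"Mail.sunrise.ch.Custom\"; --protocol tcp; --service SSL; --app_cat 21; --weight 20; --pattern \"mip.sunrise.ch\"; --context host; --no_case; )"
        set category 23
    next
end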

 

Telegram:

 

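# Custom application signature for Telegram: client TCP traffic to port 443
# destined for the listed Telegram address ranges. There is no payload test,
# so every TCP/443 session to those ranges is matched.
# NOTE(review): inner quotes are escaped as \" and the --dst_addr list is on
# one line; the page layout had wrapped it with a blank line in the middle.
# NOTE(review): --app_cat 28 and 'set category 23' differ, and unlike the other
# entries no --weight is set; confirm both are intended.
# NOTE(review): address-based matching has to be re-checked whenever the
# service's published ranges change.
config application custom
    edit "telegram"
        set signature "F-SBID( --name \"Telegram.Custom\"; --flow from_client; --app_cat 28; --protocol tcp; --dst_port 443; --dst_addr [149.154.172.0/22,149.154.160.0/22,149.154.164.0/22,91.108.4.0/22,91.108.56.0/22,95.161.64.0/22,2001:b28:f23d::/48,2001:67c:4e8::/48]; )"
        set category 23
    next
end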

 

Telegram File Transfer:

 

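# Custom application signature for Telegram file transfers: large client
# packets (>1024 bytes) to port 443 on the listed ranges, deep into the
# stream (--seq >,23000,relative; --ack <,1000,relative). The '!' patterns
# appear to exclude packets that begin with |16 03| or |17 03|.
# NOTE(review): inner quotes are escaped as \" (the negated patterns become
# !\"|16 03|\") and the signature is written on a single line, consistent
# with the other entries in this article.
# NOTE(review): --app_cat 28 and 'set category 23' differ; confirm which
# category is intended (same for the two FileTransfer entries below).
config application custom
    edit "telegram-file"
        set signature "F-SBID( --name \"Telegram.FileTransfer.Custom\"; --protocol tcp; --flow from_client; --dst_port 443; --seq >,23000,relative; --ack <,1000,relative; --data_size >1024; --dst_addr [149.154.172.0/22,149.154.164.0/24,91.108.56.0/24]; --pattern !\"|16 03|\"; --context packet; --within 2,context; --pattern !\"|17 03|\"; --context packet; --within 2,context; --app_cat 28; --weight 20; )"
        set category 23
    next
end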

 

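# Custom application signature for Telegram file downloads: the server-side
# counterpart of telegram-file (--flow from_server, --src_port 443,
# --src_addr on the listed ranges, --seq >,12000,relative).
# NOTE(review): inner quotes are escaped as \" (the negated patterns become
# !\"|16 03|\") and the signature is written on a single line, consistent
# with the other entries in this article.
# NOTE(review): --app_cat 28 and 'set category 23' differ; confirm which
# category is intended.
config application custom
    edit "telegram-file-download"
        set signature "F-SBID( --name \"Telegram.FileTransfer.Custom2\"; --protocol tcp; --flow from_server; --src_port 443; --seq >,12000,relative; --ack <,1000,relative; --data_size >1024; --src_addr [149.154.172.0/22,149.154.164.0/24,91.108.56.0/24]; --pattern !\"|16 03|\"; --context packet; --within 2,context; --pattern !\"|17 03|\"; --context packet; --within 2,context; --app_cat 28; --weight 20; )"
        set category 23
    next
end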

 

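# Custom application signature for Telegram file uploads: same shape as
# telegram-file (client packets >1024 bytes to port 443) with a lower
# --seq threshold (10000) and a longer --dst_addr list.
# NOTE(review): inner quotes are escaped as \" (the negated patterns become
# !\"|16 03|\") and the --dst_addr list, which the page layout had split
# across two lines, is written on one line.
# NOTE(review): 149.154.170.0/22 is not on a /22 boundary (the aligned block
# would be 149.154.168.0/22); confirm how the prefix should read and whether
# 149.154.171.0/24 is then still needed.
# NOTE(review): --app_cat 28 and 'set category 23' differ; confirm which
# category is intended.
config application custom
    edit "telegram-file-upload"
        set signature "F-SBID( --name \"Telegram.FileTransfer.upload.Custom\"; --protocol tcp; --flow from_client; --dst_port 443; --seq >,10000,relative; --ack <,1000,relative; --data_size >1024; --dst_addr [149.154.172.0/22,149.154.170.0/22,149.154.164.0/24,91.108.56.0/24,149.154.171.0/24,149.154.167.0/24]; --pattern !\"|16 03|\"; --context packet; --within 2,context; --pattern !\"|17 03|\"; --context packet; --within 2,context; --app_cat 28; --weight 20; )"
        set category 23
    next
end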

 

ADGUARD VPN:

 

# Custom application signature for AdGuard VPN: SSL session whose host (SNI)
# contains '.adguard.io', case-insensitive (application category 6).
# NOTE(review): the host pattern is not specific to the VPN product - other
# AdGuard services using adguard.io hostnames may match as well; confirm the
# intended scope before setting the signature to block.
config application custom

    edit "Adguard-VPN"

        set signature "F-SBID( --attack_id 4042; --name \"Adguard.SSL.Custom\"; --protocol tcp; --service ssl; --pattern \".adguard.io\"; --context host; --no_case; --app_cat 6; --weight 20; )"

        set category 6

    next

end

# Second AdGuard VPN signature: client-side SSL session whose host (SNI)
# contains 'rawdifficulty.live', case-insensitive (application category 6).
# NOTE(review): the entry name 'Adguard-custom 2' and the signature name
# 'Adguard.SSL.Custom7' do not match; harmless, but confusing when the
# signature shows up in logs.
config application custom

    edit "Adguard-custom 2"

        set signature "F-SBID( --attack_id 3248; --name \"Adguard.SSL.Custom7\"; --protocol tcp; --service ssl; --flow from_client; --pattern \"rawdifficulty.live\"; --context host; --no_case; --app_cat 6; --weight 20; )"

        set category 6

    next

end

 

Google Gemini:

 

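# Custom application signature for the Google Gemini app: SSL session whose
# host (SNI) contains 'proactivebackend-pa.googleapis.com', case-insensitive
# (application category 36, --weight 10).
# NOTE(review): inner quotes are escaped as \" (an unescaped quote would
# terminate the CLI string), consistent with the other entries in this article.
# NOTE(review): a googleapis.com host may be shared with other Google
# services; confirm what else is affected before setting this to block.
config application custom
    edit "Google-Gemini-App"
        set signature "F-SBID( --name \"Google.Gemini.Custom\"; --protocol tcp; --service SSL; --app_cat 36; --pattern \"proactivebackend-pa.googleapis.com\"; --context host; --no_case; --weight 10; )"
        set category 36
    next
end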

 

Chrome extension - 1VPN:

 

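# Custom application signature for the 1VPN Chrome extension: SSL session
# whose host (SNI) contains '.cloud', 'cdn' within 10 bytes of it, and
# '.site' (application category 6).
# NOTE(review): inner quotes are escaped as \" (an unescaped quote would
# terminate the CLI string), consistent with the other entries in this article.
# NOTE(review): the host fragments are generic and may match unrelated
# hostnames; and '--within 10' is written without ',context' unlike the other
# entries - confirm both before setting this to block.
config application custom
    edit "1VPN.Custom"
        set signature "F-SBID( --name \"1VPN.Custom\"; --app_cat 6; --weight 20; --protocol tcp; --service ssl; --pattern \".cloud\"; --context host; --pattern \"cdn\"; --context host; --within 10; --pattern \".site\"; --context host;)"
        set category 6
    next
end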