FortiGate
akileshc
Staff
Description
This article describes the fields and syntax of a custom IPS signature and shows how to use them to build a custom signature, starting from the simplest possible signature and adding one keyword at a time.

Scope
FortiGate

Solution

Signature to block access to example.com.

 
This example shows how to create a custom signature to block access to the
example.com URL.
 
1) Custom signature basic format.
 
All custom signatures have a header and at least one keyword/value pair.
The header is always the same:
 
F-SBID( )
 
The keyword/value pairs appear within the parentheses and each pair is followed
by a semicolon.
 
2) Choosing a name for the custom signature.
 
Every custom signature requires a name, so it is good practice to assign a name
before any other keywords are added.
 
Use the --name keyword to assign the custom signature a name.
 
The name value follows the keyword after a space. Enclose the name value in double-quotes:
 
F-SBID( --name "Block.example.com"; )
 
The signature, as it appears here, will not do anything if used.
It has a name but does not look for any patterns in network traffic.
A pattern must be specified for the FortiGate unit to search for.
 
3) Adding a signature pattern.
 
Use the --pattern keyword to specify what the FortiGate unit will search for:
 
F-SBID( --name "Block.example.com"; --pattern "example.com"; )
 
The signature will now detect the example.com URL appearing in network traffic.
The custom signature should only detect the URL in HTTP traffic, however.
Any other traffic with the URL should be allowed to pass.
For example, an Email message to or from example.com should not be stopped.
 
4) Specifying the service.
 
Use the --service keyword to limit the effect of the custom signature to only the HTTP protocol.
 
F-SBID( --name "Block.example.com"; --pattern "example.com"; --service HTTP; )
 
The FortiGate will limit its search for the pattern to the HTTP protocol.
Even though the HTTP protocol uses only TCP traffic, the FortiGate will still search for
HTTP protocol communication in TCP, UDP, and ICMP traffic.
This is a needless waste of system resources.
 
5) Specifying the traffic type.
 
Use the --protocol tcp keyword to limit the effect of the custom signature to
only TCP traffic.
This will save system resources by not unnecessarily scanning UDP and ICMP traffic.
 
F-SBID( --name "Block.example.com"; --pattern "example.com"; --service HTTP; --protocol tcp; )
 
The FortiGate will limit its search for the pattern to TCP traffic and ignore UDP and ICMP network traffic.
 
6) Ignoring case sensitivity.
 
By default, patterns are case sensitive.
If a user directed their browser to Example.com, the custom signature would not recognize the URL as a match.
Use the --no_case keyword to make the pattern matching case insensitive.
 
F-SBID( --name "Block.example.com"; --pattern "example.com"; --service HTTP; --protocol tcp; --no_case; )
 
Unlike all of the other keywords in this example, the --no_case keyword has no value.
Only the keyword is required.
 
7) Limiting pattern scans to only traffic sent from the client.
 
The --flow command can be used to further limit the network traffic being scanned to only that sent by the client or by the server.
 
F-SBID( --name "Block.example.com"; --pattern "example.com"; --service HTTP; --protocol tcp; --no_case;
--flow from_client; )
 
Web servers do not contact clients until clients first open a communication session.
Therefore, using the --flow from_client keyword will force the FortiGate
to ignore all traffic originating from the server.
Since the majority of HTTP traffic flows from the server to the client, this will save considerable system
resources while still maintaining protection.
 
8) Specifying the context.
 
When the client browser tries to contact example.com, a DNS server is first consulted to
get the IP address of the example.com server.
That IP address is then what appears in the URL field of the HTTP communication.
The domain name will still appear in the HTTP host field, so the pattern must be searched there: this custom signature will not function without the --context host keyword/value pair.
 
F-SBID( --name "Block.example.com"; --pattern "example.com"; --service HTTP; --protocol tcp; --no_case;
--flow from_client; --context host; )
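To make the effect of each keyword visible, the following is an added example (not Fortinet code and not the FortiGate IPS engine): a small, hypothetical Python model that parses the F-SBID( ) header and keyword/value pairs as described in steps 1 to 8 and applies the keywords this article covers (--name, --pattern, --service, --protocol, --no_case, --flow, --context) as filters over constructed sample traffic records. The Packet fields, the sample traffic, and the way a missing --context falls back to searching the raw payload are all assumptions made for the illustration.

```python
import re
from dataclasses import dataclass

# Added example: a simplified, hypothetical model of how the F-SBID keywords in this
# article narrow a match. It is NOT FortiGate's IPS engine; it only implements the
# keywords the article discusses (--name, --pattern, --service, --protocol,
# --no_case, --flow, --context) so that their interaction can be observed.

HEADER_RE = re.compile(r"^\s*F-SBID\(\s*(.*?)\s*\)\s*$", re.DOTALL)
# One keyword/value pair: --keyword, an optional value (quoted or bare), a terminating ';'
PAIR_RE = re.compile(r'--(\w+)(?:\s+("(?:[^"\\]|\\.)*"|[^\s;]+))?\s*;')


def parse_fsbid(text):
    """Parse 'F-SBID( --kw value; --kw; ... )' into {keyword: value}; bare keywords map to True."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("signature must be wrapped in F-SBID( ... )")
    body, pos, keywords = m.group(1), 0, {}
    for pm in PAIR_RE.finditer(body):
        if body[pos:pm.start()].strip():
            raise ValueError(f"unparsed text before keyword: {body[pos:pm.start()]!r}")
        value = pm.group(2)
        if value is None:
            value = True                      # keyword without a value, e.g. --no_case
        elif value.startswith('"'):
            value = value[1:-1].replace('\\"', '"')
        keywords[pm.group(1)] = value
        pos = pm.end()
    if body[pos:].strip():
        raise ValueError(f"text after the last ';' is not a keyword/value pair: {body[pos:]!r}")
    if "name" not in keywords:
        raise ValueError("every custom signature needs --name")
    return keywords


@dataclass
class Packet:
    """Constructed traffic record as a decoder might hand it to the matcher (assumption)."""
    label: str
    protocol: str   # tcp / udp / icmp
    service: str    # application protocol identified for the session, e.g. HTTP, SMTP
    flow: str       # from_client or from_server
    payload: str    # raw payload, searched when no --context is given
    fields: dict    # decoded protocol fields, e.g. {"uri": ..., "host": ...}


def matches(sig, pkt):
    """Apply each keyword of a parsed signature as a filter; every filter present must agree."""
    if "protocol" in sig and sig["protocol"].lower() != pkt.protocol.lower():
        return False
    if "service" in sig and sig["service"].upper() != pkt.service.upper():
        return False
    if "flow" in sig and sig["flow"] != pkt.flow:
        return False
    pattern = sig.get("pattern")
    if pattern is None:
        return False  # step 2 of the article: a name alone matches nothing
    haystack = pkt.fields.get(sig["context"], "") if "context" in sig else pkt.payload
    if sig.get("no_case"):
        pattern, haystack = pattern.lower(), haystack.lower()
    return pattern in haystack


def evaluate(sig_text, packets):
    """Return the labels of the packets that a signature text would block."""
    sig = parse_fsbid(sig_text)
    return [p.label for p in packets if matches(sig, p)]


# Constructed sample traffic (not captured data); 192.0.2.x are documentation addresses.
SAMPLE = [
    Packet("browser-get", "tcp", "HTTP", "from_client",
           "GET /index.html HTTP/1.1\r\nHost: Example.com\r\n\r\n",
           {"uri": "http://192.0.2.10/index.html", "host": "Example.com"}),
    Packet("search-query", "tcp", "HTTP", "from_client",
           "GET /?q=example.com HTTP/1.1\r\nHost: search.example.net\r\n\r\n",
           {"uri": "http://192.0.2.20/?q=example.com", "host": "search.example.net"}),
    Packet("server-reply", "tcp", "HTTP", "from_server",
           "HTTP/1.1 200 OK\r\n\r\n<a href=\"http://example.com\">home</a>", {}),
    Packet("smtp-mail", "tcp", "SMTP", "from_client",
           "MAIL FROM:<alice@example.com>\r\n", {}),
    Packet("dns-lookup", "udp", "DNS", "from_client", "example.com", {"qname": "example.com"}),
]

# The signature after step 3 and the complete signature after step 8.
STEP3 = 'F-SBID( --name "Block.example.com"; --pattern "example.com"; )'
FINAL = ('F-SBID( --name "Block.example.com"; --pattern "example.com"; --protocol tcp; '
         '--service HTTP; --no_case; --flow from_client; --context host; )')

if __name__ == "__main__":
    print("step 3 blocks:", evaluate(STEP3, SAMPLE))
    print("final blocks: ", evaluate(FINAL, SAMPLE))
```

Run as written, the step 3 signature blocks the search query, the server reply, the mail and the DNS lookup but misses the actual browser visit (the Host header is capitalised and the match is case sensitive), while the step 8 signature blocks only the browser visit: --no_case catches "Example.com", --context host keeps "example.com" appearing in another site's query string from matching, and --flow, --service and --protocol discard the reply, the mail and the UDP lookup before the pattern is even searched.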
 
CLI Syntax (double quotes inside the signature string are escaped with a backslash so that the outer quoted string stays intact):
 
# config ips custom
    edit "Block.Example.Custom"
        set signature "F-SBID( --attack_id 5150; --name \"Block.example.com\"; --pattern \"example.com\"; --protocol tcp; --service HTTP; --no_case; --flow from_client; --context host; )"
        set action block
        set comment ''
    next
end
 
Note: if the custom IPS signature is added without the severity information, the default severity is critical.