netmin
Contributor II

Custom [SSL/TLS] application signature name/risk level not shown in FortiView

Hi experts,

We are testing some custom application signatures (WIP), and while their names and risk levels show up in the traffic logs, they do not appear in the FortiGate's FortiView application section (only the custom rule numbers are shown there, with no names and no risk level).

Does anyone know whether this is by design, a bug, or whether there is an additional option available somewhere to enable the FortiView lookup?


This is from the traffic logs:

These are the custom signatures under test (provided FYI, work-in-progress):

F-SBID( --name "SSLv1.0"; --app_cat 15; --protocol tcp; --flow bi_direction; --service SSL; --parsed_type SSL_PCT; --technology 0; --vendor 0; --risk 5; --pop 0; )
F-SBID( --name "SSLv2.0"; --app_cat 15; --protocol tcp; --flow bi_direction; --service SSL; --parsed_type SSL_V2; --technology 0; --vendor 0; --risk 5; --pop 1; )
F-SBID( --name "SSLv3.0"; --app_cat 15; --protocol tcp; --flow bi_direction; --service SSL; --pattern "|16 03 00|"; --within 3,packet; --technology 0; --vendor 0; --risk 4; --pop 3; )
F-SBID( --name "TLSv1.0"; --app_cat 15; --protocol tcp; --flow bi_direction; --service SSL; --pattern "|16 03 01|"; --within 3,packet; --technology 0; --vendor 0; --risk 3; --pop 3; )
F-SBID( --name "TLSv1.1"; --app_cat 15; --protocol tcp; --flow bi_direction; --service SSL; --pattern "|16 03 02|"; --within 3,packet; --technology 0; --vendor 0; --risk 3; --pop 3; )
F-SBID( --name "TLSv1.2"; --app_cat 15; --protocol tcp; --flow bi_direction; --service SSL; --pattern "|16 03 03|"; --within 3,packet; --technology 0; --vendor 0; --risk 2; --pop 3; )

Each of the signatures is additionally completed on the CLI:

config application custom
    edit "<name here>"
        set comment ''
        set signature "<signature here>"
        set category 15
        set protocol TCP SSL
        set technology Network-Protocol
        set vendor Other
    next
end

(Using the definitions this way requires overriding the rules individually; otherwise only 'SSL' is detected.)


All comments are appreciated.
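As an added illustration (not the poster's or Fortinet's code), here is a small Python parser for the pattern-based F-SBID rules quoted above that applies their --pattern/--within checks to constructed TLS record bytes and reports the matched name and risk, i.e. what the traffic log shows. The option grammar in OPT_RE and the reading of "--within N,packet" as "the pattern must lie inside the first N bytes of the packet" are assumptions.

```python
import re

# Constructed sample input: the four pattern-based F-SBID rules quoted in the post.
FSBID_RULES = [
    'F-SBID( --name "SSLv3.0"; --app_cat 15; --protocol tcp; --flow bi_direction; --service SSL; '
    '--pattern "|16 03 00|"; --within 3,packet; --technology 0; --vendor 0; --risk 4; --pop 3; )',
    'F-SBID( --name "TLSv1.0"; --app_cat 15; --protocol tcp; --flow bi_direction; --service SSL; '
    '--pattern "|16 03 01|"; --within 3,packet; --technology 0; --vendor 0; --risk 3; --pop 3; )',
    'F-SBID( --name "TLSv1.1"; --app_cat 15; --protocol tcp; --flow bi_direction; --service SSL; '
    '--pattern "|16 03 02|"; --within 3,packet; --technology 0; --vendor 0; --risk 3; --pop 3; )',
    'F-SBID( --name "TLSv1.2"; --app_cat 15; --protocol tcp; --flow bi_direction; --service SSL; '
    '--pattern "|16 03 03|"; --within 3,packet; --technology 0; --vendor 0; --risk 2; --pop 3; )',
]

# Assumed option grammar: "--key value;" where value is double-quoted or bare text up to ';'.
OPT_RE = re.compile(r'--(\w+)\s+("[^"]*"|[^;]+);')


def parse_fsbid(rule):
    """Split an F-SBID( ... ) rule into an option -> value dict, quotes stripped."""
    body = rule.strip()
    if not (body.startswith('F-SBID(') and body.endswith(')')):
        raise ValueError('not an F-SBID rule: %r' % rule)
    opts = {}
    for key, val in OPT_RE.findall(body[len('F-SBID('):-1]):
        val = val.strip()
        opts[key] = val[1:-1] if val.startswith('"') else val
    return opts


def pattern_bytes(pat):
    """Turn a --pattern value into bytes: text between '|' pipes is hex, the rest is literal."""
    out = bytearray()
    for i, chunk in enumerate(pat.split('|')):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode('latin-1')
    return bytes(out)


def rule_matches(opts, packet):
    """Assumed semantics of '--within N,packet': the pattern must lie inside the first N bytes."""
    needle = pattern_bytes(opts['pattern'])
    within = int(opts['within'].split(',')[0])
    return needle in packet[:within]


def classify(packet, rules=FSBID_RULES):
    """Return (name, risk) of the first matching rule, or None when nothing matches."""
    for rule in rules:
        opts = parse_fsbid(rule)
        if rule_matches(opts, packet):
            return opts['name'], int(opts['risk'])
    return None
```

These patterns key on the record-layer version bytes of the first record, which is the version a client advertises there (many TLS 1.2 and 1.3 ClientHellos still carry 03 01 or 03 03 at that position), not necessarily the version finally negotiated.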
