I'm having trouble getting a custom app ctrl sig to work on 5.4.1. Basically i want to identify the use of a special type of browser, it's present in the user-agent field as 'Shield' and the header includes the unique field 'X-SHIELD-ID:'
I've got an app ctrl sensor that passes everything and a custom override with the sig below set to monitor, however the log identifies the app as http.browser_ie , which it basically is.
Can anyone see anything wrong in the syntax i've used, if not, is there another reason why this is getting logged at IE and not the custom sig?
GET /favicon.ico HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko; Shield X-SHIELD-ID: d0131c8c-fa23-4e74-9e1d-d6b8fa9489ed
F-SBID( --name "Shielded_Browser"; --protocol tcp; --service HTTP; --flow from_client; --parsed_type HTTP_GET; --pattern "Shield"; --context header; --no_case; --app_cat 25; )
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Just thought i'd report back how we got this signature to work, it may help others in the future.
As the browser was basically IE, the IE signature was 'beating' the custom signature. All we had to do was add the weight value to the sig and it worked
--weight 20;
Just thought i'd report back how we got this signature to work, it may help others in the future.
As the browser was basically IE, the IE signature was 'beating' the custom signature. All we had to do was add the weight value to the sig and it worked
--weight 20;
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1720 | |
1095 | |
752 | |
447 | |
234 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.