Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
simonorch
Contributor

Custom app sig for a non-standard browser type

I'm having trouble getting a custom app ctrl sig to work on 5.4.1. Basically i want to identify the use of a special type of browser, it's present in the user-agent field as 'Shield' and the header includes the unique field 'X-SHIELD-ID:'

I've got an app ctrl sensor that passes everything and a custom override with the sig below set to monitor, however the log identifies the app as http.browser_ie , which it basically is.

Can anyone see anything wrong in the syntax i've used, if not, is there another reason why this is getting logged at IE and not the custom sig?

 

GET /favicon.ico HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko; Shield X-SHIELD-ID: d0131c8c-fa23-4e74-9e1d-d6b8fa9489ed

 

F-SBID( --name "Shielded_Browser"; --protocol tcp; --service HTTP; --flow from_client; --parsed_type HTTP_GET; --pattern "Shield"; --context header; --no_case; --app_cat 25; )

1 Solution
simonorch
Contributor

Just thought i'd report back how we got this signature to work, it may help others in the future.

 

As the browser was basically IE, the IE signature was 'beating' the custom signature. All we had to do was add the weight value to the sig and it worked

 

--weight 20; 

 

 

View solution in original post

1 REPLY 1
simonorch
Contributor

Just thought i'd report back how we got this signature to work, it may help others in the future.

 

As the browser was basically IE, the IE signature was 'beating' the custom signature. All we had to do was add the weight value to the sig and it worked

 

--weight 20; 

 

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors