Support Forum
magurayu
New Contributor

How to convert this rule?

How to convert this rule for FortiGate use?

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user agent - User-Agent User-Agent Mozilla"; flow:to_server,established; content:"User-Agent: User-Agent: Mozilla/"; fast_pattern:only; http_header; content:!"Accept"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/D67B6706559C5F7AB97CC788E668E27A29B7D2D39C9ACA93AF73778E53993339/analysis/; classtype:trojan-activity; sid:30918; rev:1;)

emnoc
Esteemed Contributor III

You can thank Bob on this one:

http://camerabob.dyndns.org:5190/Fortigate/

F-SBID ( --name SID30918; --protocol tcp; --flow to_server,established; --content "User-Agent: User-Agent: Mozilla/"; fast_pattern:only; http_header; --content !"Accept"; --revision 1;)

Also FTNT has a Snort-to-IPS rule converter that does a half-way decent conversion for basic rules, but you really need to dissect the rule and understand the FGT IPS syntax IMHO. YMMV depending on how complex or not the source SNORT rule is.

PCNSE
NSE
StrongSwan

magurayu
New Contributor

I have tried the website as per your reply. However, it still cannot be used. I don't know why?

FW version: v5.0, build0292

rwpatterson
Valued Contributor III

I don't know if your reply was that you tried and it did not work, or if the server was down. I have been working on the web server over the past few days. I ran your snippet through it and got the below:

F-SBID ( --name SID30918; --protocol tcp; --flow to_server,established; --content "User-Agent: User-Agent: Mozilla/"; fast_pattern:only; http_header; --content !"Accept"; --revision 1;)

The below was removed:

(001)(msg:"BLACKLIST User-Agent known malicious user agent - User-Agent User-Agent Mozilla"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/D67B6706559C5F7AB97CC788E668E27A29B7D2D39C9ACA93AF73778E53993339/analysis/; classtype:trojan-activity; )

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

rwpatterson
Valued Contributor III

From my limited exposure to SNORT and Forti-snort, I have learned that there are certain qualifiers that do not translate into the Fortigate version. You have to read the manual and figure out the best way around that issue. Please don't ask me which ones. I wrote that piece of code years ago and don't recall what the differences were at the time.

From the attached notes, the below were dropped due to the fact that at the time the code was written, the Fortigates would not accept them:

msg:"BLACKLIST User-Agent known malicious user agent - User-Agent User-Agent Mozilla";  metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http;  reference:url,www.virustotal.com/file/D67B6706559C5F7AB97CC788E668E27A29B7D2D39C9ACA93AF73778E53993339/analysis/;  classtype:trojan-activity;

Don't know if you read the notes below the script boxes:

    These notes were present in the PERL script presented on the forums a while back. The only reason I changed the revision numbers is that the original code was ported for command line only. I converted it (after 4 long stagnant years!) to HTML for easier web access. Read on, and let me know if there are any glaring mistakes in either mine, or the original author's (dturnbull@fortinet.com) notes. I don't know SNORT at all, so I had to find some samples on the Internet for testing. They seemed to parse OK, so do your worst! :) By the way, multiple line rules DO NOT WORK! Comments and blank lines are good.

    Thanks and enjoy. -Bob Patterson

    Revision history:
    Intends to convert SNORT .rules files to Fortinet format   dturnbull@fortinet.com
    0.1   27-Sep-2004   Initial version
    0.2   28-Sep-2004   Supports multiple content entries and added distance, uri, removes msg, reference and classtype changed how matching was done, much simpler now!
    0.3   01-Nov-2004   Added icmp*
    0.4   01-Nov-2008   Converted to web based HTML format
    0.4a  02-Nov-2008   Added (this online) documentation and some new conversions based on both the SNORT 2.0.0 online docs and the Fortigate v3.00 MR6 IPS guide.
                        Added the source and destination address transferral
                        Added support for multi-line rules
    0.4b  03-Nov-2008   Added support for 'pcre' command and other SNORT v2.8.3 commands as well
    0.4c  05-Nov-2008   Added the exceptions window to show what SNORT commands were not accepted
                        Added line numbers for exception comparison as well
    0.4d  13-Nov-2008   Added quotes around the 'content' field
                        Removed the 'threshold' command from the FGT config
    0.4e  17-Nov-2008   Fixed the double quote issue
                        Added the Fortigate rule count
    1.0   19-Nov-2008   Cleaned up PERL code
    1.1   01-Jun-2011   The program will now add a name of "SID000000" if no "sid:" identifier is found in the SNORT rule.

    Commands supported in this script:
    The following SNORT syntax is supported in this script. (re: the new additions I made: Just because the syntax is supported for conversion doesn't mean the Fortigate understands the options transferred over. Use due diligence when testing the signatures on your unit.)

           SNORT (v2.8.3) = FORTIGATE (v3.00 MR7)
                     ack: = --ack                                   (added 11/2008 -rp)
               byte_jump: = --byte_jump                             (added 11/2008 -rp)
               byte_test: = --byte_test                             (added 11/2008 -rp)
               classtype: = <not used>                              (deleted from rule)
                 content: = --content
                   depth: = --depth
                distance: = --distance
                   dsize: = --data_size                             (added 11/2008 -rp)
                  <none> = --dst_addr [!]<ipv4>                    (transferred from SNORT rule)
                  <none> = --dst_port [!]{<port_int> | :<port_int> | <port_int>: | <port_int>:<port_int>}
                                                                   (transferred from SNORT rule)
                   flags: = --tcp_flags                             (added 11/2008 -rp)
                    flow: = --flow
                 icmp_id: = --icmp_id
                icmp_seq: = --icmp_seq
                   icode: = --icmp_code
                      id: = --ip_id                                 (added 11/2008 -rp)
                ip_proto: = --protocol                              (added 11/2008 -rp)
                ipoption: = --ip_option                             (added 11/2008 -rp)
                isdataat: = <not used>                              (deleted from rule)
                   itype: = --icmp_type
                metadata: = <not used>                              (deleted from rule)
                     msg: = <not used>                              (deleted from rule)
                  nocase: = --no_case
                  offset: = --offset
                    pcre: = --pcre                                  (added 11/2008 -rp)
                                                                   (similar to regex, but not quite. What a bear to get around.... -rp)
                   react: = not set in custom sig, use GUI
               reference: = <not supported>                         (deleted from rule)
                    resp: = not set in custom sig, use GUI
                     rev: = --revision
                     rpc: = --rpc_num                               (added 11/2008 -rp)
                  sameip: = --same_ip                               (added 11/2008 -rp)
                     seq: = --seq                                   (added 11/2008 -rp)
                     sid: = --name (generated from original code, informational & optional)
                  <none> = --src_addr [!]<ipv4>                    (transferred from SNORT rule)
                  <none> = --src_port [!]{<port_int> | :<port_int> | <port_int>: | <port_int>:<port_int>}
                                                                   (transferred from SNORT rule)
               threshold: = <not supported>                         (deleted from rule, added 11/13/2008 -rp)
                     tos: = --ip_tos                                (added 11/2008 -rp)
                     ttl: = --ip_ttl                                (added 11/2008 -rp)
              uricontent: = --uri
                  within: = --within

    Commands only known to Fortigate v3.00 MR6:
                  <none> = --attack_id (informational, optional)
                  <none> = --context {uri | header | body | host}
                  <none> = --data_at <offset_int>[,relative]
                  <none> = --default_action (informational, optional)
                  <none> = --icmp_code
                  <none> = --icmp_type
                  <none> = --pattern
                  <none> = --service (or by port)
                           Standard port: DNS, DCERPC, FTP, H323, IMAP, LDAP, MSSQL, NBSS, POP3, RADIUS, RPC, SMTP, SNMP, TELNET
                           Any port: HTTP, SIP, SSH, SSL
                  <none> = --window_size

    List of Fortigate IPS commands obtained from: (link updated 2011-06-01)
        http://docs.forticare.com...hives/3.0/techdocs/... FortiGate_IPS_Guide_01_30007_0080_20080916.pdf

    Commands only known to SNORT v2.0.0: (unless otherwise noted)
      activates        = (version 2.8.3)
      activated_by     = (version 2.8.3)
      asn1             = (version 2.8.3)
      classtype        = <not used>                              (deleted from rule)
      content-list     = search for a set of patterns in the packet's payload
      count            = (version 2.8.3)
      cvs              = (version 2.8.3)
      fast_pattern     = (version 2.8.3)
      flowbits         = (version 2.8.3)
      fragbits         = test the fragmentation bits of the IP header
      fragoffset       = (version 2.8.3)
      ftpbounce        = (version 2.8.3)
      http_client_body = (version 2.8.3)
      http_cookie      = (version 2.8.3)
      http_header      = (version 2.8.3)
      http_method      = (version 2.8.3)
      http_uri         = (version 2.8.3)
      isdataat         = <not supported>         (deleted from rule - version 2.8.3)
      logto            = log the packet to a user specified filename instead of the standard output file
      metadata         = <not supported>         (deleted from rule - version 2.8.3)
      msg              = <not supported>                         (deleted from rule)
      priority         = rule severity identifier
      rawdata          = (version 2.8.3)
      reference        = <not supported>                         (deleted from rule)
      regex            = wildcard pattern matching
      resp*            = active response (knock down connections, etc)
      session          = dumps the application layer information for a given session
      stateless        = valid regardless of stream state
      stream_size      = (version 2.8.3)
      tag              = advanced logging actions for rules
      urilen           = (version 2.8.3)
    Note: * - Used in Fortigate, but configured from the GUI

    List of SNORT rules options obtained from:
        http://www.snort.org/docs.../chap2.html#tth_sEc2.3 (v2.0.0)
        http://www.snort.org/docs...tmanuals/htmanual_283/ (v2.8.3)


Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

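The conversion this thread walks through, as an added Python example that is neither Bob's Perl/HTML converter nor Fortinet's tool: it parses one single-line Snort rule, applies the SNORT-to-FortiGate keyword mapping from the notes above, drops msg/metadata/reference/classtype as the converter does, and, unlike the web converter output quoted earlier, returns options it has no mapping for (here fast_pattern and http_header) in a separate list for manual handling rather than copying them into the F-SBID string. OPTION_MAP covers only part of the mapping table, and the names HEADER_RE, split_options and convert are assumptions of this example.

```python
import re

# Snort option -> F-SBID keyword, following the mapping table in Bob's notes above.
# None means the option is dropped (msg, metadata, reference, classtype); anything
# not listed is returned as "unsupported" for manual handling rather than converted.
OPTION_MAP = {
    "flow": "--flow", "content": "--content", "depth": "--depth",
    "distance": "--distance", "within": "--within", "offset": "--offset",
    "nocase": "--no_case", "pcre": "--pcre", "uricontent": "--uri",
    "dsize": "--data_size", "flags": "--tcp_flags",
    "msg": None, "metadata": None, "reference": None, "classtype": None,
}
# action proto src_addr src_port -> dst_addr dst_port (options)
HEADER_RE = re.compile(r"^\w+\s+(\w+)\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s+\((.*)\)\s*$")

def split_options(body):
    """Split the option body on ';' but never inside a double-quoted value."""
    return [o.strip() for o in re.findall(r'(?:[^;"]|"[^"]*")+', body) if o.strip()]

def convert(rule):
    """Return (f_sbid_signature, dropped_options, unsupported_options) for one rule."""
    m = HEADER_RE.match(rule.strip())
    if not m:  # same limit as the original converter: one rule per line
        raise ValueError("expected a single-line Snort rule")
    proto, body = m.groups()
    name, rev, out, dropped, unsupported = "SID000000", None, [], [], []
    for opt in split_options(body):
        key, _, val = (s.strip() for s in opt.partition(":"))
        if key == "sid":
            name = "SID" + val  # no sid: keep SID000000, as converter v1.1 does
        elif key == "rev":
            rev = val
        elif key in OPTION_MAP and OPTION_MAP[key] is None:
            dropped.append(opt)
        elif key in OPTION_MAP:
            out.append(f"{OPTION_MAP[key]} {val}".rstrip())
        else:
            unsupported.append(opt)  # e.g. fast_pattern:only, http_header
    fields = [f"--name {name}", f"--protocol {proto}", *out]
    if rev:
        fields.append(f"--revision {rev}")
    return "F-SBID ( " + "; ".join(fields) + "; )", dropped, unsupported

# The rule from the question (sid:30918); metadata and reference shortened here.
SNORT_RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST '
              'User-Agent known malicious user agent"; flow:to_server,established; '
              'content:"User-Agent: User-Agent: Mozilla/"; fast_pattern:only; http_header; '
              'content:!"Accept"; metadata:ruleset community, service http; '
              'reference:url,www.virustotal.com/; classtype:trojan-activity; sid:30918; rev:1;)')
```

Call convert(SNORT_RULE) and review the third element before loading the signature: those are the qualifiers rwpatterson says do not translate and must be worked around by hand.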