How to convert this rule to fortigate use?
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user agent - User-Agent User-Agent Mozilla"; flow:to_server,established; content:"User-Agent: User-Agent: Mozilla/"; fast_pattern:only; http_header; content:!"Accept"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/D67B6706559C5F7AB97CC788E668E27A29B7D2D39C9ACA93AF73778E53993339/analysis/; classtype:trojan-activity; sid:30918; rev:1;)
You can thank Bob on this one:
http://camerabob.dyndns.org:5190/Fortigate/
F-SBID ( --name SID30918; --protocol tcp; --flow to_server,established; --content "User-Agent: User-Agent: Mozilla/"; fast_pattern:only; http_header; --content !"Accept"; --revision 1;)
Also FTNT has a snort to IPS rule convertor that does a half-way decent conversion for basic rules, but you really need to dissect the rule and understand the FGT IPS syntax imho. YMMV depending on how complex (or not) the source SNORT rule is.
I have tried the website as per your reply. However, it still cannot be used. I don't know why?
FW version:v5.0,build0292
I don't know if your reply was that you tried and it did not work, or if the server was down. I have been working on the web server over the past few days. I ran your snippet through it and got the below:
F-SBID ( --name SID30918; --protocol tcp; --flow to_server,established; --content "User-Agent: User-Agent: Mozilla/"; fast_pattern:only; http_header; --content !"Accept"; --revision 1;)
The below was removed:
(001)(msg:"BLACKLIST User-Agent known malicious user agent - User-Agent User-Agent Mozilla"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/D67B6706559C5F7AB97CC788E668E27A29B7D2D39C9ACA93AF73778E53993339/analysis/; classtype:trojan-activity; )
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
From my limited exposure to SNORT and Forti-snort, I have learned that there are certain qualifiers that do not translate into the Fortigate version. You have to read the manual and figure out the best way around that issue. Please don't ask me which ones. I wrote that piece of code years ago and don't recall what the differences were at the time.
From the attached notes, the below were dropped due to the fact that at the time the code was written, the Fortigates would not accept them:
msg:"BLACKLIST User-Agent known malicious user agent - User-Agent User-Agent Mozilla"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/D67B6706559C5F7AB97CC788E668E27A29B7D2D39C9ACA93AF73778E53993339/analysis/; classtype:trojan-activity;
Don't know if you read the notes below the script boxes:
These notes were present in the PERL script presented on the forums a while back. The only reason I changed the revision numbers is that the original code was ported for command line only. I converted it (after 4 long stagnant years!) to HTML for easier web access. Read on, and let me know if there are any glaring mistakes in either mine, or the original author's (dturnbull@fortinet.com) notes. I don't know SNORT at all, so I had to find some samples on the Internet for testing. They seemed to parse OK, so do your worst! :) By the way, multiple line rules DO NOT WORK! Comments and blank lines are good. Thanks and enjoy. -Bob Patterson

Revision history:
Intends to convert SNORT .rules files to Fortinet format (dturnbull@fortinet.com)
0.1 27-Sep-2004 Initial version
0.2 28-Sep-2004 Supports multiple content entries and added distance, uri; removes msg, reference and classtype. Changed how matching was done, much simpler now!
0.3 01-Nov-2004 Added icmp*
0.4 01-Nov-2008 Converted to web based HTML format
0.4a 02-Nov-2008 Added (this online) documentation and some new conversions based on both the SNORT 2.0.0 online docs and the Fortigate v3.00 MR6 IPS guide. Added the source and destination address transferral. Added support for multi-line rules
0.4b 03-Nov-2008 Added support for 'pcre' command and other SNORT v2.8.3 commands as well
0.4c 05-Nov-2008 Added the exceptions window to show what SNORT commands were not accepted. Added line numbers for exception comparison as well
0.4d 13-Nov-2008 Added quotes around the 'content' field. Removed the 'threshold' command from the FGT config
0.4e 17-Nov-2008 Fixed the double quote issue. Added the Fortigate rule count
1.0 19-Nov-2008 Cleaned up PERL code
1.1 01-Jun-2011 The program will now add a name of "SID000000" if no "sid:" identifier is found in the SNORT rule.

Commands supported in this script:
The following SNORT syntax is supported in this script.
(re: the new additions I made: Just because the syntax is supported for conversion doesn't mean the Fortigate understands the options transferred over. Use due diligence when testing the signatures on your unit.)

SNORT (v2.8.3) = FORTIGATE (v3.00 MR7)
ack: = --ack (added 11/2008 -rp)
byte_jump: = --byte_jump (added 11/2008 -rp)
byte_test: = --byte_test (added 11/2008 -rp)
classtype: = <not used> (deleted from rule)
content: = --content
depth: = --depth
distance: = --distance
dsize: = --data_size (added 11/2008 -rp)
<none> = --dst_addr [!]<ipv4> (transferred from SNORT rule)
<none> = --dst_port [!] {<port_int> | :<port_int> | <port_int>: | <port_int>:<port_int>} (transferred from SNORT rule)
flags: = --tcp_flags (added 11/2008 -rp)
flow: = --flow
icmp_id: = --icmp_id
icmp_seq: = --icmp_seq
icode: = --icmp_code
id: = --ip_id (added 11/2008 -rp)
ip_proto: = --protocol (added 11/2008 -rp)
ipoption: = --ip_option (added 11/2008 -rp)
isdataat: = <not used> (deleted from rule)
itype: = --icmp_type
metadata: = <not used> (deleted from rule)
msg: = <not used> (deleted from rule)
nocase: = --no_case
offset: = --offset
pcre: = --pcre (added 11/2008 -rp) (similar to regex, but not quite. What a bear to get around.... -rp)
react: = not set in custom sig, use GUI
reference: = <not supported> (deleted from rule)
resp: = not set in custom sig, use GUI
rev: = --revision
rpc: = --rpc_num (added 11/2008 -rp)
sameip: = --same_ip (added 11/2008 -rp)
seq: = --seq (added 11/2008 -rp)
sid: = --name (generated from original code, informational & optional)
<none> = --src_addr [!]<ipv4> (transferred from SNORT rule)
<none> = --src_port [!] {<port_int> | :<port_int> | <port_int>: | <port_int>:<port_int>} (transferred from SNORT rule)
threshold: = <not supported> (deleted from rule, added 11/13/2008 -rp)
tos: = --ip_tos (added 11/2008 -rp)
ttl: = --ip_ttl (added 11/2008 -rp)
uricontent: = --uri
within: = --within

Commands only known to Fortigate v3.00 MR6:
<none> = --attack_id (informational, optional)
<none> = --context {uri | header | body | host}
<none> = --data_at <offset_int>[,relative]
<none> = --default_action (informational, optional)
<none> = --icmp_code
<none> = --icmp_type
<none> = --pattern
<none> = --service (or by port). Standard port: DNS, DCERPC, FTP, H323, IMAP, LDAP, MSSQL, NBSS, POP3, RADIUS, RPC, SMTP, SNMP, TELNET. Any port: HTTP, SIP, SSH, SSL
<none> = --window_size

List of Fortigate IPS commands obtained from (link updated 2011-06-01):
http://docs.forticare.com...hives/3.0/techdocs/... FortiGate_IPS_Guide_01_30007_0080_20080916.pdf

Commands only known to SNORT v2.0.0 (unless otherwise noted):
activates = (version 2.8.3)
activated_by = (version 2.8.3)
asn1 = (version 2.8.3)
classtype = <not used> (deleted from rule)
content-list = search for a set of patterns in the packet's payload
count = (version 2.8.3)
cvs = (version 2.8.3)
fast_pattern = (version 2.8.3)
flowbits = (version 2.8.3)
fragbits = test the fragmentation bits of the IP header
fragoffset = (version 2.8.3)
ftpbounce = (version 2.8.3)
http_client_body = (version 2.8.3)
http_cookie = (version 2.8.3)
http_header = (version 2.8.3)
http_method = (version 2.8.3)
http_uri = (version 2.8.3)
isdataat = <not supported> (deleted from rule - version 2.8.3)
logto = log the packet to a user specified filename instead of the standard output file
metadata = <not supported> (deleted from rule - version 2.8.3)
msg = <not supported> (deleted from rule)
priority = rule severity identifier
rawdata = (version 2.8.3)
reference = <not supported> (deleted from rule)
regex = wildcard pattern matching
resp* = active response (knock down connections, etc)
session = dumps the application layer information for a given session
stateless = valid regardless of stream state
stream_size = (version 2.8.3)
tag = advanced logging actions for rules
urilen = (version 2.8.3)
Note: * - Used in Fortigate, but configured from the GUI

List of SNORT rules options obtained from:
http://www.snort.org/docs.../chap2.html#tth_sEc2.3 (v2.0.0)
http://www.snort.org/docs...tmanuals/htmanual_283/ (v2.8.3)
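The conversion described in the notes above, written out as a small Python script. This is an added example for this thread, not Bob's PERL/HTML converter and not Fortinet's tool: it splits a single-line Snort rule into header and options, applies the SNORT = FORTIGATE table, drops the options the notes list as deleted from the rule, and reports everything else as an exception instead of copying it into the signature. Unlike the converter output quoted earlier in the thread, it therefore does not pass fast_pattern:only and http_header through unchanged, because the table lists both as Snort-only options. Treating Snort variables such as $HOME_NET as exceptions rather than as --src_addr/--dst_addr values is my assumption, not something the notes specify; the sample .rules text is constructed from the rule in the question.

```python
import re

# Snort option -> FortiGate F-SBID option, transcribed from the mapping
# table in the notes above. Anything not in this map and not in DROPPED
# is reported as an exception instead of being copied through verbatim.
OPTION_MAP = {
    "content": "--content", "uricontent": "--uri", "pcre": "--pcre",
    "depth": "--depth", "distance": "--distance", "within": "--within",
    "offset": "--offset", "nocase": "--no_case", "flow": "--flow",
    "flags": "--tcp_flags", "dsize": "--data_size", "ttl": "--ip_ttl",
    "tos": "--ip_tos", "id": "--ip_id", "ip_proto": "--protocol",
    "ipoption": "--ip_option", "itype": "--icmp_type", "icode": "--icmp_code",
    "icmp_id": "--icmp_id", "icmp_seq": "--icmp_seq", "seq": "--seq",
    "ack": "--ack", "sameip": "--same_ip", "rpc": "--rpc_num",
    "byte_test": "--byte_test", "byte_jump": "--byte_jump", "rev": "--revision",
}
# Options the notes say are deleted from the rule (informational only).
DROPPED = {"msg", "metadata", "reference", "classtype", "isdataat", "threshold"}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?:->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)
IPV4_RE = re.compile(r"^!?\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?$")
PORT_RE = re.compile(r"^!?(?:\d+|:\d+|\d+:|\d+:\d+)$")


def split_options(body):
    """Split the option body on ';' outside double quotes. Quotes inside a
    Snort content string are escaped as \\", so the escape is tracked too."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    opts.append("".join(cur).strip())
    return [o for o in opts if o]


def convert(rule):
    """Convert one single-line Snort rule into an F-SBID signature.
    Returns (signature, exceptions); exceptions lists every piece of the Snort
    rule that was not carried over, like the converter's exceptions window.
    A multi-line rule does not match HEADER_RE and raises ValueError."""
    m = HEADER_RE.match(rule.strip())
    if m is None:
        raise ValueError("not a single-line Snort rule: %r" % rule)
    name, parts, exceptions = "SID000000", [], []  # SID000000 default per rev 1.1

    # Header addresses/ports: literal IPv4 and port forms are transferred.
    # Snort variables such as $HOME_NET have no FortiGate equivalent, so they
    # are reported rather than guessed (assumption made for this example).
    for value, fgt in ((m.group("src"), "--src_addr"), (m.group("sport"), "--src_port"),
                       (m.group("dst"), "--dst_addr"), (m.group("dport"), "--dst_port")):
        if value == "any":
            continue
        pattern = IPV4_RE if fgt.endswith("_addr") else PORT_RE
        if pattern.match(value):
            parts.append("%s %s" % (fgt, value))
        else:
            exceptions.append("%s %s" % (fgt.lstrip("-"), value))

    for opt in split_options(m.group("opts")):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key == "sid":
            name = "SID" + val
        elif key in DROPPED:
            exceptions.append(opt)
        elif key in OPTION_MAP:
            parts.append(("%s %s" % (OPTION_MAP[key], val)).rstrip())
        else:
            exceptions.append(opt)  # e.g. fast_pattern, http_header: Snort-only per the notes

    head = ["--name " + name, "--protocol " + m.group("proto")] + parts
    return "F-SBID ( " + "; ".join(head) + ";)", exceptions


def convert_rules(text):
    """Convert a .rules body line by line; comments and blank lines are skipped.
    Returns a list of (line number, signature, exceptions) tuples."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        sig, exc = convert(line)
        results.append((lineno, sig, exc))
    return results


# Constructed sample .rules content: a comment line plus the rule from the question.
SAMPLE_RULES = """# constructed sample .rules content
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user agent - User-Agent User-Agent Mozilla"; flow:to_server,established; content:"User-Agent: User-Agent: Mozilla/"; fast_pattern:only; http_header; content:!"Accept"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/D67B6706559C5F7AB97CC788E668E27A29B7D2D39C9ACA93AF73778E53993339/analysis/; classtype:trojan-activity; sid:30918; rev:1;)
"""

if __name__ == "__main__":
    for lineno, sig, exc in convert_rules(SAMPLE_RULES):
        print(sig)
        for e in exc:
            print("  (%03d) not converted: %s" % (lineno, e))
```

Run it with python and it prints the F-SBID line for the rule in the question, followed by the numbered pieces that were not converted. Whatever lands in that list is what has to be re-expressed by hand in FortiGate syntax (for instance with the --context option listed under the Fortigate-only commands) and tested on the unit before the signature is relied on.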
Copyright 2025 Fortinet, Inc. All Rights Reserved.