Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Fullmoon
Contributor III

Created on ‎11-19-2014 04:36 AM

how to add new signature

hi fellas,

 

im out of direction, how to add custom signatures? im running on fortios 5.2.1 and I want add signature thats block Psiphon3.

current version cant block the said application.

 

 

Regards,

Fortigate Newbie

Fortigate Newbie
16373
0 Kudos
1 Solution
Dave_Hall
Honored Contributor
In response to Fullmoon

Created on ‎11-19-2014 06:46 AM

Fullmoon wrote:

hi paulo thanks for the quick response.

[...] Seems cant find my self on how to add the said signatures.

 

Use the config ips custom setting from the CLI.  Also, people have posted examples, such as this one by emnoc (he has a nice tutorial on his blog).

 

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

View solution in original post

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Preview file
25 KB
2468
0 Kudos
3 REPLIES 3
pcraponi
Contributor II

Created on ‎11-19-2014 04:59 AM

Start here: http://video.fortinet.com/video/81/create-custom-ips-signatures-to-block-attacks

 

and here: http://video.fortinet.com/uploads/documents/IPS%20Signature%20Syntax%20Guide.pdf

 

If exist a signature that does not work currently, it's more easy you open a ticket with IPS/AppCtrl team...

 

 

Regards,

Paulo

Regards, Paulo Raponi

Regards, Paulo Raponi
2424
0 Kudos
Fullmoon
Contributor III
In response to pcraponi

Created on ‎11-19-2014 05:12 AM

hi paulo thanks for the quick response.

I saw the video you provided and have the signatures already. Seems cant find my self on how to add the said signatures.

 

here's the signatures

 

F-SBID( --protocol tcp; --flow from_client; --dst_port :1000; --seq >,24,relative; --seq <,8220,relative; --pattern !"|17 03|"; --context packet; --within 2,context; --pattern !"|16 03|"; --context packet; --within 2,context; --pattern !"|00 00 00|"; --context packet; --within 37,context; --data_size =37; --tag test,Tag.Psiphon.SSH+.21.test; --app_cat 6; ) F-SBID( --protocol tcp; --seq =,1,relative; --service http; --flow from_client; --pattern "POST / HTTP/1.1"; --context packet; --within 15,context; --pattern "Host: "; --context packet; --distance 0; --pcre "/[\d]{1,3}\.[\d]{1,3}\.[\d]{1,3}\.[\d]{1,3}/"; --distance 0; --within 15; --pattern "|3a|"; --context packet; --within 3; --pattern !"User-Agent"; --context packet; --no_case; --pattern "Accept-Encoding: gzip"; --context packet; --no_case; --data_size >24; --app_cat 6; ) F-SBID( --protocol tcp; --service http; --flow from_client; --pattern ".psiphon3."; --context host; --no_case; --app_cat 6; )

 

Fortigate Newbie

Fortigate Newbie
2424
0 Kudos
Dave_Hall
Honored Contributor
In response to Fullmoon

Created on ‎11-19-2014 06:46 AM

Fullmoon wrote:

hi paulo thanks for the quick response.

[...] Seems cant find my self on how to add the said signatures.

 

Use the config ips custom setting from the CLI.  Also, people have posted examples, such as this one by emnoc (he has a nice tutorial on his blog).

 

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Preview file
25 KB
2469
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.