index out of range error while trying to create new custom IPS signature in fortigate

nisrau · ‎12-18-2018

hi there.

i want it to monitor the order of the ciphersuites in a TLS client hello POP3S traffic via a custom ips signature. unfortunately for me i get this error "index out of range " when trying to create the custom rule.

here are my custom rule.

F-SBID( -name "custom.cipher.suites"; --protocol tcp; --service SSL; --flow from_ client; --parsed_type TLS_V2; --dst_port 995; --seq 1, relative; --pattern "|c0 30 00 9f c0 9f c0 2f 00 9e c0 9e 00 3d 00 35 00 3c 00 2f 00 0a 00 ff|"; --distance 59,packet; --within 1,packet;).

join to this post is my pcap screenshot showing what i want to monitor

PS: am not sure that my rule is well written, any help regarding this last one is more than appreciated.

nisrau · ‎12-20-2018

hi there.

while trying to troubleshoot the syntax of my custom signature i realize that no matter how tried to shrink it suspecting that maybe i am using a deprecated option or omitting something, i was getting the same error message: " index out of range" which lead me to think that i am missing something else here not related to the syntaxe.

PS: my custom signature of shring it is like: "F-SBID( -name "custom.cipher.suites"; --protocol tcp; --flow from_client; --dst_port 995; --dst_addr x.x.x.x; )"

any help would be greatly appréicated because a mlost.

best regards