Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Online Help

    6.2.2
    7.2.0
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.2.2
    6.2.1
    6.2.0
    6.0.3
    6.0.2
    6.0.1
    6.0.0

    Snort conversion wizard

    Snort conversion wizard

    Basic outline of a snort rule

    [action][protocol][sourceIP][sourceport] -> [destIP][destport] ( [Rule options] )

    | ---------------- Rule Header ------------------------------- |- Rule Options - |

    SNORT rule example

    alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript virtual machine opcode verifying code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|01 09 0A 2E D0 30 D0 5D 04 4A 04 00 68 01 D0 92 90 4E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp; reference:cve,2012-5271; reference:url,adobe.com/support/security/bulletins/apsb12-22.html; classtype:attempted-user; sid:24874; rev:3;)

    FGT custom IPS signature

    config ips custom

    edit "S24874R3"

    set signature "F-SBID(--name \"S24874R3\"; --protocol tcp; --service FTP; --flow from_server; --tag test,file.swf; --pattern \"|01 09 0A 2E D0 30 D0 5D 04 4A 04 00 68 01 D0 92 90 4E|\";)"

    set action block

    set status enable

    set log enable

    set comment ''

    next

    end

    Warning: The character "?" is a special character in the interactive console on FortiGate, so if it’s in the pcre of a signature, it won’t be saved. The workaround is to upload the IPS signature through the web GUI.
    "action" field

    Supported keyword

    alert

    Unsupported keyword

    log

    "protocol" field

    Supported keyword

    tcp/udp/ip/icmp/HTTP/FTP/POP3/SMTP/TELNET/SSH/IMAP/SNMP/RADIUS

    HTTP/FTP/POP3/SMTP/TELNET/SSH/IMAP ->; tcp

    SNMP/RADIUS ->; udp

    "sourceIP", "sourceport", "destIP" and "destport" fields

    Supported keyword

    Either "any" or "$xxxx" variable

    "Rule options" field

    Supported keywords

    Option Test input Test output
    byte_test byte_test:1,!&,0xF8,2; --byte_test 1,~,0xF8,2;
    byte_jump byte_jump:4,-10,relative,little; --byte_jump 4,-10,little,relative;
    threshold threshold:type limit, track by_src, count 1, seconds 60; --track SRC_IP; --rate 1,60;
    nocase nocase; --no_case;
    isdataat isdataat:50,relative; --data_at 50,relative;
    http_raw_uri http_raw_uri; --context uri;
    http_raw_cookie http_raw_cookie; --context header;
    http_raw_header http_raw_header; --context header;
    http_stat_code http_stat_code; --context banner;
    http_stat_msg http_stat_msg; --context banner;
    sip_header sip_header; --context header;
    sip_body sip_body; --context body;
    id id:123456; --ip_id 123456;
    dsize dsize:<400; --data_size <400;
    ipopts ipopts:lsrr; --ip_option lsrr;
    flags flags:SF,CE; --tcp_flags SF,CE;
    seq seq:0; --seq 0;
    ack ack:0; --ack 0;
    window window:55808; --window_size 55808;
    itype itype:>30; --icmp_type >30;
    icode icode:>30; --icmp_code >30;
    icmp_id icmp_id:0; --icmp_id 0;
    icmp_seq icmp_seq:0; --icmp_seq 0;
    rpc rpc:100000, *, 3; --rpc_num 100000, *, 3;
    sameip sameip; --same_ip;
    ttl ttl:<3; --ip_ttl <3;
    tos tos:!4; --ip_tos !4;
    content content:"OK LOGIN"; --pattern \"OK LOGIN\";
    flowbits flowbits:set,logged_in; flowbits:noalert; --tag set,logged_in; --tag quiet;
    flow flow:to_server,established; --flow from_client;
    pcre pcre:"/^User-Agent\x3A[^\r\n]*malware/miH"; --pcre \"/^User-Agent\x3A[^\r\n]*malware/mi\";
    uricontent uricontent:"testurl"; --pattern "testurl"; --context uri;
    ip_proto ip_proto:igmp; --protocol igmp;
    depth depth:8; --within 8,packet;
    offset offset:4; --distance 4,packet;
    within within:10; --within 10;
    distance distance:4; --distance 4;
    http_client_body http_client_body; --context body;
    http_cookie http_cookie; --context header;
    http_method http_method; --context uri;
    urilen urilen:5; --data_size 5,uri;
    metadata metadata:impact_flag red, service dns; --service DNS;
    sid sid:19644; --name \"S19644R4\";
    rev rev:4; --name \"S19644R4\";
    byte_extract byte_extract:1, 0, str_offset; --extract 1,0,$0;
    rawbytes rawbytes; --context packet_origin;
    msg msg:"Bad Stuff detected within field"; et comment "Bad Stuff detected within field"
    file_data file_data; --context file;
    pkt_data pkt_data; --context packet;
    detection_filter detection_filter:track by_src, count 30, seconds 60; --rate 30,60; --track SRC_IP;

    Unsupported keywords:

    Option Test input
    replace
    stream_reassemble
    stream_size
    cvs
    ftpbounce
    asn1
    fragbits
    fragoffset
    base64_decode
    base64_data
    sip_method
    sip_stat_code
    gtp_type
    gtp_info
    gtp_version
    ssl_state
    reference
    classtype
    priority
    gid
    fast_pattern
    logto
    session
    resp
    react
    tag
    activites
    activites_by
    http_encode
    count
    dce_iface
    dce_opnum
    dce_stub_data
    metadata
    protected_content
    hash
    length
    modbus_func
    dnp3_ind

    Previous
    Next

    Snort conversion wizard

    Snort conversion wizard

    Basic outline of a snort rule

    [action][protocol][sourceIP][sourceport] -> [destIP][destport] ( [Rule options] )

    | ---------------- Rule Header ------------------------------- |- Rule Options - |

    SNORT rule example

    alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ActionScript virtual machine opcode verifying code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|01 09 0A 2E D0 30 D0 5D 04 4A 04 00 68 01 D0 92 90 4E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp; reference:cve,2012-5271; reference:url,adobe.com/support/security/bulletins/apsb12-22.html; classtype:attempted-user; sid:24874; rev:3;)

    FGT custom IPS signature

    config ips custom

    edit "S24874R3"

    set signature "F-SBID(--name \"S24874R3\"; --protocol tcp; --service FTP; --flow from_server; --tag test,file.swf; --pattern \"|01 09 0A 2E D0 30 D0 5D 04 4A 04 00 68 01 D0 92 90 4E|\";)"

    set action block

    set status enable

    set log enable

    set comment ''

    next

    end

    Warning: The character "?" is a special character in the interactive console on FortiGate, so if it’s in the pcre of a signature, it won’t be saved. The workaround is to upload the IPS signature through the web GUI.
    "action" field

    Supported keyword

    alert

    Unsupported keyword

    log

    "protocol" field

    Supported keyword

    tcp/udp/ip/icmp/HTTP/FTP/POP3/SMTP/TELNET/SSH/IMAP/SNMP/RADIUS

    HTTP/FTP/POP3/SMTP/TELNET/SSH/IMAP ->; tcp

    SNMP/RADIUS ->; udp

    "sourceIP", "sourceport", "destIP" and "destport" fields

    Supported keyword

    Either "any" or "$xxxx" variable

    "Rule options" field

    Supported keywords

    Option Test input Test output
    byte_test byte_test:1,!&,0xF8,2; --byte_test 1,~,0xF8,2;
    byte_jump byte_jump:4,-10,relative,little; --byte_jump 4,-10,little,relative;
    threshold threshold:type limit, track by_src, count 1, seconds 60; --track SRC_IP; --rate 1,60;
    nocase nocase; --no_case;
    isdataat isdataat:50,relative; --data_at 50,relative;
    http_raw_uri http_raw_uri; --context uri;
    http_raw_cookie http_raw_cookie; --context header;
    http_raw_header http_raw_header; --context header;
    http_stat_code http_stat_code; --context banner;
    http_stat_msg http_stat_msg; --context banner;
    sip_header sip_header; --context header;
    sip_body sip_body; --context body;
    id id:123456; --ip_id 123456;
    dsize dsize:<400; --data_size <400;
    ipopts ipopts:lsrr; --ip_option lsrr;
    flags flags:SF,CE; --tcp_flags SF,CE;
    seq seq:0; --seq 0;
    ack ack:0; --ack 0;
    window window:55808; --window_size 55808;
    itype itype:>30; --icmp_type >30;
    icode icode:>30; --icmp_code >30;
    icmp_id icmp_id:0; --icmp_id 0;
    icmp_seq icmp_seq:0; --icmp_seq 0;
    rpc rpc:100000, *, 3; --rpc_num 100000, *, 3;
    sameip sameip; --same_ip;
    ttl ttl:<3; --ip_ttl <3;
    tos tos:!4; --ip_tos !4;
    content content:"OK LOGIN"; --pattern \"OK LOGIN\";
    flowbits flowbits:set,logged_in; flowbits:noalert; --tag set,logged_in; --tag quiet;
    flow flow:to_server,established; --flow from_client;
    pcre pcre:"/^User-Agent\x3A[^\r\n]*malware/miH"; --pcre \"/^User-Agent\x3A[^\r\n]*malware/mi\";
    uricontent uricontent:"testurl"; --pattern "testurl"; --context uri;
    ip_proto ip_proto:igmp; --protocol igmp;
    depth depth:8; --within 8,packet;
    offset offset:4; --distance 4,packet;
    within within:10; --within 10;
    distance distance:4; --distance 4;
    http_client_body http_client_body; --context body;
    http_cookie http_cookie; --context header;
    http_method http_method; --context uri;
    urilen urilen:5; --data_size 5,uri;
    metadata metadata:impact_flag red, service dns; --service DNS;
    sid sid:19644; --name \"S19644R4\";
    rev rev:4; --name \"S19644R4\";
    byte_extract byte_extract:1, 0, str_offset; --extract 1,0,$0;
    rawbytes rawbytes; --context packet_origin;
    msg msg:"Bad Stuff detected within field"; et comment "Bad Stuff detected within field"
    file_data file_data; --context file;
    pkt_data pkt_data; --context packet;
    detection_filter detection_filter:track by_src, count 30, seconds 60; --rate 30,60; --track SRC_IP;

    Unsupported keywords:

    Option Test input
    replace
    stream_reassemble
    stream_size
    cvs
    ftpbounce
    asn1
    fragbits
    fragoffset
    base64_decode
    base64_data
    sip_method
    sip_stat_code
    gtp_type
    gtp_info
    gtp_version
    ssl_state
    reference
    classtype
    priority
    gid
    fast_pattern
    logto
    session
    resp
    react
    tag
    activites
    activites_by
    http_encode
    count
    dce_iface
    dce_opnum
    dce_stub_data
    metadata
    protected_content
    hash
    length
    modbus_func
    dnp3_ind

    Previous
    Next