tag

Use this keyword in a signature to mark a session with a named tag, or to check whether a tag has been set for a session.

Pattern matching with IPS signatures is essentially packet-based. The tag keyword is mainly used when attack patterns appear in more than one packet or in different directions. A signature that matches an earlier packet in an attack can mark the session with a named tag, and the existence of the tag can be tested when ensuing packets in the same session are scanned.

The matching algorithm guarantees the order in which signatures are scanned. The signatures are sorted based on their tag dependencies. During packet inspection, the signatures are matched in this order, so that signatures that depend on other signatures are always scanned later in the process.

Syntax:
--tag <op>, [!]<name>;

<name> indicates the name of a tag.

[!] is only allowed in test operations. It returns true if the tag does not exist.

The <op> value determines which operation is performed.

| <op> | Description |
|---|---|
| set | Mark the session with a named tag. |
| pset | Mark the session with a named tag and remember the last reference point. This reference point can be referred to by using lasttag with the keywords distance, within, distance_abs, and within_abs. |
| clear | Remove the specified tag from the session. |
| toggle | Toggle the specified tag (set <=> clear) in the session. |
| test | Test the existence of the specified tag. Add ! if the signature is to test the nonexistence of the specified tag. |
| reset | Clear all tags from the session. |

Note

The name of a tag should only contain printable characters. It should not contain spaces, commas, exclamation marks, or semicolons.

By default, a newly-created tag is in the un-set state.

Patterns in tag set and tag test signatures can appear in the same packet together.

Examples:
--tag set,Tag.Rsync.Argument;
--tag clear,tag.login;
--tag test,Tag.Rsync.Argument;
--tag test, !DHTML.EDIT.CONTROL.CLSID;
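
The following added example (not Fortinet code, and not how the IPS engine is implemented) is a simplified Python model of the behavior described above: it parses `--tag` options, enforces the naming and `!` rules, orders signatures by tag dependency, and tracks per-session tag state across packets. The signature names, FTP patterns and payloads are constructed; writing `reset` without a name and ignoring the `pset` reference point are assumptions of the model.

```python
import re
from graphlib import TopologicalSorter
# Page syntax: --tag <op>,[!]<name>;  (assumption: "reset" is written without a name)
TAG_RE = re.compile(r"--tag\s+(\w+)\s*(?:,\s*(!?)([^;]*))?;")
WRITE_OPS = {"set", "pset", "clear", "toggle"}

def parse_tags(rule):
    """Return [(op, negated, name)] for each --tag option, enforcing the page's rules."""
    out = []
    for op, neg, name in TAG_RE.findall(rule):
        if op not in WRITE_OPS | {"test", "reset"}:
            raise ValueError(f"unknown tag op: {op}")
        if neg and op != "test":
            raise ValueError("! is only allowed in test operations")
        if op != "reset" and (not name or not name.isprintable() or re.search(r"[\s,!;]", name)):
            raise ValueError(f"invalid tag name: {name!r}")
        out.append((op, bool(neg), name))
    return out

def scan_order(sigs):
    """Sort signatures so every writer of a tag is scanned before its testers."""
    parsed = {n: parse_tags(rule) for n, (_, rule) in sigs.items()}
    writers = {}
    for n, ops in parsed.items():
        for op, _, tag in ops:
            if op in WRITE_OPS:
                writers.setdefault(tag, set()).add(n)
    deps = {n: set().union(*(writers.get(t, set()) for op, _, t in ops if op == "test")) - {n}
            for n, ops in parsed.items()}
    return list(TopologicalSorter(deps).static_order()), parsed

def inspect(sigs, packets):
    """Scan one session packet by packet; return [(packet_index, signature_name)] hits."""
    order, parsed = scan_order(sigs)
    tags, hits = set(), []
    for i, payload in enumerate(packets):
        for n in order:
            tests_ok = all((t in tags) != neg for op, neg, t in parsed[n] if op == "test")
            if sigs[n][0] not in payload or not tests_ok:
                continue
            hits.append((i, n))
            for op, _, t in parsed[n]:
                if op in ("set", "pset"): tags.add(t)  # pset's reference point is not modelled
                elif op == "clear": tags.discard(t)
                elif op == "toggle": tags ^= {t}
                elif op == "reset": tags.clear()
    return hits
# Constructed sample: signature names, patterns and payloads are illustrative only.
SIGS = {"Login.Failed": (b"530 Login incorrect", "--tag test,tag.login;"),
        "Login.Attempt": (b"USER ", "--tag set,tag.login;")}
```

Because the tag-setting signature is always scanned first, `inspect(SIGS, ...)` reports both signatures even when the two patterns arrive in the same packet, and reports nothing when the response pattern appears in a session where the tag was never set.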
