Fortinet black logo

Custom IPS and Application Control Signature Syntax Guide

Home IPS Engine 3.6.0 Custom IPS and Application Control Signature Syntax Guide

UDP header options

3.6.0
7.4.0
7.2.0
7.1.0
7.0.0
6.4.0
6.2.0
5.2.0
3.6.0
Copy Link
Copy Doc ID f21167b4-200c-11e9-b6f6-f8bc1258b856:423833
Download PDF

UDP header options

Use these options to check the UDP header:

src_port

Check the source port number or range.

Syntax:
--src_port [!]<number>;

The placement of : indicates less than or equal to:

--src_port [!]:<number>;

The placement of : indicates greater than or equal to:

--src_port [!]<number>:;

The placement of : indicates a range, exclusive of endpoints:

--src_port [!]<number>:<number>;

The optional prefix ! means exclude.

Example:
--src_port 1000:;

dst_port

Check the destination port number or range.

Syntax:
--dst_port [!]<number>;

Equal to:

--dst_port [!]:<number>;

Greater than or equal to:

--dst_port [!]<number>:;

Range, exclusive of endpoints:

--dst_port [!]<number>:<number>; placement of : indicates  a range, exclusive of endpoints

The optional prefix ! means exclude.

Example:
--dst_port 200:300;

udp.src_port, udp.dst_port, udp.length, udp.checksum

Check these fields in the UDP header.

Syntax:
 --udp.[decorations] <operator> <value>;

Valid operators: =, !=, >=, <=, &, |, ^, and in.

Example:
 --udp.scr_port in [1111,2222];

udp[offset]

Access any fields in UDP header in freelance mode.

Syntax: 
--udp[offset] <operator> <value> [, word size] [, endianness];

Both word size and endianness are optional. By default, the engine uses BYTE and big endian.

Valid operators: =, !=, >=, <=, &, |, ^, and in.

Example: 
--udp[20] &0xF0 = 0x30;
Previous
Next

UDP header options

Use these options to check the UDP header:

src_port

Check the source port number or range.

Syntax:
--src_port [!]<number>;

The placement of : indicates less than or equal to:

--src_port [!]:<number>;

The placement of : indicates greater than or equal to:

--src_port [!]<number>:;

The placement of : indicates a range, exclusive of endpoints:

--src_port [!]<number>:<number>;

The optional prefix ! means exclude.

Example:
--src_port 1000:;

dst_port

Check the destination port number or range.

Syntax:
--dst_port [!]<number>;

Equal to:

--dst_port [!]:<number>;

Greater than or equal to:

--dst_port [!]<number>:;

Range, exclusive of endpoints:

--dst_port [!]<number>:<number>; placement of : indicates  a range, exclusive of endpoints

The optional prefix ! means exclude.

Example:
--dst_port 200:300;

udp.src_port, udp.dst_port, udp.length, udp.checksum

Check these fields in the UDP header.

Syntax:
 --udp.[decorations] <operator> <value>;

Valid operators: =, !=, >=, <=, &, |, ^, and in.

Example:
 --udp.scr_port in [1111,2222];

udp[offset]

Access any fields in UDP header in freelance mode.

Syntax: 
--udp[offset] <operator> <value> [, word size] [, endianness];

Both word size and endianness are optional. By default, the engine uses BYTE and big endian.

Valid operators: =, !=, >=, <=, &, |, ^, and in.

Example: 
--udp[20] &0xF0 = 0x30;
Previous
Next