parsed_type

Use the parsed_type keyword to match a packet or session attribute that can be identified by the dissectors. A signature can have more than one --parsed_type keyword.

Syntax:
--parsed_type <type>;

<type>    Description

SSL_PCT, SSL_V2, SSL_V3, TLS_V1, TLS_V2

These types identify the SSL and TLS versions.

SOCK4, SOCK5

These match sessions using the SOCKS 4 or SOCKS 5 proxy protocols.

HTTP_GET

The HTTP request method to be matched is GET. This is valid for the lifetime of the request.

In most cases, a signature using --parsed_type, similar to the one below:

--service HTTP; --parsed_type HTTP_GET;

can replace a pattern-based signature like this:

--service HTTP; --pattern "GET|20|"; --context uri; --within 4,context;

However, sometimes the GET string must still be checked explicitly:

  • if it is not an HTTP session
  • when additional bytes must be matched immediately after the method, for example:
    --service HTTP; --pattern "GET|20|"; --context uri; --within 4,context; --pattern "|13 12 13|"; --context uri; --distance 0;

HTTP_POST

The HTTP request method to be matched is POST. This is valid for the lifetime of the request.

HTTP_CHUNKED

The Transfer-Encoding type of the HTTP request to be matched is chunked. This is valid for the lifetime of the request.

In most cases, a signature using the parsed_type keyword, similar to the one below:

--parsed_type HTTP_CHUNKED;

can replace one that looks for strings in the header, like this:

--service HTTP; --pattern "Transfer-Encoding"; --context header; --no_case; --pattern "chunked"; --context header; --no_case; --distance 1;

Examples:
--parsed_type HTTP_POST;
--parsed_type HTTP_GET;

The following are two versions of the same HTTP signature. The second one is faster and more accurate, because the method and the chunked transfer encoding are taken from the HTTP dissector instead of from string matches against the URI and header contexts.

F-SBID ( --name "FrontPage.FP30reg.Chunked.Overflow"; --protocol tcp; --service HTTP; --flow from_client; --pattern "POST"; --context uri; --distance 0,context; --within 5,context; --pattern "/vti_bin/_vti_aut/fp30reg.dll"; --context uri; --no_case; --distance 0; --pattern "Transfer-Encoding"; --context header; --no_case; --pattern "chunked"; --context header; --no_case; --distance 1; )
F-SBID ( --name "FrontPage.FP30reg.Chunked.Overflow"; --protocol tcp; --service HTTP; --flow from_client; --parsed_type HTTP_POST; --pattern "/vti_bin/_vti_aut/fp30reg.dll"; --context uri; --no_case; --parsed_type HTTP_CHUNKED; )
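To see why the dissector-based version is more accurate, the following is an added Python illustration (not from the Fortinet page and not the FortiGate engine) that runs a string rule approximating the first signature's header check beside a header-parsing check approximating what HTTP_CHUNKED and HTTP_POST provide, over constructed sample requests.

```python
import re

# Constructed sample client requests (not from the Fortinet page).
REQUESTS = {
    # Genuinely chunked POST: both approaches should flag it.
    "chunked_post": (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                     b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n"),
    # List form; chunked is the final coding, so the body really is chunked.
    "chunked_list": (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                     b"Transfer-Encoding: gzip, chunked\r\n\r\n0\r\n\r\n"),
    # Not chunked: the two strings merely occur, in order, in unrelated headers.
    "decoy": (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
              b"Transfer-Encoding: identity\r\nCookie: view=chunked\r\n"
              b"Content-Length: 0\r\n\r\n"),
    "plain_get": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
}

def header_block(raw: bytes) -> bytes:
    """Request line plus headers, up to the blank line (the 'header' context)."""
    return raw.split(b"\r\n\r\n", 1)[0]

def string_rule_chunked(raw: bytes) -> bool:
    """Approximates the pattern-based signature: 'Transfer-Encoding' followed,
    at distance >= 1, by 'chunked', both case-insensitive, header context only."""
    return re.search(rb"transfer-encoding.+chunked", header_block(raw),
                     re.I | re.S) is not None

def parsed_chunked(raw: bytes) -> bool:
    """Dissector-style check: collect the Transfer-Encoding field values and
    test whether the final transfer coding (RFC 7230 list syntax) is 'chunked'."""
    codings = []
    for line in header_block(raw).split(b"\r\n")[1:]:   # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"transfer-encoding":
            codings += [c.strip().lower() for c in value.split(b",") if c.strip()]
    return bool(codings) and codings[-1] == b"chunked"

def parsed_method(raw: bytes) -> bytes:
    """Dissector-style request method: the first token of the request line."""
    return header_block(raw).split(b"\r\n", 1)[0].split(b" ", 1)[0].upper()

def compare(raw: bytes) -> dict:
    return {"string_rule": string_rule_chunked(raw),
            "parsed": parsed_chunked(raw), "method": parsed_method(raw)}

if __name__ == "__main__":
    for name, raw in REQUESTS.items():
        print(f"{name:13s} {compare(raw)}")
```

The "decoy" request shows the string rule firing on a request that is not chunked, while the parsed check stays quiet; the "chunked_list" request shows both agreeing once the real coding list is understood.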

The following two SSL signatures detect the same vulnerability. The second signature is better: it relies on the SSL dissector to identify a PCT handshake instead of pinning the rule to destination port 443 and excluding the other SSL/TLS versions by tag.

F-SBID( --name "SSL.PCT.Overflow"; --protocol tcp; --dst_port 443; --flow from_client; --tag test,!Tag.SSLv3.Web.443; --tag test,!Tag.SSLv2.Web.443; --tag test,!Tag.TLSv1.Web.443; --pattern "|01|"; --within 1,packet; --distance 2,packet; --byte_test 2,>,1,3; --byte_test 2,<,0x301,3; --byte_test 2,>,0,5; --byte_test 2,!,0,7; --byte_test 2,<,16,7; --byte_test 2,>,16,9; --byte_test 2,<,33,9; --pattern "|8F|"; --within 1,packet; --distance 11,packet; --byte_test 2,>,32768,0,relative; --data_size >300; )
F-SBID( --name "SSL.PCT.Overflow"; --protocol tcp; --flow from_client; --service SSL; --parsed_type SSL_PCT; --pattern "|01|"; --within 1,packet; --distance 2,packet; --byte_test 2,>,1,3; --byte_test 2,<,0x301,3; --byte_test 2,>,0,5; --byte_test 2,!,0,7; --byte_test 2,<,16,7; --byte_test 2,>,16,9; --byte_test 2,<,33,9; --pattern "|8F|"; --within 1,packet; --distance 11,packet; --byte_test 2,>,32768,0,relative; --data_size >300; )