Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Custom IPS and Application Control Signature Syntax Guide

    Home IPS Engine 3.6.0 Custom IPS and Application Control Signature Syntax Guide
    3.6.0
    7.6.0
    7.4.0
    7.2.0
    7.1.0
    7.0.0
    6.4.0
    6.2.0
    5.2.0
    3.6.0

    rate, track

    rate, track

    These two keywords make it possible to tell the IPS engine that instead of triggering a signature every time it is matched, it should only trigger if the signature is matched a given number of times within a specified time period. This feature can be used in reporting slow port scans, brute-force login attempts, and similar behavior.

    For a regular signature, the IPS engine first compares all of the keyword options other than rate and track. If all the options are matched, IPS checks whether rate is specified for the signature. If it is not, IPS triggers the signature. If it is, IPS increases the counter and updates the timestamp, and checks whether the trigger rate has been reached.

    Syntax:
    --rate <count>,<duration>[,<limit>];

    field

    Description

    <count>

    The number of matches that must be seen before a log entry is generated.

    <duration>

    The time period over which matches are counted, in seconds.

    [limit]

    This improves the accuracy of the matched packet count by counting in strict time rather than averaging over a period of time.

    For example, --rate 400,1,limit;

    		 
    --track <keyword>;

    <keyword> specifies the packet property to track. The following case insensitive keywords are accepted:

    <keyword>

    Description

    src_ip

    Track the packet's source IP address.

    dst_ip

    Track the packet's destination IP address.

    dhcp_client

    Track the DHCP client's MAC address.

    dns_domain

    Track the domain name in the DNS query record.

    dns_domain_and_ip

    Track the DNS response with same domain name and IP address.
    Notes
    • If --track is specified, only matched packets which have the same specified keyword tracked are added to the counter.
    • If --rate is used without --track, all matched packets are added to the counter and the signature is reported once the threshold is reached.
    • IPS counts the average number of packets over a period of time. This might allow some extra packets to go through. Therefore, to ensure accuracy, the limit keyword was added to allow counting to be done in a strict time. When limit is enabled the packet count is more accurate.
    Example:
    F-SBID( --name DHCP.FLOOD; --protocol UDP; --service DHCP; --dhcp_type 1; --rate 100,10; --track DHCP_CLIENT; )

    This signature indicates that if IPS sees DHCP discover requests (--dhcp_type 1;) more than 100 times within 10 seconds (--rate 100,10;) from the same DHCP client (--track dhcp_client;), then an alert is generated.

    Previous
    Next

    rate, track

    rate, track

    These two keywords make it possible to tell the IPS engine that instead of triggering a signature every time it is matched, it should only trigger if the signature is matched a given number of times within a specified time period. This feature can be used in reporting slow port scans, brute-force login attempts, and similar behavior.

    For a regular signature, the IPS engine first compares all of the keyword options other than rate and track. If all the options are matched, IPS checks whether rate is specified for the signature. If it is not, IPS triggers the signature. If it is, IPS increases the counter and updates the timestamp, and checks whether the trigger rate has been reached.

    Syntax:
    --rate <count>,<duration>[,<limit>];

    field

    Description

    <count>

    The number of matches that must be seen before a log entry is generated.

    <duration>

    The time period over which matches are counted, in seconds.

    [limit]

    This improves the accuracy of the matched packet count by counting in strict time rather than averaging over a period of time.

    For example, --rate 400,1,limit;

    		 
    --track <keyword>;

    <keyword> specifies the packet property to track. The following case insensitive keywords are accepted:

    <keyword>

    Description

    src_ip

    Track the packet's source IP address.

    dst_ip

    Track the packet's destination IP address.

    dhcp_client

    Track the DHCP client's MAC address.

    dns_domain

    Track the domain name in the DNS query record.

    dns_domain_and_ip

    Track the DNS response with same domain name and IP address.
    Notes
    • If --track is specified, only matched packets which have the same specified keyword tracked are added to the counter.
    • If --rate is used without --track, all matched packets are added to the counter and the signature is reported once the threshold is reached.
    • IPS counts the average number of packets over a period of time. This might allow some extra packets to go through. Therefore, to ensure accuracy, the limit keyword was added to allow counting to be done in a strict time. When limit is enabled the packet count is more accurate.
    Example:
    F-SBID( --name DHCP.FLOOD; --protocol UDP; --service DHCP; --dhcp_type 1; --rate 100,10; --track DHCP_CLIENT; )

    This signature indicates that if IPS sees DHCP discover requests (--dhcp_type 1;) more than 100 times within 10 seconds (--rate 100,10;) from the same DHCP client (--track dhcp_client;), then an alert is generated.

    Previous
    Next