Fortinet black logo

Custom IPS and Application Control Signature Syntax Guide

Home IPS Engine 3.6.0 Custom IPS and Application Control Signature Syntax Guide
3.6.0
7.4.0
7.2.0
7.1.0
7.0.0
6.4.0
6.2.0
5.2.0
3.6.0

data_size

data_size

The data_size keyword was originally used to test the TCP/UDP/ICMP payload size of the packet being inspected. It has since been extended to support other size related fields in application protocols.

Because TCP is stream-based, not packet-based, the sender can intentionally fragment the original packets before they are transmitted to evade detection. For this reason using data_size on TCP packets may not always be reliable.

Syntax: 
--data_size [op]<value[,field];

[op] is not required. The following operators are accepted:

<op>

Description

>

The data size must be greater than the value specified.

<

The data size must be less than the value specified.

=

The data size must be equal to the value specified. When [op] is not present, this is the default operator.

<value> is required. It is a decimal number that specifies the data size.

[field] is optional. One of the following keywords can be used:

[field]

Description

payload

The TCP/UDP/ICMP payload size is checked. This is the default setting.

uri

The URI length is checked.

header

The length of the header is checked.

body

The length of the body is checked.

http_content

The value of "Content-Length:" in an HTTP header is checked.

http_chunk

The chunk length value in the chunk header is checked.

http_host

The length of the "HOST:" line in an HTTP header is checked. The length count includes CRLF characters, the field name "HOST:", all white spaces between the field name to the field value, and the field value.

For example,"HOST: www.example.com\r\n" has a data_size of 25.

smtp_bdat

The SMTP data length in a BDAT command is checked.

smtp_xexch50

The SMTP data length in an XEXCH50 command is checked.
Examples:
--data_size <128;
--pattern "/admin_/help/"; --context uri; --no_case; --data_size >1024,uri;
--parsed_type HTTP_POST: --pattern "nsiislog.dll"; -context uri; --no_case: --data_size >1000,http_content;
Previous
Next

data_size

The data_size keyword was originally used to test the TCP/UDP/ICMP payload size of the packet being inspected. It has since been extended to support other size related fields in application protocols.

Because TCP is stream-based, not packet-based, the sender can intentionally fragment the original packets before they are transmitted to evade detection. For this reason using data_size on TCP packets may not always be reliable.

Syntax: 
--data_size [op]<value[,field];

[op] is not required. The following operators are accepted:

<op>

Description

>

The data size must be greater than the value specified.

<

The data size must be less than the value specified.

=

The data size must be equal to the value specified. When [op] is not present, this is the default operator.

<value> is required. It is a decimal number that specifies the data size.

[field] is optional. One of the following keywords can be used:

[field]

Description

payload

The TCP/UDP/ICMP payload size is checked. This is the default setting.

uri

The URI length is checked.

header

The length of the header is checked.

body

The length of the body is checked.

http_content

The value of "Content-Length:" in an HTTP header is checked.

http_chunk

The chunk length value in the chunk header is checked.

http_host

The length of the "HOST:" line in an HTTP header is checked. The length count includes CRLF characters, the field name "HOST:", all white spaces between the field name to the field value, and the field value.

For example,"HOST: www.example.com\r\n" has a data_size of 25.

smtp_bdat

The SMTP data length in a BDAT command is checked.

smtp_xexch50

The SMTP data length in an XEXCH50 command is checked.
Examples:
--data_size <128;
--pattern "/admin_/help/"; --context uri; --no_case; --data_size >1024,uri;
--parsed_type HTTP_POST: --pattern "nsiislog.dll"; -context uri; --no_case: --data_size >1000,http_content;
Previous
Next