service

Use the `service` keyword to specify the session type associated with a packet. For this keyword to work, the session being identified must be supported by a suitable dissector. For a list of the services currently supported by the IPS engine dissectors, see the table Supported service types.

To detect packets that belong to a service supported by the IPS engine, you must include `--service <service_name>;` in the custom signature. For details, see IPS engine service logic.
Syntax:
--service <service_name>;
Examples:
--service HTTP;
--service DNS;
Supported service types
| Session Type | Criterion | Service Option |
|---|---|---|
| Back_office (bo, bo2k) | TCP/UDP, any port | service BO |
| DCE RPC | TCP/UDP, any port | service DCERPC |
| DHCP | UDP, any port | service DHCP |
| DNP3 | TCP, any port | service DNP3 |
| DNS | TCP/UDP, 53 | service DNS |
| FTP | TCP, any port | service FTP |
| H323 | TCP, 1720 | service H323 |
| HTTP | TCP, any port | service HTTP |
| IM (yahoo, msn, aim, qq) | TCP/UDP, any port | service IM |
| IMAP | TCP, any port | service IMAP |
| LDAP | TCP, 389 | service LDAP |
| MSSQL | TCP, 1433 | service MSSQL |
| NBSS | TCP, 139, 445 | service NBSS |
| NNTP | TCP, any port | service NNTP |
| P2P (skype, BT, eDonkey, kazaa, gnutella, dc++) | TCP/UDP, any port | service P2P |
| POP3 | TCP, any port | service POP3 |
| RADIUS | UDP, 1812, 1813 | service RADIUS |
| RDT | TCP, any port, by RTSP | service RDT |
| RTCP | TCP, any port, by RTSP | service RTCP |
| RTP | TCP, any port, by RTSP | service RTP |
| RTSP | TCP, any port | service RTSP |
| SCCP (skinny) | TCP, 2000 | service SCCP |
| SIP | TCP/UDP, any port | service SIP |
| SMTP | TCP, any port | service SMTP |
| SNMP | UDP, 161, 162 | service SNMP |
| SSH | TCP, any port | service SSH |
| SSL | TCP, any port | service SSL |
| SUN RPC | TCP/UDP, 111, 32771 | service RPC |
| TELNET | TCP, 23 | service TELNET |
| TFN | ICMP, any port | service TFN |
IPS engine service logic
- You can only use the `service` keyword once in a signature.
- The Fortinet IPS engine marks traffic based on packet content instead of port mapping. You can use the `service` keyword to scan traffic that is not running on a standard service port.
- If a packet is marked by a protocol dissector as some type of service, for example HTTP, it will only be inspected by signatures in the HTTP service tree. Consequently, if a signature uses `--dst_port 80` instead of `--service HTTP`, it will not be matched. You must ensure that all signatures detecting traffic with an implemented service type have the `service` keyword.
- If a signature has the `service` keyword, it will be added to the corresponding service tree. A signature's service tree assignment determines which packets it will scan. IPS has multiple service trees (`HTTP`, `SMTP`, `POP3`, `DNS`, etc.) and one `unknown_service` tree.
- If a signature has no `service` keyword but has a `port` keyword, it will be added to the `unknown_service` tree.
- Custom signatures where the service type is `unknown_service` are added to all service trees.
- If a signature has neither a `service` keyword nor a `port` keyword, it is a generic signature and will be added to all service trees, including the `unknown_service` tree.
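The following is an added worked example, not Fortinet's engine code, that models the service-tree rules above and the `--service <service_name>;` syntax from the top of this page. It parses `--keyword value;` pairs from a custom signature string (the `F-SBID( ... )` wrapper, the `--name`, `--protocol`, `--pattern` and `--context` keywords, and the assumption that `src_port`/`dst_port` are the "port" keywords the rules refer to, come from outside this page), assigns each signature to its trees, and uses a toy content-based dissector in place of the real one to show why a `--dst_port 80` signature is never evaluated against traffic the dissector has already marked as HTTP, while a `--service HTTP` signature scans that traffic on any port. The rule about custom signatures whose service type is `unknown_service` is not modelled. Signature names and traffic samples are constructed for the example.

```python
"""Model of how the IPS engine assigns custom signatures to service trees.

Added example (not Fortinet code): parses F-SBID-style keyword strings and
applies the service-tree rules stated on this page, with a toy content-based
dissector standing in for the real engine.
"""
import re

# Service names from the "Supported service types" table on this page.
SUPPORTED_SERVICES = {
    "BO", "DCERPC", "DHCP", "DNP3", "DNS", "FTP", "H323", "HTTP", "IM", "IMAP",
    "LDAP", "MSSQL", "NBSS", "NNTP", "P2P", "POP3", "RADIUS", "RDT", "RTCP",
    "RTP", "RTSP", "SCCP", "SIP", "SMTP", "SNMP", "SSH", "SSL", "RPC", "TELNET",
    "TFN",
}
UNKNOWN = "unknown_service"
# Assumption: these are the "port" keywords the page's rules refer to.
PORT_KEYWORDS = {"src_port", "dst_port"}

# --keyword value;  where value may be a double-quoted string or bare text.
KEYWORD_RE = re.compile(r'--(\w+)(?:\s+("(?:[^"\\]|\\.)*"|[^;]*?))?\s*;')


def parse_signature(sig):
    """Return (keyword, value) pairs in order, keeping repeats so the
    caller can enforce 'service at most once'."""
    body = sig.strip()
    if body.startswith("F-SBID(") and body.endswith(")"):
        body = body[len("F-SBID("):-1]
    return [(k, v.strip().strip('"')) for k, v in KEYWORD_RE.findall(body)]


def service_trees(sig):
    """Which service trees the signature is added to (rules from this page).
    Raises ValueError for a repeated or unsupported service name."""
    pairs = parse_signature(sig)
    services = [v.upper() for k, v in pairs if k == "service"]
    if len(services) > 1:
        raise ValueError("the service keyword may be used only once")
    if services:
        if services[0] not in SUPPORTED_SERVICES:
            raise ValueError(f"no dissector for service {services[0]!r}")
        return {services[0]}                      # only that service tree
    if any(k in PORT_KEYWORDS for k, _ in pairs):
        return {UNKNOWN}                          # port keyword, no service
    return SUPPORTED_SERVICES | {UNKNOWN}         # generic: every tree


def classify(payload):
    """Toy dissector (assumption): marks traffic by content, never by port."""
    first_line = payload.split(b"\r\n", 1)[0]
    if re.match(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]$",
                first_line):
        return "HTTP"
    if first_line.startswith(b"SSH-"):
        return "SSH"
    return UNKNOWN


def matches(sig, dst_port, payload):
    """Tree membership gates everything: a signature outside the packet's
    tree is never evaluated, however well its port and pattern would fit."""
    if classify(payload) not in service_trees(sig):
        return False
    kw = dict(parse_signature(sig))
    if "dst_port" in kw and int(kw["dst_port"]) != dst_port:
        return False
    pattern = kw.get("pattern")
    return pattern is None or pattern.encode() in payload


# Constructed sample signatures; the names are made up for this example.
SIG_PORT_ONLY = ('F-SBID( --name "Admin.Probe.Port80"; --protocol tcp; '
                 '--dst_port 80; --pattern "/admin"; )')
SIG_SERVICE = ('F-SBID( --name "Admin.Probe.HTTP"; --protocol tcp; '
               '--service HTTP; --pattern "/admin"; --context uri; )')

# Constructed sample traffic: the same HTTP request seen on port 80 and 8080.
REQUEST = b"GET /admin/login HTTP/1.1\r\nHost: intranet\r\n\r\n"

if __name__ == "__main__":
    print(sorted(service_trees(SIG_PORT_ONLY)))  # ['unknown_service']
    print(matches(SIG_PORT_ONLY, 80, REQUEST))   # False: packet is in HTTP tree
    print(matches(SIG_SERVICE, 80, REQUEST))     # True
    print(matches(SIG_SERVICE, 8080, REQUEST))   # True: port is irrelevant
```

The port-only signature lands in the `unknown_service` tree, so the HTTP request on port 80 (marked HTTP by the dissector) is never checked against it even though both its port and its pattern fit; the `--service HTTP` signature is checked against the same request on port 80 and on port 8080 alike. Running `service_trees` over a signature set before loading it is also a cheap way to catch a repeated `service` keyword or a service name with no dissector.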