service

Use the service keyword to specify the session type associated with a packet. The keyword only works when the session being identified is one that an IPS engine dissector recognizes. To see a list of services currently supported by the IPS engine dissectors, refer to the table, Supported service types.

To detect packets that belong to a service supported by the IPS engine, you must include --service <service_name>; in the custom signature. For details, see IPS engine service logic.

Syntax:
--service <service_name>;
Examples:
--service HTTP;
--service DNS;

Supported service types

| Session Type | Criterion | Service Option |
|---|---|---|
| Back_office (bo, bo2k) | TCP/UDP, any port | service BO |
| DCE RPC | TCP/UDP, any port | service DCERPC |
| DHCP | UDP, any port | service DHCP |
| DNP3 | TCP, any port | service DNP3 |
| DNS | TCP/UDP, 53 | service DNS |
| FTP | TCP, any port | service FTP |
| H323 | TCP, 1720 | service H323 |
| HTTP | TCP, any port | service HTTP |
| IM (yahoo, msn, aim, qq) | TCP/UDP, any port | service IM |
| IMAP | TCP, any port | service IMAP |
| LDAP | TCP, 389 | service LDAP |
| MSSQL | TCP, 1433 | service MSSQL |
| NBSS | TCP, 139, 445 | service NBSS |
| NNTP | TCP, any port | service NNTP |
| P2P (skype, BT, eDonkey, kazaa, gnutella, dc++) | TCP/UDP, any port | service P2P |
| POP3 | TCP, any port | service POP3 |
| RADIUS | UDP, 1812, 1813 | service RADIUS |
| RDT | TCP, any port, by RTSP | service RDT |
| RTCP | TCP, any port, by RTSP | service RTCP |
| RTP | TCP, any port, by RTSP | service RTP |
| RTSP | TCP, any port | service RTSP |
| SCCP (skinny) | TCP, 2000 | service SCCP |
| SIP | TCP/UDP, any port | service SIP |
| SMTP | TCP, any port | service SMTP |
| SNMP | UDP, 161, 162 | service SNMP |
| SSH | TCP, any port | service SSH |
| SSL | TCP, any port | service SSL |
| SUN RPC | TCP/UDP, 111, 32771 | service RPC |
| TELNET | TCP, 23 | service TELNET |
| TFN | ICMP, any port | service TFN |

IPS engine service logic

  • You can only use the service keyword once in a signature.
  • The Fortinet IPS engine marks traffic based on packet content instead of port mapping. You can use the service keyword to scan traffic not running on a standard service port.
  • If a packet is marked by a protocol dissector as some type of service, for example HTTP, it will only be inspected by signatures in the HTTP service tree. Consequently, if a signature uses --dst_port 80 instead of --service HTTP, it will not be matched. You must ensure that all signatures detecting traffic with an implemented service type have the service keyword.
  • If a signature has the service keyword, it will be added to the corresponding service tree. A signature's service tree assignment determines which packets it will scan. IPS has multiple service trees (HTTP, SMTP, POP3, DNS, etc.) and one unknown_service tree.
  • If a signature has no service keyword, but it has a port keyword, it will be added to the unknown_service tree.
  • Custom signatures where the service type is unknown_service are added to all service trees.
  • If a signature has neither a service keyword nor a port keyword, it is a generic signature, and will be added to all service trees including the unknown_service tree.
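The placement rules in the list above, modelled as an added Python example. This is illustrative code written for this page, not FortiOS code and not the IPS engine's own implementation. It assumes that --src_port counts as a port keyword in the same way as the --dst_port shown above, uses --pattern as an arbitrary further keyword, reads the bullet about signatures whose service type is unknown_service as an explicit --service unknown_service; value, and the sample signatures are constructed. It shows why a signature written with --dst_port 80 instead of --service HTTP is never consulted for a packet the HTTP dissector has claimed, and it lints a signature for the pitfalls the list describes.

```python
import re

# Service names from the "Supported service types" table above.
SUPPORTED_SERVICES = {
    "BO", "DCERPC", "DHCP", "DNP3", "DNS", "FTP", "H323", "HTTP", "IM", "IMAP",
    "LDAP", "MSSQL", "NBSS", "NNTP", "P2P", "POP3", "RADIUS", "RDT", "RTCP",
    "RTP", "RTSP", "SCCP", "SIP", "SMTP", "SNMP", "SSH", "SSL", "RPC",
    "TELNET", "TFN",
}
UNKNOWN = "unknown_service"
# The engine keeps one tree per supported service plus the unknown_service tree.
ALL_TREES = SUPPORTED_SERVICES | {UNKNOWN}

# Keywords treated as "a port keyword": --dst_port is on the page,
# --src_port is assumed to behave the same way.
PORT_KEYWORDS = {"dst_port", "src_port"}

# One "--keyword value;" clause; the value runs up to the terminating ';'.
KEYWORD_RE = re.compile(r"--(\w+)\s*([^;]*);")

MSG_DUPLICATE_SERVICE = "service keyword used more than once"
MSG_PORT_WITHOUT_SERVICE = (
    "port keyword without service keyword: signature goes to the "
    "unknown_service tree and will not see dissector-identified traffic"
)


def parse_signature(text):
    """Return the signature's (keyword, value) pairs in the order written."""
    return [(kw, val.strip()) for kw, val in KEYWORD_RE.findall(text)]


def assign_trees(text):
    """Service trees a signature joins, following the documented rules."""
    keywords = parse_signature(text)
    services = [val for kw, val in keywords if kw == "service"]
    has_port = any(kw in PORT_KEYWORDS for kw, _ in keywords)
    if services:
        svc = services[0]
        # Assumed reading: a service type of unknown_service means every tree.
        if svc.lower() == UNKNOWN:
            return set(ALL_TREES)
        return {svc.upper()}          # only the named service tree
    if has_port:
        return {UNKNOWN}              # port keyword alone: unknown_service only
    return set(ALL_TREES)             # generic signature: every tree


def lint_signature(text):
    """Report the pitfalls the documentation warns about, as message strings."""
    problems = []
    keywords = parse_signature(text)
    services = [val for kw, val in keywords if kw == "service"]
    if len(services) > 1:
        problems.append(MSG_DUPLICATE_SERVICE)
    for svc in services:
        if svc.lower() != UNKNOWN and svc.upper() not in SUPPORTED_SERVICES:
            problems.append(f"unsupported service {svc!r}")
    if not services and any(kw in PORT_KEYWORDS for kw, _ in keywords):
        problems.append(MSG_PORT_WITHOUT_SERVICE)
    return problems


def candidate_signatures(packet_service, signatures):
    """Names of the signatures the engine would evaluate for a packet that a
    dissector marked as packet_service (pass unknown_service when none did)."""
    tree = packet_service.upper()
    if tree not in SUPPORTED_SERVICES:
        tree = UNKNOWN
    return [name for name, text in signatures.items() if tree in assign_trees(text)]


# Constructed sample signatures (keyword clauses only, not full signatures).
SIGNATURES = {
    "http_by_service": '--service HTTP; --pattern "/admin";',
    "http_by_port":    '--dst_port 80; --pattern "/admin";',
    "generic":         '--pattern "/admin";',
}

if __name__ == "__main__":
    for name, text in SIGNATURES.items():
        trees = assign_trees(text)
        shown = "all trees" if trees == ALL_TREES else sorted(trees)
        print(f"{name}: trees={shown} lint={lint_signature(text)}")
    # A request the HTTP dissector claimed on port 80: the port-only signature
    # is not consulted, which is the pitfall the documentation describes.
    print("HTTP-marked packet ->", candidate_signatures("HTTP", SIGNATURES))
    print("unclassified packet ->", candidate_signatures(UNKNOWN, SIGNATURES))
```

Running the script lists, for each sample signature, the trees it lands in and any lint findings, then shows which signatures are consulted for an HTTP-marked packet versus an unclassified one. The lint check is the part worth keeping: run it over a set of custom signatures before loading them to catch a repeated service keyword, an unsupported service name, or a port-only signature that will silently miss dissector-identified traffic.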
