Signature definition notes

  • We recommend you use lower case, although keywords in a signature are not case-sensitive.
  • To match patterns using --pattern, you must enclose the pattern in double quotation marks (") and follow it with a semicolon. The special characters (" ; \ | :) must be written as (|22|, |3B| or |3b|, |5C| or |5c|, |7C| or |7c|, |3A| or |3a|). Although you can use backslash (\) to escape any character except a semicolon (;), we do not recommend this.
  • To match patterns using --pcre, you must enclose the pattern in double quotation marks (") and follow it with a semicolon (;). The special characters (" ; /) must be written as (\x22, \x3B or \x3b, \x2F or \x2f). Regular expressions should conform to the Perl Compatible Regular Expression (PCRE) standard. See pcre for syntax details.
  • If some encoded content is always the same, you can make a signature to match the encoded form. This allows for detection of the encoded content, even though the engine does not support decoding.
  • Do not use the no_case option on a non-alphabetic pattern.
  • Do not use the no_case option on case-sensitive patterns.
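
The quoting rules above are easy to get wrong by hand, so the following added example (not Fortinet code; all function names are hypothetical) applies them mechanically to a raw string before it is placed in a signature. It assumes the upper-case hex forms, which the notes list as equivalent to the lower-case ones, and it checks only the non-alphabetic no_case rule, because whether a pattern is case-sensitive is a judgment the signature author has to make.

```python
# Added example: helpers for the --pattern / --pcre quoting rules (names are hypothetical).
PATTERN_ESCAPES = {'"': "|22|", ";": "|3B|", "\\": "|5C|", "|": "|7C|", ":": "|3A|"}
PCRE_ESCAPES = {'"': r"\x22", ";": r"\x3B", "/": r"\x2F"}


def escape_pattern(literal: str) -> str:
    """Encode a literal string for use as a --pattern value."""
    # Single pass per character, so the pipes emitted here are never re-escaped.
    return "".join(PATTERN_ESCAPES.get(ch, ch) for ch in literal)


def escape_pcre(regex: str) -> str:
    """Encode the characters that may not appear raw in a --pcre value."""
    out, i = [], 0
    while i < len(regex):
        ch = regex[i]
        if ch == "\\" and i + 1 < len(regex):
            nxt = regex[i + 1]
            # A backslash-escaped special character is already a literal:
            # emit its hex form and drop the backslash. Other pairs pass through.
            out.append(PCRE_ESCAPES.get(nxt, ch + nxt))
            i += 2
            continue
        out.append(PCRE_ESCAPES.get(ch, ch))
        i += 1
    return "".join(out)


def no_case_allowed(literal: str) -> bool:
    """False when the raw pattern has no alphabetic character (no_case must not be used)."""
    return any(ch.isalpha() for ch in literal)


def pattern_option(literal: str) -> str:
    """Build the option text: quoted, escaped, and followed by a semicolon."""
    return f'--pattern "{escape_pattern(literal)}";'


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real signature.
    print(pattern_option('cmd.exe /c "a;b|c:\\d"'))
    print(escape_pcre(r'GET\s+/admin;id="\d+"'))
    print(no_case_allowed("200 443"))
```

Run `no_case_allowed` on the raw string, not on the escaped output, because the hex forms such as |3A| contain letters.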
