Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Custom IPS and Application Control Signature Syntax Guide

    Home IPS Engine 7.0.0 Custom IPS and Application Control Signature Syntax Guide
    7.0.0
    7.6.0
    7.4.0
    7.2.0
    7.1.0
    7.0.0
    6.4.0
    6.2.0
    5.2.0
    3.6.0

    distance, distance_abs, within, within_abs

    distance, distance_abs, within, within_abs

    Use these four keywords to specify the range (in bytes) of where the engine will search for a pattern.

    • distance indicates the offset from the last reference point to start searching for a pattern
    • within indicates the range of bytes from the last reference point which the engine should search for a pattern.
    Syntax:
    --distance <range> [,<refer>];
    --distance_abs <range>[,<refer>];
    --within <range>[, <refer>];
    --within_abs <range>[, <refer>];

    The <refer> field is the reference point for the <range>. If it is not included, the default is MATCH.

    <refer>

    Description

    MATCH

    The reference is the last matched pattern. This is the default setting.

    PACKET

    The reference is the beginning of the packet.

    CONTEXT

    The reference is the beginning of the pattern context.

    REVERSE

    Search for the pattern relative to the end of the packet or context. This is only accepted with the --distance option, and the reference must be PACKET or CONTEXT.

    LASTTAG

    The reference is the one set by last PSET.
    Examples:

    Search for the pattern within 50 bytes of the last matched pattern:

    --pattern "/disp_album.php?"; --context uri; --no_case; --within 50,context;
    --pattern "|05 00|"; --distance 0; --pattern "|6e 00|"; --distance 5; --within
2;

    Count 10 bytes back from the end of the packet, then search for the pattern within 5 bytes:

    --pattern "Host: "; --context header; --pattern !"|0a|"; --context header; --
within_abs 80; --distance 10,packet,reverse; --within 5,packet;

    Notes

    • If you use the keywords distance and within with the first pattern of a signature, set the <refer> field to context, as there are no previous matched patterns.
    • The keywords distance and distance_abs indicate the minimum distance from the end of the last reference point to the beginning of the current pattern. The distance is counted from the next character after the last reference point. Both these keywords support negative range value. In this case, distance does not require the designated amount of data before the reference point while distance_abs does. For example, the following signature makes sure no ? character is before the /BBBB pattern in the URI:
      --pattern "/BBBB"; --context uri; --within 200,context; --pattern!"?"; --context uri; --distance 200; --within 200;

      This signature works even if the /BBBB pattern in the URI is not preceded by 200 bytes of data.

    • The keywords within and within_abs require that the whole pattern appear within the given range following the last reference point. If the distance or distance_abs keywords are also present, with the same reference point, the pattern will be matched from the specified distance to the range of bytes specified by the within or within_abs keywords.
    • Use the keywords distance_abs and within_abs only for negative matches (patterns with the ! modifier). They indicate that the buffer following the reference point must be longer than or equal to the value specified by <range>. Compare the following two cases:
      --pattern !"|0a|"; --within 100,match;
      --pattern !"|0a|"; --within_abs 100,match;
    • If the buffer after the previous match is shorter than 100, the first signature is matched. It is not recommended to use distance_abs and within_abs for a positive match because the behavior of these keywords is unreliable. It is better to use the keyword data_at instead.

      For example:

      --pattern "BBBBBB"; --pattern "DDDDDD"; --within_abs 200;
      --pattern "BBBBBB"; --data_at 200,relative; --pattern "DDDDDD";

      These two signatures are equivalent but the second one is recommended for a reliable match. A negative <range> value can be used to specify the range before the reference. Different types and references can be combined as range modifiers.

    Previous
    Next

    distance, distance_abs, within, within_abs

    distance, distance_abs, within, within_abs

    Use these four keywords to specify the range (in bytes) of where the engine will search for a pattern.

    • distance indicates the offset from the last reference point to start searching for a pattern
    • within indicates the range of bytes from the last reference point which the engine should search for a pattern.
    Syntax:
    --distance <range> [,<refer>];
    --distance_abs <range>[,<refer>];
    --within <range>[, <refer>];
    --within_abs <range>[, <refer>];

    The <refer> field is the reference point for the <range>. If it is not included, the default is MATCH.

    <refer>

    Description

    MATCH

    The reference is the last matched pattern. This is the default setting.

    PACKET

    The reference is the beginning of the packet.

    CONTEXT

    The reference is the beginning of the pattern context.

    REVERSE

    Search for the pattern relative to the end of the packet or context. This is only accepted with the --distance option, and the reference must be PACKET or CONTEXT.

    LASTTAG

    The reference is the one set by last PSET.
    Examples:

    Search for the pattern within 50 bytes of the last matched pattern:

    --pattern "/disp_album.php?"; --context uri; --no_case; --within 50,context;
    --pattern "|05 00|"; --distance 0; --pattern "|6e 00|"; --distance 5; --within
2;

    Count 10 bytes back from the end of the packet, then search for the pattern within 5 bytes:

    --pattern "Host: "; --context header; --pattern !"|0a|"; --context header; --
within_abs 80; --distance 10,packet,reverse; --within 5,packet;

    Notes

    • If you use the keywords distance and within with the first pattern of a signature, set the <refer> field to context, as there are no previous matched patterns.
    • The keywords distance and distance_abs indicate the minimum distance from the end of the last reference point to the beginning of the current pattern. The distance is counted from the next character after the last reference point. Both these keywords support negative range value. In this case, distance does not require the designated amount of data before the reference point while distance_abs does. For example, the following signature makes sure no ? character is before the /BBBB pattern in the URI:
      --pattern "/BBBB"; --context uri; --within 200,context; --pattern!"?"; --context uri; --distance 200; --within 200;

      This signature works even if the /BBBB pattern in the URI is not preceded by 200 bytes of data.

    • The keywords within and within_abs require that the whole pattern appear within the given range following the last reference point. If the distance or distance_abs keywords are also present, with the same reference point, the pattern will be matched from the specified distance to the range of bytes specified by the within or within_abs keywords.
    • Use the keywords distance_abs and within_abs only for negative matches (patterns with the ! modifier). They indicate that the buffer following the reference point must be longer than or equal to the value specified by <range>. Compare the following two cases:
      --pattern !"|0a|"; --within 100,match;
      --pattern !"|0a|"; --within_abs 100,match;
    • If the buffer after the previous match is shorter than 100, the first signature is matched. It is not recommended to use distance_abs and within_abs for a positive match because the behavior of these keywords is unreliable. It is better to use the keyword data_at instead.

      For example:

      --pattern "BBBBBB"; --pattern "DDDDDD"; --within_abs 200;
      --pattern "BBBBBB"; --data_at 200,relative; --pattern "DDDDDD";

      These two signatures are equivalent but the second one is recommended for a reliable match. A negative <range> value can be used to specify the range before the reference. Different types and references can be combined as range modifiers.

    Previous
    Next