Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Custom IPS and Application Control Signature Syntax Guide

    Home IPS Engine 7.2.0 Custom IPS and Application Control Signature Syntax Guide
    7.2.0
    7.6.0
    7.4.0
    7.2.0
    7.1.0
    7.0.0
    6.4.0
    6.2.0
    5.2.0
    3.6.0

    tag

    tag

    Use this keyword in a signature to mark a session with a named tag, or to check whether a tag has been set for a session.

    Pattern matching with IPS signatures is essentially packet-based. The tag keyword is mainly used when attack patterns appear in more than one packet or in different directions. A signature that matches an earlier packet in an attack can mark the session with a named tag, and the existence of the tag can be tested when ensuing packets in the same session are scanned.

    The matching algorithm guarantees the order in which signatures are scanned. The signatures are sorted based on their tag dependencies. During packet inspection, the signatures are matched in this order, so that signatures that depend on other signatures are always scanned later in the process.

    Syntax:
    --tag <op>, [!}<name>[,timer,tuple[,all_sessions]];

    <name> indicates the name of a tag.

    [!] is only allowed in test operations. It returns true if the tag does not exist.

    The <op> value determines which operation is performed.

    <op>

    Description

    set

    Mark the session with a named tag.

    pset

    Mark the session with a named tag and remember the last reference point. This reference point can be referred by using lasttag for keywords distance, within, distance_abs, and within_abs.

    clear

    Remove the specified tag from the session.

    toggle

    Toggle the specified tag (set <=> clear) in the session.

    test

    Test the existence of the specified tag. Add ! if the signature is to test the nonexistence of the specified tag.

    reset

    Clear all tags from the session.

    quiet

    Suppress logging when the signature is matched and ignores the signature’s action. QUIET is normally included in the signature that SET the tag. Signatures with --tag set; should also have --tag quiet and --status hidden;.

    cset

    Set a cross session tag. Modifier timer, tuple and all_sessions are valid only when the op is cset. These modifiers altogether define which session should be marked with the named tag.

    timer

    The tag will be automatically removed after given seconds. If it equals 0 the specified tag will be removed immediately.

    tuple

    Accepts a combination (separated by ",") of src_ip, dst_ip, src_port, dst_port, and protocol. To reduce the performance impact, it only accepts following combinations:

    src_ip

    dst_ip

    src_ip,dst_ip

    src_ip,dst_ip,dst_port

    src_ip,dst_ip,dst_port,protocol

    src_ip,dst_ip,protocol

    src_ip,protocol

    src_ip,src_port

    src_ip,src_port,protocol

    dst_ip,dst_port

    dst_ip,protocol

    Dst_ip,dst_port,protocol

    all_sessions

    Copy the tag into both existing and new sessions. Without this, engine only copies the tag to the new sessions to reduce the performance impact.
    Note

    The name of a tag should only contain printable characters. It should not contain spaces, commas, exclamation marks, or semicolons.

    By default, a newly-created tag is in the un-set state.

    Patterns in tag set and tag test signatures can appear in the same packet together.
    Examples:
    --tag set,Tag.Rsync.Argument;
    --tag clear,tag.login;
    --tag test,Tag.Rsync.Argument;
    --tag test, !DHTML.EDIT.CONTROL.CLSID;
    Previous
    Next

    tag

    tag

    Use this keyword in a signature to mark a session with a named tag, or to check whether a tag has been set for a session.

    Pattern matching with IPS signatures is essentially packet-based. The tag keyword is mainly used when attack patterns appear in more than one packet or in different directions. A signature that matches an earlier packet in an attack can mark the session with a named tag, and the existence of the tag can be tested when ensuing packets in the same session are scanned.

    The matching algorithm guarantees the order in which signatures are scanned. The signatures are sorted based on their tag dependencies. During packet inspection, the signatures are matched in this order, so that signatures that depend on other signatures are always scanned later in the process.

    Syntax:
    --tag <op>, [!}<name>[,timer,tuple[,all_sessions]];

    <name> indicates the name of a tag.

    [!] is only allowed in test operations. It returns true if the tag does not exist.

    The <op> value determines which operation is performed.

    <op>

    Description

    set

    Mark the session with a named tag.

    pset

    Mark the session with a named tag and remember the last reference point. This reference point can be referred by using lasttag for keywords distance, within, distance_abs, and within_abs.

    clear

    Remove the specified tag from the session.

    toggle

    Toggle the specified tag (set <=> clear) in the session.

    test

    Test the existence of the specified tag. Add ! if the signature is to test the nonexistence of the specified tag.

    reset

    Clear all tags from the session.

    quiet

    Suppress logging when the signature is matched and ignores the signature’s action. QUIET is normally included in the signature that SET the tag. Signatures with --tag set; should also have --tag quiet and --status hidden;.

    cset

    Set a cross session tag. Modifier timer, tuple and all_sessions are valid only when the op is cset. These modifiers altogether define which session should be marked with the named tag.

    timer

    The tag will be automatically removed after given seconds. If it equals 0 the specified tag will be removed immediately.

    tuple

    Accepts a combination (separated by ",") of src_ip, dst_ip, src_port, dst_port, and protocol. To reduce the performance impact, it only accepts following combinations:

    src_ip

    dst_ip

    src_ip,dst_ip

    src_ip,dst_ip,dst_port

    src_ip,dst_ip,dst_port,protocol

    src_ip,dst_ip,protocol

    src_ip,protocol

    src_ip,src_port

    src_ip,src_port,protocol

    dst_ip,dst_port

    dst_ip,protocol

    Dst_ip,dst_port,protocol

    all_sessions

    Copy the tag into both existing and new sessions. Without this, engine only copies the tag to the new sessions to reduce the performance impact.
    Note

    The name of a tag should only contain printable characters. It should not contain spaces, commas, exclamation marks, or semicolons.

    By default, a newly-created tag is in the un-set state.

    Patterns in tag set and tag test signatures can appear in the same packet together.
    Examples:
    --tag set,Tag.Rsync.Argument;
    --tag clear,tag.login;
    --tag test,Tag.Rsync.Argument;
    --tag test, !DHTML.EDIT.CONTROL.CLSID;
    Previous
    Next