parsed_type

Use the parsed_type keyword to match a packet or session attribute that can be identified by the dissectors. A signature can have more than one --parsed_type keyword.

Syntax:
--parsed_type <type>;

<type>

Description

SSL_PCT

SSL_V2

SSL_V3

TLS_V1

TLS_V2

These types are used to identify the SSL and TLS versions.

SOCK4

SOCK5

These match sessions using the SOCKS 4 or SOCKS 5 proxy protocols.

HTTP_GET

The HTTP request method to be matched is GET. This is valid for the lifetime of the request.

In most cases, a signature using --parsed_type, similar to the one below:

--service HTTP; --parsed_type HTTP_GET;

can replace a pattern-based signature like this:

--service HTTP; --pattern "GET|20|"; --context uri; --within 4,context;

HTTP_POST

The HTTP request method to be matched is POST. This is valid for the lifetime of the request.

HTTP_CHUNKED

The Transfer-Encoding type of the HTTP request to be matched is chunked. This is valid for the lifetime of the request.

In most cases, a signature using the parsed_type keyword, similar to the one below:

--parsed_type HTTP_CHUNKED;

can replace one that looks for strings, like this:

--service HTTP; --pattern "Transfer-Encoding"; --context header; --no_case; --pattern "chunked"; --context header; --no_case; --distance 1;

Examples:
--parsed_type HTTP_POST;
--parsed_type HTTP_GET;
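
To show what matching on a dissector-identified attribute buys over matching strings, the added example below (not Fortinet code, and not how the IPS engine is implemented) derives the HTTP_GET, HTTP_POST and HTTP_CHUNKED labels from a parsed request and compares the result with a simplified substring check. The function names, the sample requests, and the assumption that every listed parsed_type must hold are all constructed for illustration.

```python
# Added illustration; not Fortinet code. Labels mirror the page's <type> names.

def dissect(raw: bytes) -> set:
    """Parse one HTTP request head and return the parsed_type labels it earns."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    types = set()
    if method == "GET":
        types.add("HTTP_GET")
    elif method == "POST":
        types.add("HTTP_POST")
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        # Header names are case-insensitive; the value is a comma-separated list.
        if sep and name.strip().lower() == "transfer-encoding":
            codings = [c.strip().lower() for c in value.split(",")]
            if "chunked" in codings:
                types.add("HTTP_CHUNKED")
    return types


def naive_chunked(raw: bytes) -> bool:
    """Simplified stand-in for string matching: both words appear in the head, in order."""
    head = raw.split(b"\r\n\r\n", 1)[0].lower()
    i = head.find(b"transfer-encoding")
    return i != -1 and head.find(b"chunked", i + 1) != -1


def matches(required, raw: bytes) -> bool:
    """Assumption: every listed parsed_type must hold for the request."""
    return set(required) <= dissect(raw)


# Constructed sample requests.
CHUNKED_POST = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                b"transfer-encoding:  gzip, Chunked\r\n\r\n0\r\n\r\n")
LOOKALIKE_GET = (b"GET /?q=transfer-encoding HTTP/1.1\r\nHost: example.test\r\n"
                 b"Cookie: mode=chunked\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("chunked POST", CHUNKED_POST), ("lookalike GET", LOOKALIKE_GET)):
        print(label, sorted(dissect(req)), "naive:", naive_chunked(req))
```

The lookalike request trips the substring check because both words occur in unrelated fields, while the parsed attribute is set only when the Transfer-Encoding header itself lists chunked.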
