Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Custom IPS and Application Control Signature Syntax Guide

    Home IPS Engine 7.4.0 Custom IPS and Application Control Signature Syntax Guide
    7.4.0
    7.6.0
    7.4.0
    7.2.0
    7.1.0
    7.0.0
    6.4.0
    6.2.0
    5.2.0
    3.6.0

    byte_jump, byte_test

    byte_jump, byte_test

    Use the byte_jump keyword to move the reference point. The distance to be skipped is calculated from the value of bytes at a specified offset.

    Use the byte_test keyword to compare the value of bytes at the specified offset with a given value. The keyword does not move the reference point.

    If the data to be processed or skipped is beyond the end of the packet, the option is considered unmatched.

    Syntax:
    --byte_jump <”|bytes>,<offset|variable>[,<multiplier>[,modifiers]];
    --byte_test <”|bytes>,<op>,<value>,<offset>[,<multiplier>[,modifiers]];

    <field>

    Description

    *|bytes

    Specifies the number of bytes from the payload to be converted. The value to be converted can be an ASCII string or binary.

    If the value is in binary, select between 1,2, or 4 bytes to be converted.

    If the value is an ASCII string, use the string modifier. For a fixed length ASCII field, specify the field's length. If it is a variable length ASCII field, use *, which will convert all bytes from the offset until the first nondigit character in the chosen base has been detected.

    op

    Defines the operator used to compare the value converted from the packet with the value specified. The following operators are accepted:

    >

    The value converted must be greater than the value specified.

    <

    The value converted must be less than the value specified.

    =

    The value converted must be equal to the value specified.

    !

    The value converted must be not equal to the value specified.

    &

    The value converted AND the value specified must be not equal to zero.

    ~

    The value converted AND the value specified must be equal to zero.

    ^

    The value converted XOR the value specified must be not equal to zero.

    value

    This is only used to match content in the URI field of an HTTP request.

    Specifies the value to be compared. A hexadecimal number can be specified with the prefix 0x.

    This also accepts variables and arithmetic operations (+ * /).

    The following predefined variable is accepted:

    $PKT_SIZE: the data will be compared with the packet size

    offset

    Specifies the starting point where the content should be converted in the payload. Negative offsets are accepted. See the relative modifier for more details.

    multiplier

    Optional. It must be a numerical value when present. The converted value multiplied by this number is the result to be compared or skipped.

    modifiers

    Accepts a combination (separated by commas) of the following values:

    relative

    Indicates that the offset should start from the last match point. Without it, the offset starts from the beginning of the packet.

    big

    Indicates that the data to be converted is in big endian (default).

    little

    Indicates that the data to be converted is in little endian.

    string

    Indicates that the data to be converted is a string.

    hex

    Indicates that the data to be converted is in hexadecimal.

    dec

    Indicates that the data to be converted is in decimal.

    oct

    Indicates that the data to be converted is in octal.

    align

    Rounds the number of converted bytes up to the next 32bit boundary, only used with byte_jump.
    Examples:
    --byte_jump 4,0,relative;
    --byte_test 4,>,3536,0,relative;
    --byte_jump 4,20,relative,align;
    --byte_jump 4,0,4,relative,little;
    --byte_test 4,>,0x7FFF,4,relative;
    --byte_ttest 4,>,$PKT_SIZE,4,relative;
    --byte_test 4,>,$PKT_SIZE,4,2,relative;
    Previous
    Next

    byte_jump, byte_test

    byte_jump, byte_test

    Use the byte_jump keyword to move the reference point. The distance to be skipped is calculated from the value of bytes at a specified offset.

    Use the byte_test keyword to compare the value of bytes at the specified offset with a given value. The keyword does not move the reference point.

    If the data to be processed or skipped is beyond the end of the packet, the option is considered unmatched.

    Syntax:
    --byte_jump <”|bytes>,<offset|variable>[,<multiplier>[,modifiers]];
    --byte_test <”|bytes>,<op>,<value>,<offset>[,<multiplier>[,modifiers]];

    <field>

    Description

    *|bytes

    Specifies the number of bytes from the payload to be converted. The value to be converted can be an ASCII string or binary.

    If the value is in binary, select between 1,2, or 4 bytes to be converted.

    If the value is an ASCII string, use the string modifier. For a fixed length ASCII field, specify the field's length. If it is a variable length ASCII field, use *, which will convert all bytes from the offset until the first nondigit character in the chosen base has been detected.

    op

    Defines the operator used to compare the value converted from the packet with the value specified. The following operators are accepted:

    >

    The value converted must be greater than the value specified.

    <

    The value converted must be less than the value specified.

    =

    The value converted must be equal to the value specified.

    !

    The value converted must be not equal to the value specified.

    &

    The value converted AND the value specified must be not equal to zero.

    ~

    The value converted AND the value specified must be equal to zero.

    ^

    The value converted XOR the value specified must be not equal to zero.

    value

    This is only used to match content in the URI field of an HTTP request.

    Specifies the value to be compared. A hexadecimal number can be specified with the prefix 0x.

    This also accepts variables and arithmetic operations (+ * /).

    The following predefined variable is accepted:

    $PKT_SIZE: the data will be compared with the packet size

    offset

    Specifies the starting point where the content should be converted in the payload. Negative offsets are accepted. See the relative modifier for more details.

    multiplier

    Optional. It must be a numerical value when present. The converted value multiplied by this number is the result to be compared or skipped.

    modifiers

    Accepts a combination (separated by commas) of the following values:

    relative

    Indicates that the offset should start from the last match point. Without it, the offset starts from the beginning of the packet.

    big

    Indicates that the data to be converted is in big endian (default).

    little

    Indicates that the data to be converted is in little endian.

    string

    Indicates that the data to be converted is a string.

    hex

    Indicates that the data to be converted is in hexadecimal.

    dec

    Indicates that the data to be converted is in decimal.

    oct

    Indicates that the data to be converted is in octal.

    align

    Rounds the number of converted bytes up to the next 32bit boundary, only used with byte_jump.
    Examples:
    --byte_jump 4,0,relative;
    --byte_test 4,>,3536,0,relative;
    --byte_jump 4,20,relative,align;
    --byte_jump 4,0,4,relative,little;
    --byte_test 4,>,0x7FFF,4,relative;
    --byte_ttest 4,>,$PKT_SIZE,4,relative;
    --byte_test 4,>,$PKT_SIZE,4,2,relative;
    Previous
    Next