Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Custom IPS and Application Control Signature Syntax Guide

    Home IPS Engine 7.4.0 Custom IPS and Application Control Signature Syntax Guide
    7.4.0
    7.6.0
    7.4.0
    7.2.0
    7.1.0
    7.0.0
    6.4.0
    6.2.0
    5.2.0
    3.6.0

    data_size

    data_size

    The data_size keyword was originally used to test the TCP/UDP/ICMP payload size of the packet being inspected. It has since been extended to support other size related fields in application protocols.

    Because TCP is stream-based, not packet-based, the sender can intentionally fragment the original packets before they are transmitted to evade detection. For this reason using data_size on TCP packets may not always be reliable.

    Syntax: 
    --data_size [op]<value[,field];

    [op] is not required. The following operators are accepted:

    <op>

    Description

    >

    The data size must be greater than the value specified.

    <

    The data size must be less than the value specified.

    =

    The data size must be equal to the value specified. When [op] is not present, this is the default operator.

    <value> is required. It is a decimal number that specifies the data size.

    [field] is optional. One of the following keywords can be used:

    [field]

    Description

    payload

    The TCP/UDP/ICMP payload size is checked. This is the default setting.

    uri

    The URI length is checked.

    header

    The length of the header is checked.

    body

    The length of the body is checked.

    http_content

    The value of "Content-Length:" in an HTTP header is checked.

    http_chunk

    The chunk length value in the chunk header is checked.

    http_host

    The length of the "HOST:" line in an HTTP header is checked. The length count includes CRLF characters, the field name "HOST:", all white spaces between the field name to the field value, and the field value.

    For example,"HOST: www.example.com\r\n" has a data_size of 25.

    smtp_bdat

    The SMTP data length in a BDAT command is checked.

    smtp_xexch50

    The SMTP data length in an XEXCH50 command is checked.
    Examples:
    --data_size <128;
    --pattern "/admin_/help/"; --context uri; --no_case; --data_size >1024,uri;
    --parsed_type HTTP_POST: --pattern "nsiislog.dll"; -context uri; --no_case: --data_size >1000,http_content;
    Previous
    Next

    data_size

    data_size

    The data_size keyword was originally used to test the TCP/UDP/ICMP payload size of the packet being inspected. It has since been extended to support other size related fields in application protocols.

    Because TCP is stream-based, not packet-based, the sender can intentionally fragment the original packets before they are transmitted to evade detection. For this reason using data_size on TCP packets may not always be reliable.

    Syntax: 
    --data_size [op]<value[,field];

    [op] is not required. The following operators are accepted:

    <op>

    Description

    >

    The data size must be greater than the value specified.

    <

    The data size must be less than the value specified.

    =

    The data size must be equal to the value specified. When [op] is not present, this is the default operator.

    <value> is required. It is a decimal number that specifies the data size.

    [field] is optional. One of the following keywords can be used:

    [field]

    Description

    payload

    The TCP/UDP/ICMP payload size is checked. This is the default setting.

    uri

    The URI length is checked.

    header

    The length of the header is checked.

    body

    The length of the body is checked.

    http_content

    The value of "Content-Length:" in an HTTP header is checked.

    http_chunk

    The chunk length value in the chunk header is checked.

    http_host

    The length of the "HOST:" line in an HTTP header is checked. The length count includes CRLF characters, the field name "HOST:", all white spaces between the field name to the field value, and the field value.

    For example,"HOST: www.example.com\r\n" has a data_size of 25.

    smtp_bdat

    The SMTP data length in a BDAT command is checked.

    smtp_xexch50

    The SMTP data length in an XEXCH50 command is checked.
    Examples:
    --data_size <128;
    --pattern "/admin_/help/"; --context uri; --no_case; --data_size >1024,uri;
    --parsed_type HTTP_POST: --pattern "nsiislog.dll"; -context uri; --no_case: --data_size >1000,http_content;
    Previous
    Next