Creating IPS and application control signatures
IPS and application control signatures allow you to identify packet types as they pass through your FortiGate. After you create a signature that identifies a certain packet type, you add the signature to an IPS or application control sensor. Within the sensor you specify the action to apply to packets that match the signature: block, monitor, allow, or quarantine. You then add the sensor to a firewall policy. When the firewall policy accepts a packet that matches your custom signature, the FortiGate takes the specified action with the packet.
IPS signatures employ a lightweight signature definition language to identify packets. All signatures include a type header (F-SBID) and a series of option/value pairs. You use the option/value pairs to uniquely identify a packet. Each option starts with -- followed by the option name, a space, and usually an option value. Option names are case-insensitive and some options do not need a value. Custom signatures can be up to 4 095 characters long.
Custom signature syntax:
F-SBID( --<option1> [<value1>]; --<option2> [<value2>];...)
IPS signatures include the following option types:
- Protocol: options to inspect IP/ICMP/UDP/TCP protocol headers for the value paired with the option.
- Payload: options to inspect the packet payload for the value paired with the option.
- Special: options to inspect other aspects (such as application control) of the packet for the value paired with the option.
- Application options: options to inspect other aspects unique to application control for the value paired with the option.