Fortinet Network Device IPS User Manual

Custom signatures

Creating custom signatures

FortiGate IPS User Guide Version 3.0 MR7
01-30007-0080-20080916

25

Table 4: Content keywords

Keyword and value

Description

--byte_jump
,
[, relative]
[, big] [, little]
[, string] [, hex]
[, dec] [, oct]
[, align];

Use the byte_jump option to extract a number of

bytes from a packet, convert them to their numeric

representation, and jump the match reference up that

many bytes (for further pattern matching or byte

testing). This keyword allows relative pattern matches

to take into account numerical values found in network

data.
The available keyword options include:
•

: The number of bytes to
examine from the packet.

•

: The number of bytes into the payload to
start processing.

•

relative: Use an offset relative to last pattern
match.

•

big: Process the data as big endian (default).

•

little: Process the data as little endian.

•

string: The data is a string in the packet.

•

hex: The converted string data is represented in
hexadecimal notation.

•

dec: The converted string data is represented in
decimal notation.

•

oct: The converted string data is represented in
octal notation.

•

align: Round up the number of converted bytes to
the next 32-bit boundary.