FortiGate IPS User Guide Version 3.0 MR7

28

01-30007-0080-20080916

Creating custom signatures

Custom signatures

Table 4: Content keywords (Continued)

Keyword and value: --pcre [!]"(/<regex>/|m<delim><regex><delim>)[ismxAEGRUB]";

Description: Similar to the pattern keyword, pcre is used to specify a pattern using Perl-compatible regular expressions (PCRE). A pcre keyword can be followed by a context keyword to define where to look for the pattern in the packet. If no context keyword is present, the FortiGate unit looks for the pattern anywhere in the packet buffer. For more information about PCRE syntax, go to http://www.pcre.org.

The switches include:

i: Case insensitive.

s: Include newlines in the dot metacharacter.

m: By default, the string is treated as one big line of characters. ^ and $ match at the beginning and end of the string. When m is set, ^ and $ match immediately following or immediately before any newline in the buffer, as well as the very start and very end of the buffer.

x: White space data characters in the pattern are ignored except when escaped or inside a character class.

A: The pattern must match only at the start of the buffer (same as ^).

E: Set $ to match only at the end of the subject string. Without E, $ also matches immediately before the final character if it is a newline (but not before any other newlines).

G: Invert the "greediness" of the quantifiers so that they are not greedy by default, but become greedy if followed by ?.

R: Match relative to the end of the last pattern match (similar to distance:0;).

U: Deprecated, see the context keyword. Match the decoded URI buffers.

Keyword and value: --uri [!]"<uri_str>";

Description: Deprecated, see the pattern and context keywords. The FortiGate unit will search for the URI in the packet payload. The URI must be enclosed in double quotes. To have the FortiGate unit search for a packet that does not contain the specified URI, add an exclamation mark (!) before the URI. Multiple content items can be specified in one rule. The value can contain mixed text and binary data. The binary data is generally enclosed within the pipe (|) character. The double quote ("), pipe (|) and colon (:) characters must be escaped using a backslash if specified in a URI string.

Keyword and value: --within <int>;

Description: When used with the distance keyword, the FortiGate unit searches for the contents within the specified number of bytes of the payload. The within value must be between 0 and 65535.
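As an added example (not from the Fortinet guide or FortiOS itself), the following Python script emulates how the i, s, m, A and E switches change whether a --pcre keyword fires on a constructed HTTP request buffer, so a rule can be sanity-checked before it is loaded. The parser and the switch-to-flag mapping are hypothetical helpers built on Python's re module; only the /<regex>/ form, the ! prefix and those switches are handled (G, R, U and B are ignored).

```python
import re

# Python re flags for the FortiGate pcre switches that map directly.
# G, R, U and B have no equivalent here; A and E are emulated below.
SWITCH_FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE, "x": re.VERBOSE}

# Value part of a --pcre keyword in the /<regex>/ form: [!]"/<regex>/[switches]"
KEYWORD_RE = re.compile(r'^(!?)"/(.*)/([ismxAEGRUB]*)"$', re.DOTALL)

# Constructed sample HTTP request buffer used by the checks below.
SAMPLE_BUFFER = (b"GET /index.html HTTP/1.1\r\n"
                 b"Host: example.test\r\n"
                 b"User-Agent: TestClient\r\n\r\n")


def parse_pcre_keyword(value):
    """Split '[!]"/<regex>/<switches>";' into (negated, regex, switches)."""
    m = KEYWORD_RE.match(value.strip().rstrip(";"))
    if not m:
        raise ValueError(f"unrecognised pcre value: {value!r}")
    negated, regex, switches = m.groups()
    return negated == "!", regex, switches


def pcre_matches(value, buffer):
    """Return True when the --pcre keyword `value` fires on `buffer` (bytes)."""
    negated, pattern, switches = parse_pcre_keyword(value)
    flags = 0
    for sw in switches:
        flags |= SWITCH_FLAGS.get(sw, 0)
    if "A" in switches:
        # Anchor at the very start of the buffer, like the A switch / PCRE_ANCHORED.
        pattern = r"\A(?:" + pattern + ")"
    if "E" in switches and pattern.endswith("$") and not pattern.endswith(r"\$"):
        # E (DOLLAR_ENDONLY): a trailing $ must match at the true end of the
        # buffer, not before a final newline. Only a trailing $ is rewritten.
        pattern = pattern[:-1] + r"\Z"
    found = re.search(pattern.encode(), buffer, flags) is not None
    return found != negated   # the ! prefix inverts the result
```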