IPS Signature

Custom IPS Signature

Custom Signature for FortiGate IPS Engine

Custom signature syntax is very sensitive (even to whitespace). Don't copy a signature from a web page; retype it.
See them here


DNS Zone Transfer

Signature

F-SBID( --attack_id 3746; --name "DNS.Zone-Transfer"; --default_action drop; --service DNS; --dst_port 53; --flow from_client; --pattern "|00 01 00 00 00 00 00|"; --distance 6,context; --within 10,context; --pattern "|00 00 FC 00 01|"; --distance 2; )

Log

date=2014-08-18 time=14:43:57 logid=0419016384 type=utm subtype=ips eventtype=signature level=alert vd="root" severity=critical srcip=192.168.1.110 dstip=8.8.8.8 srcintf="internal" dstintf="wan1" policyid=1 identidx=0 sessionid=68739 status=dropped proto=6 service=dns count=1 attackname="DNS.Zone-Transfer" srcport=16078 dstport=53 attackid=3746 sensor="aaaa" ref="http://www.fortinet.com/ids/VID3746" incidentserialno=1026310041 msg="custom: DNS.Zone-Transfer,"

Test

nslookup
> server 8.8.8.8
> set type=any
> ls google.com
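To see why the two byte patterns and the offset 6 work, here is an added example (not from the page or from Fortinet) that builds DNS queries as they appear on the wire and applies an approximation of the signature's two-pattern logic. Zone transfers run over TCP, and DNS over TCP prefixes every message with a 2-byte length, so QDCOUNT starts at offset 6 (length + ID + flags) rather than 4; the second pattern is the root label closing QNAME followed by QTYPE 252 (AXFR) and QCLASS 1 (IN). The matcher, the sample queries and the hostnames are constructed for the example; the engine's exact --within window semantics are not emulated.

```python
import struct

# Byte patterns copied from the page's F-SBID signature.
PATTERN_1 = bytes.fromhex("00010000000000")  # QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, high byte of ARCOUNT
PATTERN_2 = bytes.fromhex("0000fc0001")      # root label ending QNAME, QTYPE=252 (AXFR), QCLASS=1 (IN)
CONTEXT_OFFSET = 6                           # --distance 6,context: TCP length (2) + ID (2) + flags (2)
DISTANCE_2 = 2                               # --distance 2 before the second pattern

QTYPE_A, QTYPE_IXFR, QTYPE_AXFR = 1, 251, 252


def encode_qname(name: str) -> bytes:
    """RFC 1035 label encoding: length-prefixed labels terminated by the root (zero-length) label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_dns_query(qname: str, qtype: int, tcp: bool = True, txid: int = 0x1234) -> bytes:
    """Single-question DNS query as sent on the wire (flags 0x0100 = standard query, RD set).
    With tcp=True the 2-byte length prefix of DNS over TCP (RFC 1035 4.2.2) is added."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_qname(qname) + struct.pack(">HH", qtype, 1)
    message = header + question
    return struct.pack(">H", len(message)) + message if tcp else message


def matches_zone_transfer(payload: bytes) -> bool:
    """Approximation (assumption) of the signature: pattern 1 must start exactly at CONTEXT_OFFSET,
    pattern 2 must appear at least DISTANCE_2 bytes after pattern 1 ends; the search for pattern 2 is
    unbounded because no --within follows it in the signature."""
    end_1 = CONTEXT_OFFSET + len(PATTERN_1)
    if payload[CONTEXT_OFFSET:end_1] != PATTERN_1:
        return False
    return payload.find(PATTERN_2, end_1 + DISTANCE_2) != -1


def classify_samples() -> dict:
    """Constructed queries: which ones the signature would drop."""
    samples = {
        "axfr_tcp": build_dns_query("google.com", QTYPE_AXFR, tcp=True),   # what `ls google.com` sends
        "a_tcp": build_dns_query("google.com", QTYPE_A, tcp=True),         # ordinary lookup over TCP
        "ixfr_tcp": build_dns_query("google.com", QTYPE_IXFR, tcp=True),   # incremental transfer, QTYPE 251
        "axfr_udp": build_dns_query("google.com", QTYPE_AXFR, tcp=False),  # no length prefix: offsets shift by 2
    }
    return {name: matches_zone_transfer(query) for name, query in samples.items()}


if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{name:9s} -> {'DROP' if hit else 'pass'}")
```

The UDP case shows the signature's dependence on the TCP framing (the page's own log line reports proto=6); an AXFR request sent over UDP, which a server would normally refuse anyway, would not match. IXFR (QTYPE 251) is also outside the pattern, so add a second signature if you want to cover it.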


Result


SQL Injection

Signature

F-SBID( --name "Web.SQL.Injection"; --default_action drop; --protocol tcp; --service HTTP; --flow from_client; --pcre "/[+]+or[+]+[\d]+=[\d]+/"; )

Matches "or 1=1" and similar, with + as the URL-encoded space (for example id=1+or+1=1). The regex is case-sensitive and only covers the + encoding, so "OR" or %20-separated variants pass. Check the regex on http://www.regexr.com/


XSS

Signature

F-SBID( --name "Web.XSS.Script"; --default_action drop; --protocol tcp; --service HTTP; --flow from_client; --pattern "%3Cscript%3E"; )

Matches the URL-encoded string <script> (%3Cscript%3E) in client requests. The pattern is a case-sensitive literal, so %3cscript%3e with lowercase hex digits or a raw <script> in a POST body is not caught.


Web Error Page

Signature

F-SBID( --name "Web.SQL.Syntax.Error"; --default_action drop; --protocol tcp; --service HTTP; --flow from_server; --pattern "execute failed: You have an error in your SQL syntax"; )

Drops the server response, so the user never sees an error page containing the MySQL syntax-error message, which leaks query structure to an attacker probing for SQL injection.


Web Directory Browsing

Signature

F-SBID( --name "Web.Directory.Browsing"; --default_action drop; --protocol tcp; --service HTTP; --flow from_server; --pcre "/<ADDRESS>Apache[//][\d]+.[\d]+.[\d]+ Server at [\d]+.[\d]+.[\d]+.[\d]+ Port 80<[//]ADDRESS>/"; )

Drops Apache directory listings ("Index of /" pages) by matching the server signature footer. PCRE is case-sensitive by default and Apache emits the tag as lowercase <address>, and the text between the version and "Server at" depends on ServerTokens, so test the regex against a real listing from your own server before relying on it.
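The four HTTP signatures above (SQL injection, XSS, SQL syntax error, directory browsing) all reduce to a direction check plus either a literal substring or a regex. The following added example (written for this page, not Fortinet code) transcribes those match options and runs them over constructed request and response samples, so the hits and the misses of each signature can be seen side by side. The host names, addresses and payloads are made up; the directory-browsing regex assumes the opening <ADDRESS> tag that the page's copy lost.

```python
import re

# Match options transcribed from the page's four HTTP signatures. A --pattern is a literal,
# case-sensitive substring; a --pcre is a regular expression; --flow selects the direction.
SIGNATURES = [
    {"name": "Web.SQL.Injection", "flow": "from_client", "pcre": r"[+]+or[+]+[\d]+=[\d]+"},
    {"name": "Web.XSS.Script", "flow": "from_client", "pattern": "%3Cscript%3E"},
    {"name": "Web.SQL.Syntax.Error", "flow": "from_server",
     "pattern": "execute failed: You have an error in your SQL syntax"},
    {"name": "Web.Directory.Browsing", "flow": "from_server",   # <ADDRESS> assumed, see lead-in
     "pcre": r"<ADDRESS>Apache[//][\d]+.[\d]+.[\d]+ Server at [\d]+.[\d]+.[\d]+.[\d]+ Port 80<[//]ADDRESS>"},
]


def signature_hits(sig: dict, flow: str, payload: str) -> bool:
    """One signature against one payload travelling in the given direction."""
    if sig["flow"] != flow:
        return False
    if "pattern" in sig:
        return sig["pattern"] in payload
    return re.search(sig["pcre"], payload) is not None


def inspect(flow: str, payload: str) -> list:
    """Names of the signatures a single HTTP payload would trigger."""
    return [s["name"] for s in SIGNATURES if signature_hits(s, flow, payload)]


# Constructed traffic samples (not captured from a real system).
CRLF = "\r\n"
SAMPLES = [
    ("from_client", f"GET /item.php?id=1+or+1=1 HTTP/1.1{CRLF}Host: shop.example{CRLF}{CRLF}"),
    ("from_client", f"GET /item.php?id=1%20or%201=1 HTTP/1.1{CRLF}Host: shop.example{CRLF}{CRLF}"),      # %20, not +
    ("from_client", f"GET /item.php?id=1+OR+1=1 HTTP/1.1{CRLF}Host: shop.example{CRLF}{CRLF}"),          # upper-case OR
    ("from_client", f"GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1{CRLF}Host: shop.example{CRLF}{CRLF}"),
    ("from_client", f"GET /search?q=%3cscript%3ealert(1)%3c/script%3e HTTP/1.1{CRLF}Host: shop.example{CRLF}{CRLF}"),  # lower-case hex
    ("from_server", f"HTTP/1.1 200 OK{CRLF}Content-Type: text/html{CRLF}{CRLF}"
                    "<ADDRESS>Apache/2.2.22 Server at 192.168.1.20 Port 80</ADDRESS>"),
    ("from_server", f"HTTP/1.1 200 OK{CRLF}Content-Type: text/html{CRLF}{CRLF}"
                    "<address>Apache/2.2.22 Server at 192.168.1.20 Port 80</address>"),                  # lower-case tag
    ("from_server", f"HTTP/1.1 200 OK{CRLF}Content-Type: text/html{CRLF}{CRLF}"
                    "DBD::mysql::st execute failed: You have an error in your SQL syntax; check the manual"),
    ("from_server", f"HTTP/1.1 200 OK{CRLF}Content-Type: text/html{CRLF}{CRLF}You searched for: 1+or+1=1"),  # echoed, wrong direction
]


def run_samples() -> list:
    """Signature names triggered by each sample, in SAMPLES order."""
    return [inspect(flow, payload) for flow, payload in SAMPLES]


if __name__ == "__main__":
    for (flow, payload), hits in zip(SAMPLES, run_samples()):
        print(f"{flow:12s} {payload.splitlines()[0][:60]:60s} -> {hits or 'pass'}")
```

Samples 2, 3, 5 and 7 pass untouched, which is the practical limit of literal and case-sensitive matching: each of these signatures documents one encoding of the attack, and a tester only has to pick another. The last sample shows that --flow is part of the match, so a server echoing the injected string back does not trigger the client-side rule.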


Web Directory Harvesting

Signature

F-SBID( --name "Web.Directory.404.Guessing"; --default_action drop; --protocol tcp; --service HTTP; --flow from_server; --pcre "/<TITLE>404 Not Found<[//]TITLE>/"; --rate 10,60; --track src_ip; )

The user can't be served a 404 page too many times: if the server sends a 404 page to one IP address more than 10 times in 60 seconds, the traffic is blocked. This catches directory brute-forcing (dirb-style path guessing), which produces a burst of 404s from a single client.
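The --rate 10,60 / --track src_ip combination is a per-address sliding-window counter rather than a per-packet match. The added example below (written for this page, not Fortinet's implementation) emulates that counter over a constructed trace of server responses: a fast path-guesser, a normal visitor with a couple of dead links, and a slow scanner that stays under the rate. Addresses, timestamps and page bodies are made up; the exact firing boundary (the 11th match within 60 s, following the page's "more than 10 times") and the use of the client address as the tracked key are assumptions taken from the page's own description.

```python
import re
from collections import defaultdict, deque

# Parameters from the page's signature: --rate 10,60 and --track src_ip.
RATE_COUNT, RATE_SECONDS = 10, 60
# The page's pcre (assumes the <TITLE> tag is written without spaces).
NOT_FOUND_RE = re.compile(r"<TITLE>404 Not Found<[//]TITLE>")


class RateTracker:
    """Sliding-window counter keyed by the tracked address. Assumption: the action fires once the
    60-second window holds more than `count` matches, i.e. on the 11th 404 to the same client."""

    def __init__(self, count: int = RATE_COUNT, seconds: int = RATE_SECONDS):
        self.count, self.seconds = count, seconds
        self.windows = defaultdict(deque)

    def record(self, key: str, ts: float) -> bool:
        window = self.windows[key]
        window.append(ts)
        while window and ts - window[0] > self.seconds:   # expire matches older than the window
            window.popleft()
        return len(window) > self.count


def run_trace(events) -> list:
    """events: (timestamp, client_ip, response_body). Returns (timestamp, client_ip) for every
    response the signature would drop. Only responses matching the 404 pcre are counted."""
    tracker = RateTracker()
    dropped = []
    for ts, ip, body in events:
        if NOT_FOUND_RE.search(body) and tracker.record(ip, ts):
            dropped.append((ts, ip))
    return dropped


NOT_FOUND = "<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY>Not Found</BODY></HTML>"
OK_PAGE = "<HTML><HEAD><TITLE>Welcome</TITLE></HEAD><BODY>Hello</BODY></HTML>"


def constructed_events() -> list:
    """Constructed trace (not real traffic), sorted by time."""
    events = []
    # 192.168.1.110 guesses a new path every 2 seconds; every guess is a 404.
    events += [(2 * i, "192.168.1.110", NOT_FOUND) for i in range(15)]
    # 192.168.1.50 browses normally: mostly 200s, two dead links.
    events += [(5, "192.168.1.50", OK_PAGE), (9, "192.168.1.50", NOT_FOUND), (40, "192.168.1.50", NOT_FOUND)]
    # 192.168.1.77 guesses one path every 7 seconds: at most 9 404s fall in any 60-second window.
    events += [(7 * i, "192.168.1.77", NOT_FOUND) for i in range(20)]
    return sorted(events, key=lambda e: e[0])


if __name__ == "__main__":
    for ts, ip in run_trace(constructed_events()):
        print(f"t={ts:3d}s  drop 404 response to {ip}")
```

Only the fast scanner is ever blocked, starting with its 11th 404 at t=20 s; the slow scanner at one guess per 7 seconds never has more than nine 404s inside a 60-second window and walks through untouched, which is the usual trade-off of a fixed rate threshold. Note also that responses are counted only when the body matches the pcre, so a server whose 404 page uses a lowercase <title> would never feed the counter at all.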