SYN Flood Attacks
A SYN flood is a type of Denial of Service (DoS) attack. DoS is a class of attacks in which an attacker attempts to prevent legitimate users from accessing an Internet service, such as a web server. SYN floods are a type of DoS attack in which an attacker attempts to disable an Internet service by flooding a server with TCP/IP connection requests that consume all the available slots in the server's TCP connection table. When the connection table is full, it is not possible to establish any new connections, and the web site on the server becomes inaccessible.
This section provides information about SYN flood attacks and the FortiGate IPS methods of preventing such attacks.
How SYN floods work
SYN floods work by exploiting the structure of the TCP/IP protocol. Basically, an attacker floods a server with connection attempts but never acknowledges the server’s replies to actually open the TCP/IP connection.
The TCP/IP protocol uses a three-step process to establish a network connection.
Figure 17: Establishing a TCP/IP connection
1 The originator of the connection sends a SYN packet (a packet with the SYN flag set in the TCP header) to initiate the connection.
2 The receiver sends a SYN/ACK packet (a packet with the SYN and ACK flags set in the TCP header) back to the originator to acknowledge the connection attempt.
3 The originator then sends an ACK packet (a packet with the ACK flag set in the TCP header) back to the receiver to open the connection.
Once the handshaking process is complete the connection is open and data
exchange can begin between the originator and the receiver, in this case the web
browser and the web server.
[Figure 17 shows the web browser (originator) and the web server (receiver) exchanging: 1. Originator sends a SYN packet; 2. Receiver replies with an ACK/SYN packet; 3. Originator replies with an ACK packet.]
30 Fortinet Inc.
Between steps 2 and 3 however, the web server keeps a record of any incomplete
connections until it receives the ACK packet. A SYN flood attacker sends many SYN
packets but never replies with the final ACK packet.
Since most systems have only a limited amount of space for TCP/IP connection
records, a flood of incomplete connections will quickly block legitimate users from
accessing the server. Most TCP/IP implementations use a fairly long timeout before
incomplete connections are cleared from the connection table and traffic caused by a
SYN flood is much higher than normal network traffic.
The FortiGate IPS Response to SYN Flood Attacks
FortiGate uses a defense method that combines the SYN Threshold and SYN Proxy
methods to prevent SYN flood attacks.
What is SYN threshold?
An IPS device establishes a limit on the number of incomplete TCP connections, and
discards SYN packets if the number of incomplete connections reaches the limit.
What is SYN proxy?
An IPS proxy device synthesizes and sends the SYN/ACK packet back to the originator, and waits for the final ACK packet. After the proxy device receives the ACK packet from the originator, the IPS device then "replays" the three-step sequence of establishing a TCP connection (SYN, SYN/ACK and ACK) to the receiver.
How IPS works to prevent SYN floods
The FortiGate IPS uses a defense method that is similar to, but not a complete, SYN proxy to prevent SYN flood attacks. This pseudo SYN proxy reduces resource usage and provides better performance than a full SYN proxy approach.
The IPS allows users to set a limit or threshold on the number of incomplete TCP
connections. The threshold can be set either from the CLI or the web-based
manager.
When the IPS detects that the total number of incomplete TCP connections to a particular target exceeds the threshold, the pseudo SYN proxy is triggered to operate for all subsequent TCP connections. The pseudo SYN proxy determines whether a new TCP connection is a legitimate request or another SYN flood attack based on a "best-effort" algorithm. If a subsequent connection attempt is detected to be a normal TCP connection, the IPS allows a TCP connection from the source to the target. If a subsequent TCP connection attempt is detected to be a new incomplete TCP connection request, one of the following actions is taken, depending on the user configuration for the SYN Flood anomaly in the IPS: Drop, Reset, Reset Client, Reset Server, Drop Session, Pass Session, or Clear Session.
Intrusion Prevention System Guide 31
A true SYN proxy approach requires that all three packets (SYN, SYN/ACK, and ACK)
are cached and replayed even before it is known if a TCP connection request is
legitimate. The FortiGate IPS pseudo SYN proxy retransmits every TCP packet
immediately from the packet source to the packet destination as soon as it records the
necessary information for SYN flood detection.
Since the pseudo SYN proxy in the IPS uses a "best-effort" algorithm to determine whether a TCP connection is legitimate or not, some legitimate connections may be falsely detected as incomplete TCP connection requests and dropped. However, the proportion of legitimate TCP connections dropped by the pseudo SYN proxy is quite small.
Figure 18 illustrates the behavior of the FortiGate IPS engine before the SYN flood threshold is reached. Figure 19 illustrates the behavior of the FortiGate IPS engine after the SYN flood threshold is reached.
Figure 18: IPS operation before syn_flood threshold is reached
Figure 19: IPS operation after syn_flood threshold is reached
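The threshold-then-proxy combination described in this section, as an added simulation that is not FortiGate code: a server with a bounded connection table is flooded with SYNs that are never acknowledged, once without protection and once behind a model IPS that forwards SYNs until the incomplete-connection count exceeds the threshold and then answers SYNs itself, replaying the handshake to the server only when the originator's ACK arrives. The table size, timeouts, threshold and addresses are assumed values chosen to make the effect visible; the FortiGate "best-effort" algorithm itself is not modelled.

```python
"""Simulation of the SYN threshold plus SYN proxy defence described above.

Added illustrative model, not FortiGate code.  The connection-table size,
timeouts and the threshold are assumed values chosen so that the effect is
visible with a few dozen packets.  Each packet is (time, source, kind) with
kind "syn" (handshake step 1) or "ack" (handshake step 3).
"""


class Server:
    """A TCP listener with a bounded connection table and a long half-open timeout."""

    def __init__(self, table_size, half_open_timeout):
        self.table_size = table_size
        self.timeout = half_open_timeout
        self.half_open = {}        # src -> time its SYN arrived (steps 1 and 2 done)
        self.established = set()   # sources whose final ACK arrived (step 3 done)
        self.refused = 0           # SYNs that found the table full

    def expire(self, now):
        # Incomplete records are only cleared after a fairly long timeout.
        stale = [s for s, t in self.half_open.items() if now - t >= self.timeout]
        for s in stale:
            del self.half_open[s]

    def syn(self, now, src):
        self.expire(now)
        if len(self.half_open) + len(self.established) >= self.table_size:
            self.refused += 1
            return False
        self.half_open[src] = now
        return True

    def ack(self, now, src):
        if src not in self.half_open:
            return False
        del self.half_open[src]
        self.established.add(src)
        return True


class SynThresholdProxy:
    """IPS in front of the server.  Below the threshold every packet is passed
    through.  Once the number of incomplete connections to the server exceeds
    the threshold, the proxy answers new SYNs itself and replays the whole
    handshake to the server only after the originator's ACK arrives; SYNs whose
    ACK never comes are dropped (the page's Drop action) and never cost the
    server a connection-table slot."""

    def __init__(self, server, threshold, proxy_timeout):
        self.server = server
        self.threshold = threshold
        self.proxy_timeout = proxy_timeout
        self.pending = {}          # src -> time of the SYN the proxy answered
        self.proxy_mode = False
        self.dropped = 0

    def packet(self, now, src, kind):
        stale = [s for s, t in self.pending.items() if now - t >= self.proxy_timeout]
        for s in stale:
            del self.pending[s]
            self.dropped += 1
        self.server.expire(now)
        if len(self.server.half_open) > self.threshold:
            self.proxy_mode = True
        if not self.proxy_mode:
            return self.server.syn(now, src) if kind == "syn" else self.server.ack(now, src)
        if kind == "syn":
            self.pending[src] = now    # SYN/ACK is synthesised by the proxy
            return True
        if src in self.pending:        # real originator: replay SYN, SYN/ACK, ACK
            del self.pending[src]
            return self.server.syn(now, src) and self.server.ack(now, src)
        return self.server.ack(now, src)


def flood_then_legit(n_attackers, use_ips):
    """n_attackers sources send one SYN each and never ACK; afterwards one
    legitimate client completes a handshake.  Returns (legitimate client
    established, SYNs refused by the server, SYNs dropped by the IPS)."""
    server = Server(table_size=16, half_open_timeout=60.0)
    ips = SynThresholdProxy(server, threshold=4, proxy_timeout=3.0)

    def direct(now, src, kind):      # no IPS: packets reach the server unchanged
        return server.syn(now, src) if kind == "syn" else server.ack(now, src)

    deliver = ips.packet if use_ips else direct
    t = 0.0
    for i in range(n_attackers):
        t += 0.1
        deliver(t, "203.0.113.%d" % i, "syn")   # constructed attacker addresses
    t += 5.0                                     # proxied half-opens time out
    deliver(t, "198.51.100.7", "syn")            # constructed legitimate client
    deliver(t + 0.05, "198.51.100.7", "ack")
    return "198.51.100.7" in server.established, server.refused, ips.dropped
```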
Configuring SYN flood protection
To set the configuration for the SYN flood anomaly in the web-based manager, go to
IPS->Anomaly, find syn_flood in the anomaly list, and select Edit.
Figure 20: Configuring the syn_flood anomaly
See “Anomalies” on page 19 for information about configuring anomalies.
Suggested settings for different network conditions
The main setting that impacts the efficiency of the pseudo SYN proxy in detecting
SYN floods is the threshold value. The default threshold is 2000. You should select an
appropriate value based on your network conditions. Normally, if the servers being
protected by the FortiGate unit need to handle heavier requests, such as a busy web
server, then the threshold should be set to a higher value. If your network carries
lighter traffic, the threshold should be set to a lower value.
Intrusion Prevention System Guide Version 1.0
ICMP Sweep Attacks
ICMP (Internet Control Message Protocol) is a part of the IP protocol and is generally
used to send error messages describing packet routing problems. ICMP sweeps are
not really considered attacks but are used to scan a target network to discover
vulnerable hosts for further probing and possible attacks.
Attackers use automated tools that scan all possible IP addresses in the range of the
target network to create a map which they can use to plan an attack.
How ICMP sweep attacks work
An ICMP sweep is performed by sending ICMP echo requests – or other ICMP
messages that require a reply – to multiple addresses on the target network. Live
hosts will reply with an ICMP echo or other reply message. An ICMP sweep basically
works the same as sending multiple pings. Live hosts accessible on the network must
send a reply. This enables the attacker to determine which hosts are live and
connected to the target network so that further attacks and probing can be planned.
There are several ways of doing an ICMP sweep depending on the source operating
system and there are many automated tools for network scanning that attackers use
to probe target networks.
The FortiGate IPS response to ICMP sweep attacks
The FortiGate IPS provides predefined signatures to detect a variety of ICMP sweep
methods. Each signature can be configured to pass, drop, or clear the session. Each
signature can be configured to log when the signature is triggered.
You can create your own custom signatures to block attacks specific to your network
that are not included in the predefined signature list.
The FortiGate IPS also has an ICMP sweep anomaly setting with a configurable
threshold.
Predefined ICMP signatures
Table 1 describes all the ICMP-related predefined signatures and the default settings
for each. See “Configuring individual signature settings” on page 13 for details about
each possible signature action.
Note: The predefined signature descriptions in Table 1 are accurate as of the IPS Guide
publication date. Predefined signatures may be added or changed with each Attack Definition
update.
Table 1: Predefined ICMP sweep signatures (columns: Signature, Description, Default settings)

Signature: AddressMask
Description: AddressMask detects broadcast address mask request messages from a host pretending to be part of the network. The default action is to pass but log this traffic because it could be legitimate network traffic on some networks.
Default settings: Signature enabled; Logging enabled; Action: Pass

Signature: Broadscan.Smurf
Description: Broadscan is a hacking tool used to generate and broadcast ICMP requests in a smurf attack. In a smurf attack, an attacker broadcasts ICMP requests on Network A using a spoofed source IP address belonging to Network B. All hosts on Network A send multiple replies to Network B, which becomes flooded.
Default settings: Signature enabled; Logging enabled; Action: Drop

Signature: Communication.Administratively.Prohibited
Description: This signature detects network packets that have been blocked by some kind of filter. The host that blocked the packet sends an ICMP Destination Unreachable message (code 13) notifying the source or apparent source of the filtered packet. Since this signature may be triggered by legitimate traffic, the default action is to pass but log the traffic so it can be monitored.
Default settings: Signature enabled; Logging enabled; Action: Pass

Signature: CyberKit.2.2
Description: CyberKit 2.2 is Windows-based software used to scan networks. ICMP echo request messages sent using this software contain special characters that identify CyberKit as the source.
Default settings: Signature enabled; Logging enabled; Action: Pass

Signature: DigitalIsland.Bandwidth.Query
Description: Digital Island is a provider of content delivery networks. This company sends ICMP pings so that it can better map routes for its customers. If you are not a customer of Digital Island, use this signature to block their probes.
Default settings: Signature enabled; Logging enabled; Action: Drop

Signature: Echo.Reply
Description: This signature detects ICMP echo reply messages responding to ICMP echo request messages.
Default settings: Signature disabled

Signature: ISS.Pinger
Description: ISS is Internet Security Scanner software that can be used to send ICMP echo request messages and other network probes. While this software can be legitimately used to scan for security holes, you can use the signature to block unwanted scans.
Default settings: Signature enabled; Logging enabled; Action: Drop

Signature: Nemesis.V1.1.Echo
Description: Nemesis v1.1 is a Windows- or Unix-based scanning tool. ICMP echo request messages sent using this software contain special characters that identify Nemesis as the source.
Default settings: Signature enabled; Logging enabled; Action: Drop

Signature: Packet.Large
Description: This signature detects ICMP packets larger than 32 000 bytes, which can crash a server or cause it to hang.
Default settings: Signature enabled; Logging enabled; Action: Pass
Signature: PING.NMAP
Description: NMAP is a free open source network mapping/security tool that is available for most operating systems. NMAP could be used maliciously to perform an ICMP sweep. ICMP echo request messages sent using this software contain special characters that identify NMAP as the source.
Default settings: Signature disabled

Signature: Redirect.Code4
Description: This signature detects ICMP type 5 code 4 redirect messages. An ICMP redirect message describes an alternate route for traffic to take. An attacker may use ICMP redirect messages to alter the routing table or cause traffic to follow an unintended route.
Default settings: Signature enabled; Logging enabled; Action: Pass

Signature: Sniffer.Pro.NetXRay
Description: Sniffer Pro and NetXRay are scanning tools. ICMP echo request messages sent using this software contain special characters that identify them as the source.
Default settings: Signature enabled; Logging enabled; Action: Drop

Signature: Source.Quench
Description: This signature detects ICMP source quench messages. These messages are generated when a gateway cannot forward packets because the memory buffer is full. The gateway sends a source quench message back to the source to request that the transmission rate be reduced until it no longer receives source quench messages from the gateway. Attackers could use this type of message to slow down the network considerably.
Default settings: Signature enabled; Logging enabled; Action: Drop

Signature: Superscan.Echo
Description: Superscan is a free network scanning tool for Windows from Foundstone Inc. Superscan could be used maliciously to perform an ICMP sweep. ICMP echo request messages sent using this software contain special characters that identify Superscan as the source.
Default settings: Signature enabled; Logging enabled; Action: Drop

Signature: TimeStamp
Description: TimeStamp detects timestamp request messages from a host pretending to be part of the network.
Default settings: Signature enabled; Logging enabled; Action: Pass

Signature: TJPingPro1.1
Description: TJPingPro 1.1 is a widely used network tool for older versions of Windows. TJPingPro could be used maliciously to perform an ICMP sweep. ICMP echo request messages sent using this software contain special characters that identify TJPingPro as the source.
Default settings: Signature enabled; Logging enabled; Action: Drop

Signature: Traceroute
Description: Traceroute is a very common network tool available on almost any operating system. This tool could be used maliciously to perform an ICMP sweep. ICMP echo request messages sent using this software contain special characters that identify traceroute as the source.
Default settings: Signature enabled; Logging enabled; Action: Pass

Signature: Whatsup.Gold
Description: WhatsUp Gold is a network scanning tool for Windows from Ipswitch. WhatsUp could be used maliciously to perform an ICMP sweep. ICMP echo request messages sent using this software contain special characters that identify WhatsUp Gold as the source.
Default settings: Signature enabled; Logging enabled; Action: Drop
ICMP sweep anomalies
The FortiGate unit also detects ICMP sweeps that do not have a predefined signature
to block them. The FortiGate IPS monitors traffic to ensure that ICMP messages do
not exceed the default or user-defined threshold.
Configuring ICMP sweep protection
To set the configuration for the various ICMP sweep attacks, go to IPS > Signature
and expand the icmp list. Each signature can be configured individually.
Figure 21: Some of the ICMP signatures in the predefined signature list
See “Predefined signatures” on page 10 for information about configuring predefined
signatures.
To set the configuration for the ICMP sweep anomaly in the web-based manager, go
to IPS->Anomaly, find icmp_sweep in the anomaly list, and select Edit.
Figure 22: Configuring the icmp_sweep anomaly
See “Anomalies” on page 19 for information about configuring anomalies.
Suggested settings for different network conditions
You can enable or disable the ICMP predefined signatures depending on your current
network traffic and the network scanning tools that you are using.
To use the icmp_sweep anomaly, you should monitor your network to find out the
normal ICMP traffic patterns. You can then configure the icmp_sweep anomaly
threshold to be triggered when an unusual volume of ICMP requests occurs.
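The kind of check the icmp_sweep anomaly threshold performs, as an added example that is not the FortiGate algorithm: a source is flagged when it sends ICMP echo requests to more than a threshold number of distinct hosts inside a time window. The key=value log format, the window and the threshold are assumptions, and the log lines are constructed.

```python
"""Constructed icmp_sweep-style anomaly check: raise an alert when one source
sends ICMP echo requests (type 8) to more than THRESHOLD distinct hosts within
WINDOW seconds.  Added illustration, not the FortiGate algorithm; the log line
format, the threshold and the window are assumptions."""
from collections import defaultdict, deque

THRESHOLD = 5        # distinct destinations per source per window (assumed)
WINDOW = 10.0        # seconds (assumed)

# Constructed key=value log lines: a scanner sweeping 192.0.2.1-8 two hosts per
# second, a monitoring host polling three servers every 5 s, and one echo reply.
SAMPLE_LOG = (
    ["time=%.1f src=203.0.113.9 dst=192.0.2.%d icmp_type=8" % (0.5 * i, i + 1)
     for i in range(8)]
    + ["time=%.1f src=198.51.100.2 dst=192.0.2.%d icmp_type=8" % (t, 1 + t % 3)
       for t in range(0, 60, 5)]
    + ["time=0.6 src=192.0.2.1 dst=203.0.113.9 icmp_type=0"]
)


def parse_line(line):
    """key=value fields -> (time, src, dst, icmp_type)."""
    f = dict(kv.split("=", 1) for kv in line.split())
    return float(f["time"]), f["src"], f["dst"], int(f["icmp_type"])


def detect_sweeps(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {source: time at which it first exceeded the threshold}."""
    recent = defaultdict(deque)      # src -> (time, dst) echo requests in window
    alerts = {}
    for ts, src, dst, icmp_type in sorted(parse_line(l) for l in lines):
        if icmp_type != 8:           # replies and errors do not count toward a sweep
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:  # drop requests that fell out of the window
            q.popleft()
        if len({d for _, d in q}) > threshold and src not in alerts:
            alerts[src] = ts
    return alerts
```

Running it with the default threshold flags only the scanner; lowering the threshold to 2 shows how a too-low setting also flags the routine monitoring host, which is why the text recommends measuring normal ICMP patterns first.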
Custom Signatures
Custom signatures provide the power and flexibility to customize the FortiGate IPS for
diverse network environments. The FortiGate predefined signatures cover common
attacks. If you are using an unusual or specialized application or an uncommon
platform, you can add custom signatures based on the security alerts released by the
application and platform vendors.
You can also use custom signatures to block or allow specific traffic.
Creating custom signatures
Each custom signature definition should be less than 1000 characters. A definition
can be a single line or span multiple lines connected by a backslash (\) at the end of
each line.
Each custom signature definition begins with a header followed by a set of keyword and value pairs enclosed in parentheses ( ). The keyword and value pairs are separated by a semicolon (;) and each consists of a keyword and a value separated by a space. The basic format of a definition is HEADER (KEYWORD VALUE;). The KEYWORD VALUE; pair can be repeated up to 64 times until all the parameters needed for the signature are included.
Example
The following example signature checks, with the ip_flag keyword, that TCP packets have the Don't Fragment bit set in the IP header:
F-SBID(--name testflag; --protocol tcp; --ip_flag D;)
The following command generates traffic that triggers the example signature (a TCP packet from 192.168.5.37 to 192.168.5.40 with the Don't Fragment bit set):
# sendip -p ipv4 -p tcp -is 192.168.5.37 -ifd 1 -ts 5566 -td 1234 -tfs 1 192.168.5.40
If logging is enabled, when the signature is triggered the IPS records an attack log
message similar to the following:
1 2004-09-02 01:19:52 log_id=0420070000 type=ips subtype=signature pri=alert
attack_id=113770497 src=192.168.5.37 dst=192.168.5.40 src_port=5598
dst_port=1234 src_int=ha dst_int=dmz status=detected proto=6 service=1234/tcp
msg="custom: testflag"
Set the action to Drop Session.
Custom signature fields
Table 2 shows the valid characters for custom signature fields.
Table 2: Valid characters for custom signature fields (columns: Field, Valid characters, Usage)

Field: HEADER
Valid characters: F-SBID
Usage: The header for an attack definition signature. Each custom signature must begin with this header.

Field: KEYWORD
Valid characters: The keyword must start with --, and be a string of more than 0 and fewer than 20 characters. Normally, keywords are an English word or English words connected by _. Letters are usually lower case; however, keywords are case insensitive.
Usage: The keyword is used to identify a parameter. See "Custom signature syntax" on page 39 for tables of supported keywords.

Field: VALUE
Valid characters: Double quotes must be used around the value if it contains a space and/or a semicolon. If the value is NULL, the space between the KEYWORD and VALUE can be omitted. Values are case sensitive. Note: if double quotes are used for quoting the value, the double quotes are not considered part of the value string.
Usage: Set the value for a parameter identified by a keyword.
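A parser for the definition format described in "Creating custom signatures" and Table 2, as an added example that is not Fortinet's own parser: it joins backslash-continued lines, checks the F-SBID header, the definition length, the keyword prefix and length, quoted values and the 64-pair limit, and returns the keyword/value pairs in order. The sample signature below is constructed.

```python
"""Parser for the F-SBID custom signature format described above.

Added illustration, not Fortinet's own parser.  It enforces the rules stated
in the text: the F-SBID header, backslash line continuation, a definition of
fewer than 1000 characters, keywords that start with -- and are 1 to 19
characters long and case insensitive, values that are case sensitive and are
quoted when they contain spaces or semicolons (the quotes are not part of the
value), NULL values written as a bare keyword, and at most 64 keyword/value
pairs.  Backslash escapes inside a quoted value are kept verbatim for the
content decoder to interpret."""
import re

MAX_DEFINITION_CHARS = 1000
MAX_PAIRS = 64
MAX_KEYWORD_CHARS = 20


class SignatureSyntaxError(ValueError):
    pass


def parse_custom_signature(text):
    """Return the signature as an ordered list of (keyword, value) tuples;
    value is None for NULL keywords such as --no_case;."""
    definition = re.sub(r"\\\r?\n\s*", " ", text.strip())   # join continued lines
    if len(definition) >= MAX_DEFINITION_CHARS:
        raise SignatureSyntaxError("definition must be less than 1000 characters")
    m = re.fullmatch(r"F-SBID\s*\((.*)\)", definition, re.S)
    if not m:
        raise SignatureSyntaxError("signature must have the form F-SBID( ... )")
    body, i, pairs = m.group(1), 0, []
    while True:
        while i < len(body) and body[i].isspace():
            i += 1
        if i == len(body):
            break
        if not body.startswith("--", i):
            raise SignatureSyntaxError("keyword must start with -- (offset %d)" % i)
        j = i + 2
        while j < len(body) and not body[j].isspace() and body[j] != ";":
            j += 1
        keyword = body[i + 2:j]
        if not 0 < len(keyword) < MAX_KEYWORD_CHARS:
            raise SignatureSyntaxError("bad keyword length: %r" % keyword)
        i = j
        while i < len(body) and body[i].isspace():
            i += 1
        if i == len(body):
            raise SignatureSyntaxError("missing ; after --%s" % keyword)
        if body[i] == ";":
            value = None                      # NULL value
        else:
            negate = body[i] == "!"           # e.g. --content !"string";
            if negate:
                i += 1
            if i < len(body) and body[i] == '"':
                j = i + 1
                while j < len(body) and body[j] != '"':
                    j += 2 if body[j] == "\\" else 1   # step over escaped characters
                if j >= len(body):
                    raise SignatureSyntaxError("unterminated quoted value")
                value = body[i + 1:j]         # quotes are not part of the value
                i = j + 1
                while i < len(body) and body[i].isspace():
                    i += 1
            else:
                j = body.find(";", i)
                if j < 0:
                    raise SignatureSyntaxError("missing ; after --%s" % keyword)
                value = body[i:j].strip()
                i = j
            if i >= len(body) or body[i] != ";":
                raise SignatureSyntaxError("missing ; after --%s" % keyword)
            if negate:
                value = "!" + value
        i += 1                                # consume the ;
        pairs.append((keyword.lower(), value))
    if len(pairs) > MAX_PAIRS:
        raise SignatureSyntaxError("more than 64 keyword/value pairs")
    return pairs


def is_valid_signature(text):
    try:
        parse_custom_signature(text)
        return True
    except SignatureSyntaxError:
        return False


# Constructed two-line signature exercising continuation, quoting and NULL.
SAMPLE_SIGNATURE = (
    'F-SBID( --name http_probe; --Protocol TCP; --dst_port 80; \\\n'
    '        --content "GET /probe; id=1"; --no_case; --default_action drop_session; )'
)
```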
Custom signature syntax
Table 3: General keywords (columns: Keyword, Value, Usage)

Keyword: name
Value: A string of more than 0 and fewer than 64 characters. Normally, the name is an English word or English words connected by _. All letters are normally lower case. If included, the name must match the name entered using the GUI or CLI.
Usage: Because the name identifies the signature for the user, it should be easily readable and should be unique. The name keyword is optional for custom signatures.

Keyword: default_action
Value: [pass | pass_session | drop | drop_session | reset | reset_client | reset_server | clear_session]
Usage: The recommended action for a signature. The default action is pass.

Keyword: protocol
Value: ip; tcp; icmp; udp;
Usage: The protocol name.

Keyword: revision
Value: An integer.
Usage: Optionally include a revision number for this signature.
Table 4: Content specific keywords (columns: Keyword, Value, Usage)

Keyword: content
Value: [!]"<content string>"; A string quoted within double quotes. Optionally place an exclamation mark (!) before the first double quote to express "not".
Usage: The content contained in the packet payload. Multiple contents can be specified in one rule. The value can contain mixed text and binary data. The binary data is generally enclosed within the pipe (|) character. The following characters in the content string must be escaped using a backslash: double quote ("), pipe sign (|) and colon (:).

Keyword: uri
Value: Same as content.
Usage: Search for the normalized request URI field. Binary data can be defined as the URI value.

Keyword: offset
Value: <number>; An integer (0-65535).
Usage: Start looking for the contents after the specified number of bytes of the payload. This tag is an absolute position in the payload. Follow the offset tag with the depth tag to stop looking for a match after the value specified by the depth tag. If no depth is specified, continue looking for a match until the end of the payload.
Keyword: depth
Value: <number>; An integer (1-65535).
Usage: Look for the contents within the specified number of bytes of the payload. If the value of the depth keyword is smaller than the length of the value of the content keyword, this signature will never be matched. If depth is used without a preceding offset, it is equivalent to an "--offset 0" at that point.

Keyword: distance
Value: <number>; An integer (0-65535).
Usage: Search for the contents the specified number of bytes relative to the end of the previously matched contents. The distance tag can be followed by the within tag. If no value is specified for the within tag, continue looking for a match until the end of the payload.

Keyword: within
Value: <number>; An integer (1-65535).
Usage: Look for the contents within the specified number of bytes of the payload. Use with the distance tag.

Keyword: no_case
Value: NULL
Usage: Ignore case in the content value.

Keyword: raw
Value: NULL
Usage: Ignore any decoding. Look at the raw packet data.

Keyword: regex
Value: NULL
Usage: Regular expressions are used in the contents. An asterisk (*) in the content string means any character, any number of times. A question mark (?) means any single character.

Keyword: byte_test
Value: <bytes_to_convert>, <operator>, <value>, <offset> [, [relative,] [big,] [little,] [string,] [hex,] [dec,] [oct]]; Test a byte field against a specific value (with operator). Capable of testing binary values or converting representative byte strings to their binary equivalent and testing them.
Usage:
  bytes_to_convert: The number of bytes to pick up from the packet.
  operator: The operation to perform to test the value (<, >, =, !, &).
  value: The value to test the converted value against.
  offset: The number of bytes into the payload to start processing.
  relative: Use an offset relative to the last pattern match.
  big: Process the data as big endian (default).
  little: Process the data as little endian.
  string: The data is stored in string format in the packet.
  hex: The converted string data is represented in hexadecimal.
  dec: The converted string data is represented in decimal.
  oct: The converted string data is represented in octal.
Keyword: byte_jump
Value: <bytes_to_convert>, <offset> [, [relative,] [big,] [little,] [string,] [hex,] [dec,] [oct,] [align]]; The byte_jump option is used to get a specified number of bytes, convert them to their numeric representation, and jump the doe_ptr up that many bytes for further pattern matching/byte testing. This allows relative pattern matches to take into account numerical values found in network data.
Usage:
  bytes_to_convert: The number of bytes to pick up from the packet.
  offset: The number of bytes into the payload to start processing.
  relative: Use an offset relative to the last pattern match.
  big: Process the data as big endian (default).
  little: Process the data as little endian.
  string: The data is stored in string format in the packet.
  hex: The converted string data is represented in hexadecimal.
  dec: The converted string data is represented in decimal.
  oct: The converted string data is represented in octal.
  align: Round the number of converted bytes up to the next 32-bit boundary.
Keyword: pcre
Value: [!]"(/<regex>/|m<delim><regex><delim>)[ismxAEGRUB]"; The pcre keyword allows you to write rules using Perl-compatible regular expressions (PCRE). For more information on using PCRE, see the PCRE web site at http://www.pcre.org. The post-re modifiers set compile time flags for the regular expression.
Usage:
  i: Case insensitive.
  s: Include newlines in the dot metacharacter.
  m: By default, the string is treated as one big line of characters. ^ and $ match at the start and end of the string. When m is set, ^ and $ match immediately following or immediately before any newline in the buffer, as well as the very start and very end of the buffer.
  x: Whitespace data characters in the pattern are ignored except when escaped or inside a character class.
  A: The pattern must match only at the start of the buffer (same as ^).
  E: Set $ to match only at the end of the subject string. Without E, $ also matches immediately before the final character if it is a newline (but not before any other newlines).
  G: Inverts the "greediness" of the quantifiers so that they are not greedy by default, but become greedy if followed by "?".
  R: Match relative to the end of the last pattern match (similar to distance:0;).
  U: Match the decoded URI buffers (similar to the uri keyword).
  B: Do not use the decoded buffers (similar to the raw keyword).

Keyword: data_at
Value: <value> [,relative];
Usage: Verify that the payload has data at a specified location. Optionally look for data relative to the end of the previous content match.
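The content, offset, depth, distance, within and no_case semantics of Table 4, as an added example that is not the FortiGate engine: a small matcher that decodes the |hex| and backslash-escape notation of a content string and evaluates a list of content clauses against a payload, absolute clauses from the start of the payload and relative clauses from the end of the previous match. Where the table is silent (for instance that within bounds the search region starting at the previous match plus distance), Snort's conventions for these keywords are assumed; the rule and payloads are constructed.

```python
"""Matcher for the content/offset/depth/distance/within/no_case keywords of
Table 4.  Added illustration, not the FortiGate engine.  offset/depth are
absolute from the start of the payload, distance/within are relative to the
end of the previous match; content strings may hold |hex| binary data and the
backslash escapes for ", | and :.  Snort's conventions are assumed where the
table does not spell out the behaviour."""


def decode_content(spec):
    """Content string -> bytes.  Text outside |...| is literal, inside it is
    space-separated hex; \\", \\| and \\: are literal characters."""
    out, hexbuf, in_hex, i = bytearray(), [], False, 0
    while i < len(spec):
        c = spec[i]
        if in_hex:
            if c == "|":
                out += bytes.fromhex("".join(hexbuf))
                hexbuf, in_hex = [], False
            elif not c.isspace():
                hexbuf.append(c)
        elif c == "\\" and i + 1 < len(spec) and spec[i + 1] in '"|:\\':
            i += 1
            out += spec[i].encode("latin-1")
        elif c == "|":
            in_hex = True
        else:
            out += c.encode("latin-1")
        i += 1
    if in_hex:
        raise ValueError("unterminated | in content string")
    return bytes(out)


def find_content(payload, needle, offset=0, depth=None, distance=None,
                 within=None, no_case=False, prev_end=0):
    """Return the offset just past the match, or -1 when there is none."""
    if depth is not None and depth < len(needle):
        return -1                            # table: such a signature never matches
    if distance is not None or within is not None:
        start = prev_end + (distance or 0)   # relative to the previous match
        end = len(payload) if within is None else start + within
    else:
        start = offset                       # absolute position in the payload
        end = len(payload) if depth is None else start + depth
    hay = payload[start:end]
    if no_case:
        hay, needle = hay.lower(), needle.lower()
    pos = hay.find(needle)
    return -1 if pos < 0 else start + pos + len(needle)


def match_rule(payload, clauses):
    """clauses: list of dicts with a "content" string plus optional offset,
    depth, distance, within and no_case, in signature order.  A leading !
    negates the clause.  Every clause must hold for the rule to match."""
    prev_end = 0
    for clause in clauses:
        spec = clause["content"]
        negate = spec.startswith("!")
        needle = decode_content(spec[1:] if negate else spec)
        end = find_content(payload, needle, prev_end=prev_end,
                           **{k: v for k, v in clause.items() if k != "content"})
        if negate:
            if end >= 0:
                return False
        elif end < 0:
            return False
        else:
            prev_end = end                   # later relative clauses anchor here
    return True


# Constructed rule: a GET request whose path starts with /admin within the
# first 16 bytes after the method and that carries a Host header.
ADMIN_GET = [
    {"content": "GET ", "offset": 0, "depth": 4},
    {"content": "/admin", "distance": 0, "within": 16},
    {"content": "|0d 0a|Host\\:", "distance": 0},
]
```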
Table 5: IP header keywords (columns: Keyword, Value, Usage)

Keyword: ip_version
Value: <number>;
Usage: The IP version number.

Keyword: ihl
Value: <number>; An integer (5-15).
Usage: The IP header length.

Keyword: tos
Value: <number>;
Usage: Check the IP TOS field for the specified value.

Keyword: ip_id
Value: <number>;
Usage: Check the IP ID field for the specified value.
Keyword: ip_option
Value: {rr | eol | nop | ts | sec | lsrr | ssrr | satid | any}
Usage:
  rr: Check if the IP RR (record route) option is present.
  eol: Check if the IP EOL (end of list) option is present.
  nop: Check if the IP NOP (no op) option is present.
  ts: Check if the IP TS (time stamp) option is present.
  sec: Check if the IP SEC (IP security) option is present.
  lsrr: Check if the IP LSRR (loose source routing) option is present.
  ssrr: Check if the IP SSRR (strict source routing) option is present.
  satid: Check if the IP SATID (stream identifier) option is present.
  any: Check if any IP option is present.

Keyword: frag_offset
Value: <number>; !<number>; ><number>; <<number>;
Usage: Compare the IP fragment field against the specified value.

Keyword: ip_flag
Value: [!]<[MDR]>[+|*];
Usage: Check if IP fragmentation and reserved bits are set in the IP header.
  M: The More Fragments bit.
  D: The Don't Fragment bit.
  R: The Reserved bit.
  +: Match on the specified bits, plus any others.
  *: Match if any of the specified bits are set.
  !: Match if the specified bits are not set.

Keyword: ttl
Value: <number>; ><number>; <<number>;
Usage: Check the IP time-to-live value against the specified value.

Keyword: src_addr
Value: [!]<ip addresses or CIDR blocks> You can define up to 28 IP addresses or CIDR blocks. Enclose the comma-separated list in square brackets.
Usage: The source IP address.
Keyword: dst_addr
Value: [!]<ip addresses or CIDR blocks> You can define up to 28 IP addresses or CIDR blocks. Enclose the comma-separated list in square brackets.
Usage: The destination IP address.

Keyword: ip_proto
Value: <number>; [!]<number>; ><number>; <<number>;
Usage: Check the IP protocol header.
Table 6: TCP header keywords (columns: Keyword, Value, Usage)

Keyword: src_port
Value: [!]<number>; [!]:<number>; [!]<number>:; [!]<number>:<number>;
Usage: The source port number.

Keyword: dst_port
Value: [!]<number>; [!]:<number>; [!]<number>:; [!]<number>:<number>;
Usage: The destination port number.

Keyword: tcp_flags
Value: [!|*|+]<FSRPAU120>[,<FSRPAU120>]; The first part (<FSRPAU120>) defines the bits that must be present for a successful match. For example, --tcp_flags AP only matches the case where both the A and P bits are set. The second part ([,<FSRPAU120>]) is optional, and defines the additional bits that may be present for a match. For example, --tcp_flags S,12 matches the following combinations of flags: S; S and 1; S and 2; S and 1 and 2. The modifiers !, * and + cannot be used in the second part.
Usage: Specify the TCP flags to match in a packet.
  S: Match the SYN flag.
  A: Match the ACK flag.
  F: Match the FIN flag.
  R: Match the RST flag.
  U: Match the URG flag.
  P: Match the PSH flag.
  1: Match reserved bit 1.
  2: Match reserved bit 2.
  0: Match no TCP flags set.
  +: Match on the specified bits, plus any others.
  *: Match if any of the specified bits are set.
  !: Match if the specified bits are not set.

Keyword: seq
Value: <number>;
Usage: Check for the specified TCP sequence number.
Keyword: ack
Value: <number>;
Usage: Check for the specified TCP acknowledgement number.

Keyword: window_size
Value: [!]<number>; An integer in either hexadecimal or decimal. A hexadecimal value must be preceded by 0x.
Usage: Check for the specified TCP window size.
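An evaluator for the two-part tcp_flags value of Table 6 with its !, * and + modifiers, as an added example that is not the FortiGate engine. The mapping of the letters to bits in the TCP flags byte (1 and 2 as the reserved bits 0x80 and 0x40) follows Snort and is an assumption, since the page only names the letters; the 20-byte header is constructed.

```python
"""Evaluator for the tcp_flags value syntax of Table 6:
[!|*|+]<FSRPAU120>[,<FSRPAU120>].  Added illustration, not the FortiGate
engine.  Flag letters map to the TCP flags byte as in Snort (1 and 2 are the
reserved bits 0x80 and 0x40); that mapping is an assumption, the page only
names the letters."""

FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}


def _bits(letters):
    """Translate a <FSRPAU120> group into a bit mask; 0 means no flags."""
    if letters == "0":
        return 0
    mask = 0
    for c in letters:
        if c not in FLAG_BITS:
            raise ValueError("invalid tcp_flags character %r" % c)
        mask |= FLAG_BITS[c]
    return mask


def parse_tcp_flags(value):
    """Return (modifier, required mask, optionally-allowed mask)."""
    value = value.rstrip(";").strip()
    modifier = ""
    if value[:1] in ("!", "*", "+"):
        modifier, value = value[0], value[1:]
    first, _, second = value.partition(",")
    if not first:
        raise ValueError("tcp_flags needs at least one flag")
    if second and second[0] in "!*+":
        raise ValueError("modifiers are not allowed in the second part")
    return modifier, _bits(first), _bits(second) if second else 0


def tcp_flags_match(value, flags):
    """Does a packet whose TCP flags byte is `flags` satisfy the tcp_flags value?"""
    modifier, required, optional = parse_tcp_flags(value)
    if modifier == "!":                 # none of the listed bits may be set
        return (flags & required) == 0
    if modifier == "*":                 # any one of the listed bits is enough
        return (flags & required) != 0
    if modifier == "+":                 # listed bits plus anything else
        return (flags & required) == required
    # No modifier: exactly the listed bits, plus only bits from the second part.
    return (flags & required) == required and (flags & ~(required | optional) & 0xFF) == 0


def is_valid_tcp_flags(value):
    try:
        parse_tcp_flags(value)
        return True
    except ValueError:
        return False


def tcp_flags_byte(tcp_header):
    """Flags byte of a TCP header (byte 13; the reserved bits share it)."""
    return tcp_header[13]


# Constructed 20-byte TCP header: src port 5566, dst port 1234, flags = SYN.
SYN_HEADER = bytes.fromhex("15be 04d2 00000001 00000000 5002 ffff 0000 0000")
```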
Table 7: UDP header keywords (columns: Keyword, Value, Usage)

Keyword: src_port
Value: [!]<number>; [!]:<number>; [!]<number>:; [!]<number>:<number>;
Usage: The source port number.

Keyword: dst_port
Value: [!]<number>; [!]:<number>; [!]<number>:; [!]<number>:<number>;
Usage: The destination port number.

Table 8: ICMP keywords (columns: Keyword, Value, Usage)

Keyword: icmp_type
Value: <number>;
Usage: Specify the ICMP type to match.

Keyword: icmp_code
Value: <number>;
Usage: Specify the ICMP code to match.

Keyword: icmp_id
Value: <number>;
Usage: Check for the specified ICMP ID value.

Keyword: icmp_seq
Value: <number>;
Usage: Check for the specified ICMP sequence value.
Table 9: Other keywords (columns: Keyword, Value, Usage)

Keyword: same_ip
Value: NULL
Usage: The source and the destination have the same IP address.

Keyword: rpc_num
Value: <application number>, [<version number>|*], [<procedure number>|*];
Usage: Check for RPC application, version, and procedure numbers in SUNRPC CALL requests. The * wildcard can be used for version and procedure numbers.

Keyword: flow
Value: [to_client | to_server | from_client | from_server]; established; bi_direction; [no_stream | only_stream];
Usage: TCP only. The to_server value is equal to the from_client value. The to_client value is equal to the from_server value. The bi_direction tag makes the signature match traffic in both directions. For example, if you have a signature with "--dst_port 80" and bi_direction set, the signature checks traffic from and to port 80.

Keyword: data_size
Value: <number>; ><number>; <<number>; <number><><number>;
Usage: Test the packet payload size. With data_size specified, packet reassembly is turned off automatically, so a signature with both data_size and only_stream set is invalid.

Keyword: revision
Value: <number>;
Usage: The revision number of the attack signature.
Intrusion Prevention System Guide 01-28007-0080-20041130 47
Glossary
Connection: A link between machines, applications,
processes, and so on that can be logical, physical, or
both.
DMZ, Demilitarized Zone: Used to host Internet
services without allowing unauthorized access to an
internal (private) network. Typically, the DMZ contains
servers accessible to Internet traffic, such as Web
(HTTP) servers, FTP servers, SMTP (email) servers
and DNS servers.
DMZ interface: The FortiGate interface that is
connected to a DMZ network.
DNS, Domain Name Service: A service that converts
symbolic node names to IP addresses.
Ethernet: A local-area network (LAN) architecture that
uses a bus or star topology and supports data transfer
rates of 10 Mbps. Ethernet is one of the most widely
implemented LAN standards. A newer version of
Ethernet, called 100 Base-T (or Fast Ethernet),
supports data transfer rates of 100 Mbps. And the
newest version, Gigabit Ethernet, supports data rates
of 1 gigabit (1,000 megabits) per second.
External interface: The FortiGate interface that is
connected to the Internet. For the FortiGate-60 the
external interface is WAN1 or WAN2.
FTP, File Transfer Protocol: An application and TCP/IP protocol used to upload or download files.
Gateway: A combination of hardware and software that
links different networks. Gateways between TCP/IP
networks, for example, can link different subnetworks.
HTTP, Hyper Text Transfer Protocol: The protocol
used by the World Wide Web. HTTP defines how
messages are formatted and transmitted, and what
actions Web servers and browsers should take in
response to various commands.
HTTPS: HTTP carried over SSL, used for transmitting private
documents over the Internet with a Web browser.
Internal interface: The FortiGate interface that is
connected to an internal (private) network.
Internet: A collection of networks connected together
that span the entire globe using the NSFNET as their
backbone. As a generic term, it refers to any collection
of interdependent networks.
ICMP, Internet Control Message Protocol: Part of the
Internet Protocol (IP) that allows for the generation of
error messages, test packets, and information
messages relating to IP. This is the protocol used by
the ping function when sending ICMP Echo Requests
to a network host.
IKE, Internet Key Exchange: A method of
automatically exchanging authentication and
encryption keys between two secure servers.
IMAP, Internet Message Access Protocol: An
Internet email protocol that allows access to your email
from any IMAP-compatible mail client. With IMAP, your
mail resides on the server.
IP, Internet Protocol: The component of TCP/IP that
handles routing.
IP Address: An identifier for a computer or device on a
TCP/IP network. An IP address is a 32-bit numeric
address written as four numbers separated by periods.
Each number can be zero to 255.
L2TP, Layer Two (2) Tunneling Protocol: An
extension to the PPTP protocol that enables ISPs to
operate Virtual Private Networks (VPNs). L2TP merges
PPTP from Microsoft and L2F from Cisco Systems. To
create an L2TP VPN, your ISP’s routers must support
L2TP.
IPSec, Internet Protocol Security: A set of protocols
that support secure exchange of packets at the IP
layer. IPSec is most often used to support VPNs.
LAN, Local Area Network: A computer network that
spans a relatively small area. Most LANs connect
workstations and personal computers. Each computer
on a LAN is able to access data and devices anywhere
on the LAN. This means that many users can share
data as well as physical resources such as printers.
MAC address, Media Access Control address: A
hardware address that uniquely identifies each node of
a network.
MIB, Management Information Base: A database of
objects that can be monitored by an SNMP network
manager.
Modem: A device that converts digital signals into
analog signals and back again for transmission over
telephone lines.
MTU, Maximum Transmission Unit: The largest
physical packet size, measured in bytes, that a network
can transmit. Any packets larger than the MTU are
divided into smaller packets before being sent. Ideally,
you want the MTU your network produces to be the
same as the smallest MTU of all the networks between
your machine and a message’s final destination. If your
messages are larger than one of the intervening MTUs,
they get broken up (fragmented), which slows down
transmission speeds.
Netmask: Also called subnet mask. A bit pattern applied
to an IP address to identify the subnetwork portion of a
larger TCP/IP network, so that traffic can be directed to a
target destination without using a broadcast message.
Sometimes referred to as an Address Mask.
NTP, Network Time Protocol: Used to synchronize
the time of a computer to an NTP server. NTP provides
accuracies to within tens of milliseconds across the
Internet relative to Coordinated Universal Time (UTC).
Packet: A piece of a message transmitted over a
packet-switching network. One of the key features of a
packet is that it contains the destination address in
addition to the data. In IP networks, packets are often
called datagrams.
Ping, Packet Internet Grouper: A utility used to
determine whether a specific IP address is accessible.
It works by sending a packet to the specified address
and waiting for a reply.
POP3, Post Office Protocol: A protocol used to
transfer e-mail from a mail server to a mail client across
the Internet. Most e-mail clients use POP.
PPP, Point-to-Point Protocol: A TCP/IP protocol that
provides host-to-network and router-to-router
connections.
PPTP, Point-to-Point Tunneling Protocol: A
Windows-based technology for creating VPNs. PPTP
is supported by Windows 98, 2000, and XP. To create a
PPTP VPN, your ISP’s routers must support PPTP.
Port: In TCP/IP and UDP networks, a port is an
endpoint of a logical connection. The port number
identifies the service or application using it. For example, port 80 is
used for HTTP traffic.
Protocol: An agreed-upon format for transmitting data
between two devices. The protocol determines the type
of error checking to be used, the data compression
method (if any), how the sending device indicates that
it has finished sending a message, and how the
receiving device indicates that it has received a
message.
RADIUS, Remote Authentication Dial-In User
Service: An authentication and accounting system
used by many Internet Service Providers (ISPs). When
users dial into an ISP they enter a user name and
password. This information is passed to a RADIUS
server, which checks that the information is correct,
and then authorizes access to the ISP system.
Router: A device that connects LANs into an internal
network and routes traffic between them.
Routing: The process of determining a path to use to
send data to its destination.
Routing table: A list of valid paths through which data
can be transmitted.
Server: An application that answers requests from
other devices (clients). Used as a generic term for any
device that provides services to the rest of the network
such as printing, high capacity storage, and network
access.
SMTP, Simple Mail Transfer Protocol: In TCP/IP
networks, this is an application for providing mail
delivery services.
SNMP, Simple Network Management Protocol: A set
of protocols for managing networks. SNMP works by
sending messages to different parts of a network.
SNMP-compliant devices, called agents, store data
about themselves in Management Information Bases
(MIBs) and return this data to the SNMP requesters.
SSH, Secure Shell: A secure Telnet replacement that
you can use to log into another computer over a
network and run commands. SSH provides strong
secure authentication and secure communications
over insecure channels.
Subnet: A portion of a network that shares a common
address component. On TCP/IP networks, subnets are
defined as all devices whose IP addresses have the
same prefix. For example, all devices with IP
addresses that start with 100.100.100. would be part of
the same subnet. Dividing a network into subnets is
useful for both security and performance reasons.
IP networks are divided using a subnet mask.
Subnet Address: The part of the IP address that
identifies the subnetwork.
TCP, Transmission Control Protocol: One of the
main protocols in TCP/IP networks. TCP guarantees
delivery of data and also guarantees that packets will
be delivered in the same order in which they were sent.
UDP, User Datagram Protocol: A connectionless
protocol that, like TCP, runs on top of IP networks.
Unlike TCP, UDP provides very few error recovery
services, offering instead a direct way to send and
receive datagrams over an IP network. It is used
primarily for broadcasting messages over a network.
VPN, Virtual Private Network: A network that links
private networks over the Internet. VPNs use
encryption and other security mechanisms to ensure
that only authorized users can access the network and
that data cannot be intercepted.
Virus: A computer program that attaches itself to other
programs, spreading itself through computers or
networks by this mechanism usually with harmful
intent.
Worm: A program or algorithm that replicates itself
over a computer network, usually through email, and
performs malicious actions, such as using up the
computer’s resources and possibly shutting the system
down.
Contact: f1info@f1bilgisayar.com