By Manny Fernandez

April 30, 2019

Writting Custom IPS Signatures on Fortigate

Yesterday, I was playing around and wanted to create some custom IPS signatures.

 

Defining the signature

Use Case – Block the ‘rottentomatoes.com’ website.  (Yes I know there is a much easier way of doing this on the Fortigate, but I wanted to test it out without having to write some fake traffic to trigger, so work with me here).

F-SBID( --name "InfoSecMonkey.HTTP.Custom"; --protocol tcp; --service HTTP; --flow from_client; --pattern "rottentomatoes.com";--context host; )

In the above signature, we can see that:

  • Protocol is TCP
  • Service is HTTP
  • Will match ‘client’ traffic only
  • And the pattern we are looking for is ‘rottentomatoes.com’

Use Case – Block ping to 8.8.8.8 (Again, same as above, much easier way of doing it but used this to test).

F-SBID( --name "block-google-ping"; --protocol icmp; --icmp_type 8; --icmp_code 0; --dst_addr 8.8.8.8; )
  • Protocol is ICMP
  • We are matching ‘echo’ which is a ‘type 8’
  • We are matching ‘echo-reply’ which is ‘type 0’
  • And the destination is 8.8.8.8

Installing the Signature

First, lets test connectivity without the signatures in place.

2019-04-30_07-26-03.png

Above, we can see that I am able to ping 8.8.8.8 without any issues

Now we will install the signatures. Browse over to ‘Security Profiles’ Section on the Fortinet GUI and choose ‘Custom Signatures’ and choose ‘Create New’.  In our case, choose ‘IPS Signature’.

2019-04-30_07-33-09.png

Now drop in your signature we created above, assign a name, and click ‘OK’

2019-04-30_07-31-31.png

Now we will put these signatures into our Security Profile we are using:

2019-04-30_07-16-34.png

We will go to ‘Security Profiles’, ‘Intrusion Prevention’ and choose your Profile on the top right corner.  Under ‘IPS Signatures’ click the ‘Add Signatures’ button.

2019-04-30_07-17-14.png

Select the two signatures we created, and choose ‘Use Selected Signatures’

2019-04-30_07-18-36.png

I will now select both in the list, right click and choose ‘Block’ in this case to show it working.

2019-04-30_07-19-26.png

Ensure that you have a policy using the ‘Security Profile’ you modified.  In my case, it was ‘Custom1’ .

2019-04-30_07-23-46.png

Now we test.  As you can see above, I am getting 100% packet loss on the 8.8.8.8 target, while my 4.2.2.2 is still operational.

2019-04-30_07-22-17.png

When we look in the ‘Log & Report’ section under ‘Intrusion Prevention’, we will see the event being triggered and subsequently blocked.

Additional Information

Here is an excerpt from the Fortinet documentation.

All custom signatures have a header and at least one keyword/value pair. The header is always the same:

F-SBID( )

The keyword/value pairs appear within the parentheses and each pair is followed by a semicolon.

Choose a name for the custom signature

Every custom signature requires a name, so it is a good practice to assign a name before adding any other keywords.Use the –name keyword to assign the custom signature a name. The name value follows the keyword after a space. Enclose the name value in double-quotes:

F-SBID( –name “Block.example.com”; )

The signature, as it appears here, will not do anything if you try to use it. It has a name, but does not look for any patterns in network traffic. You must specify a pattern that the FortiGate unit will search for.

Add a signature pattern

Use the –pattern keyword to specify what the FortiGate unit will search for:

F-SBID( –name “Block.example.com”; –pattern “example.com”; )

The signature will now detect the example.com URL appearing in network traffic. The custom signature should only detect the URL in HTTP traffic, however. Any other traffic with the URL should be allowed to pass. For example, an email message to or from example.com should not be stopped.

Specify the service

Use the –service keyword to limit the effect of the custom signature to only the HTTP protocol.

F-SBID( –name “Block.example.com”; –pattern “example.com”; ‑‑service HTTP; )

The FortiGate unit will limit its search for the pattern to the HTTP protocol. Even though the HTTP protocol uses only TCP traffic, the FortiGate will search for HTTP protocol communication in TCP, UDP, and ICMP traffic. This is a waste of system resources that you can avoid by limiting the search further, as shown below.

Specify the traffic type.

Use the –protocol tcp keyword to limit the effect of the custom signature to only TCP traffic. This will save system resources by not unnecessarily scanning UDP and ICMP traffic.

F-SBID( –name “Block.example.com”; –pattern “example.com”; ‑‑service HTTP; –protocol tcp; )

The FortiGate unit will limit its search for the pattern to TCP traffic and ignore UDP and ICMP network traffic.

Ignore case sensitivity

By default, patterns are case sensitive. If a user directed his or her browser to Example.com, the custom signature would not recognize the URL as a match.

Use the –no_case keyword to make the pattern matching case insensitive.

F-SBID( –name “Block.example.com”; –pattern “example.com”; ‑‑service HTTP; –protocol tcp; –no_case; )

Unlike all of the other keywords in this example, the –no_case keyword has no value. Only the keyword is required.

Limit pattern scans to only traffic sent from the client

The –flow command can be used to further limit the network traffic being scanned to only that send by the client or by the server.

F-SBID( –name “Block.example.com”; ‑‑pattern “example.com”; ‑‑service HTTP; –protocol tcp; –no_case; ‑‑flow from_client; )

Web servers do not contact clients until clients first open a communication session. Therefore, using the –flow from_client command will force the FortiGate to ignore all traffic from the server. Since the majority of HTTP traffic flows from the server to the client, this will save considerable system resources and still maintain protection.

Specify the context

When the client browser tries to contact example.com, a DNS is first consulted to get the example.com server IP address. The IP address is then specified in the URL field of the HTTP communication. The domain name will still appear in the host field, so this custom signature will not function without the ‑‑context host keyword/value pair.

F-SBID( –name “Block.example.com”; ‑‑pattern “example.com”; ‑‑service HTTP; –no_case; ‑‑flow from_client; ‑‑context host; )

 

Recent posts

  • If you've spent any time configuring user authentication on... Full Story

  • DNS is one of those technologies that quietly underpins... Full Story

  • BGP issues on FortiGate firewalls usually trace back to... Full Story

  • Every time your laptop talks to your router, a... Full Story

  • If you've spent any time configuring NAT on a... Full Story

  • If you have spent any time configuring firewall policies... Full Story

  • High availability on FortiGate is one of those features... Full Story

  • If you've configured SD-WAN on a FortiGate, you've almost... Full Story

  • FortiLink is the management protocol that turns a FortiSwitch... Full Story

  • FortiSwitches are pretty rock solid from Mean Time Between... Full Story

  • This is a quicky tip.  Have you ever gone... Full Story

  • DNS is one of those quiet pieces of internet... Full Story

  • This article is an updated version of the previous... Full Story

  • You will add ns2 as a secondary (slave) BIND9... Full Story

  • In the process of deploying my lab, I needed... Full Story

  • RFC 8805, used to be known as Self-Correcting IP... Full Story

  • Years back, I wrote an article about certificate pinning. ... Full Story

  • FortiGates have the ability to send alerts to Microsoft... Full Story

  • In this post, I am going to walk through... Full Story

  • Troubleshooting VoIP on a FortiGate can feel like trying... Full Story

  • Prior to FortiOS 7.0, there were three commands to... Full Story

  • In this post, I am going to go over... Full Story

  • What we are going to do:  We are going... Full Story

  • Choosing between FGCP (FortiGate Clustering Protocol) and FGSP (FortiGate... Full Story

  • Creating a VLAN on macOS (The "Pro" Move) A... Full Story

  • This blog post explores the logic behind how macOS... Full Story

  • Pretty Fly for a Wi-Fi Tell My Wi-Fi Love... Full Story

  • Part of my daily gig is creating BoMs (Bill-of-Materials)... Full Story

  • ICMP introduces several security risks, but careful filtering, rate... Full Story

  • The command diag debug application dhcps -1 enables full... Full Story

  • In the world of FortiOS, execute tac report is... Full Story

  • LLDP; What is it The Link Layer Discovery Protocol... Full Story

  • What it actually does When you run diagnose fdsm... Full Story

  • Monkey Bites are bite-sized, high-impact security insights designed for... Full Story

  • I have run macOS in macOS with Parallels but... Full Story

  • Don't be confused with my other FortiNAC posts where... Full Story

  • This is the third session in a multi-part article... Full Story

  • Today I was configuring key-based authentication on a FortiGate... Full Story

  • Netcat, often called the "Swiss Army knife" of networking,... Full Story

  • At its core, IEEE 802.1X is a network layer... Full Story

  • In case you did not see the previous FortiNAC... Full Story

  • This is our 5th session where we are going... Full Story

  • Now that we have Wireshark installed and somewhat configured,... Full Story

  • The Philosophy of Packet Analysis Troubleshooting isn't about looking... Full Story

  • Executive Summary A FortiGate is only as flexible as... Full Story

  • 1. Title & Executive Summary Objective: This guide explains... Full Story

  • 1. Title and Executive Summary Title: Power over Ethernet Standards... Full Story