Fortinet IPS manual Anomaly, FortiGuard Center

Page 13


IPS overview and general configuration	Monitoring the network and dealing with attacks

Anomaly

The following log message is generated when an attack anomaly is detected:

Message ID:	73001
Severity:	Alert
Message:	attack_id=<value_attack_id> src=<ip_address> dst=<ip_address>
	src_port=<port_num> dst_port=<port_num>
	interface=<interface_name> src_int=<interface_name>
	dst_int=<interface_name> status={clear_session detected dropped
	reset} proto=<protocol_num> service=<network_service>
	msg="<string><[url]>"
Example:	2004-04-07 13:58:53 log_id=0420073001 type=ips subtype=anomaly
	pri=alert attack_id=100663396 src=8.8.120.254 dst=11.1.1.254
	src_port=2217 dst_port=25 interface=internal src_int=n/a dst_int=n/a
	status=reset proto=6 service=smtp msg="anomaly: syn_flood, 100 >
	threshold 10.[Reference: http://www.fortinet.com/ids/ID100663396]"
Meaning:	Attack anomaly message providing the source and destination
	addressing information and the attack name.
Action:	Get more information about the attack and the steps to take from the
	Fortinet Attack Encyclopedia in the FortiGuard Center. Copy and paste
	the URL from the log message into your browser to go directly to the
	signature description in the Attack Encyclopedia.

The FortiGuard Center

The FortiGuard Center combines the knowledge base of the Fortinet technical team into an easily searchable database. FortiGuard Center includes both virus and attack information. Go to http://www.fortinet.com/FortiGuardCenter/.

Search for attacks in the FortiGuard Attack Encyclopedia by any of the criteria shown in Figure 1.

Figure 1: Searching the FortiGuard Attack Encyclopedia

Type in the name or ID of the attack, or copy and paste the URL from the log message or alert email into a browser.

FortiGate IPS User Guide Version 3.0 MR7
01-30007-0080-20080916	13

Image 13

Contents E R G U I D E Trademarks Contents IPS sensors Protocol decodersDoS sensors SYN flood attacksFortiGate IPS IntroductionFortinet documentation About this documentDocument conventions Typographic conventionsFortiGate Pptp VPN User Guide Fortinet Knowledge Center Customer service and technical supportComments on Fortinet technical documentation IPS settings and controls IPS overview and general configurationThis section contains the following topics Default signature and anomaly settings When to use IPSDefault fail open setting Config ips global Set fail-open enable disable endConfiguring logging and alert email Setting the buffer sizeMonitoring the network and dealing with attacks Controlling sessionsAttack log messages Signature FortiGuard Center AnomalyCreating a protection profile that uses IPS sensors Using IPS sensors in a protection profileAdding protection profiles to firewall policies Select Create NewAdding protection profiles to user groups Using IPS sensors in a protection profile IPS predefined signatures Predefined signaturesViewing the predefined signature list Enable SettingsColumn Clear All FiltersCreate a sensor and add IPS filters to it Viewing the predefined signature list IPS custom signatures Custom signaturesViewing the custom signature list Adding custom signatures using the web-based manager Custom signature configurationAdding custom signatures using the CLI Command syntax patternCustom signature fields Creating custom signaturesShows the valid characters for custom signature fields Attackid Custom signature syntaxName BufferOverflow SrcportContent keywords Keyword and value Description Deprecated, see pattern and context keywords Context uri Pattern GETPattern yahoo.com Context hostRegex/mdelim PcreRegexdelimismxAEGRU Uri !uristrIP header keywords Keyword and Value Description Protocol tcpTCP header keywords Keyword and Value Description Tcpflags S,12 Tcpflags APIcmp keywords Keyword and Value Usage UDP header keywords Keyword and Value DescriptionOther keywords Keyword and Value Description Example custom signatures Example 1 signature to block access to example.comSbid --name Block.example.com Sbid --name Block.example.com Sbid --name Block.SMTP.VRFY.CMD Example 2 signature to block the Smtp ‘vrfy’ commandSbid --name Block.SMTP.VRFY.CMD --pattern vrfy Creating custom signatures Protocol decoders Protocol decodersUpgrading the IPS protocol decoder list Protocol decoder list Protocols Protocol decoder names Port Viewing the protocol decoder listAlldefaultpass AlldefaultIPS sensors Viewing the IPS sensor listAdding an IPS sensor Configuring IPS sensorsProtectclient ProtectemailserverIPS sensor filters IPS sensor attributesReset Configuring filtersIPS sensor overrides Delete and Edit Delete or edit the filter IconsApplication Configuring pre-defined and custom overridesSource Exempt IPDoS sensors Viewing the DoS sensor list Configuring DoS sensorsSequence in which the sensors examine network traffic Appears, and select OKDoS sensor attributes Anomaly configurationName Enter or change the DoS sensor name Comments Will appear in the DoS sensor listUnderstanding the anomalies Udpflood Anomaly Description TcpdstsessionUdpscan UdpsrcsessionUnderstanding the anomalies SYN flood attacks What is a SYN flood attack?How SYN floods work What is SYN proxy? What is SYN threshold?FortiGate IPS Response to SYN flood attacks How IPS works to prevent SYN floodsIPS operation before synflood threshold is reached Suggested settings for different network conditions Configuring SYN flood protectionConfigure the options for tcpsynflood Select OK Icmp sweep attacks What is an Icmp sweep?How Icmp sweep attacks work FortiGate IPS response to Icmp sweep attacksPredefined Icmp signatures Icmp sweep anomalies Configuring Icmp sweep protection FortiGate Version 3.0 MR7 IPS User Guide IndexTechnical support