Fortinet Comprehensive Guide to FortiGate IPS Signatures and Packet Logging

Page 18

Viewing the predefined signature list

Predefined signatures

By default, the signatures are sorted by name. To sort the table by another column, select the required column header name.

Column

Select to customize the signature information displayed in the table. You

Settings

can also readjust the column order.

Clear All Filters

If you have applied filtering to the predefined signature list display, select

 

this option to clear all filters and display all the signatures.

Name

The name of the signature, linked to the FortiGuard Center web page

 

about the signature.

Severity

The severity rating of the signature. The severity levels, from lowest to

 

highest, are Information, Low, Medium, High, and Critical.

Target

The target of the signature. Servers, clients, or both.

Protocols

The protocol the signature applies to.

OS

The operating system the signature applies to.

Applications

The applications the signature applies to.

Enable

The default status of the signature. A green circle indicates the signature

 

is enabled. A gray circle indicates the signature is not enabled.

Action

The default action for the signature. The available actions are pass and

 

drop.

 

Pass allows the traffic to continue without any modification. If you

 

want to determine what effect IPS protection would have on your

 

network traffic, you can enable the required signatures, set the action

 

to pass, and enable logging. Traffic will not be interrupted, but you

 

will be able to examine in detail which signatures were detected.

 

Drop prevents the traffic with detected signatures from reaching its

 

destination.

 

If logging is enabled, the action appears in the status field of the log

 

message generated by the signature.

ID

A unique numeric identifier for the signature.

Logging

The default logging behavior of the signature. A green circle indicates

 

logging is enabled. A gray circle indicates logging is disabled.

Group

A functional group that is assigned to the signature. This group is only

 

for reference and cannot be used to define filters.

Packet Log

The default packet log status of the signature. A green circle indicates

 

packet log is enabled. A gray circle indicates packet log is disabled.

Revision

The revision level of the signature. If the signature is updated, the

 

revision number will be incremented.

Fine tuning IPS predefined signatures for enhanced system performance

In FortiOS the FortiGate unit will have most of the predefined signatures enabled and will log all of them by default. To meet your specific network requirements, you need to fine tune the signature settings.

By fine tuning the signatures and log settings you can provide the best protection available but also free up valuable FortiGate resources. Fine tuning enables you to turn off features that you are not using. By turning off signatures and logs that you do not use, you allow the FortiGate unit to perform tasks faster thus improving overall system performance.

Not all systems require you to scan for all signatures of the IPS suite all the time. By configuring the FortiGate unit to not monitor for these signatures, you will maintain a high level of security and increase overall performance.

 

FortiGate IPS User Guide Version 3.0 MR7

18

01-30007-0080-20080916

Image 18
Contents E R G U I D E Trademarks Contents DoS sensors Protocol decodersIPS sensors SYN flood attacksIntroduction FortiGate IPSDocument conventions About this documentFortinet documentation Typographic conventionsFortiGate Pptp VPN User Guide Customer service and technical support Fortinet Knowledge CenterComments on Fortinet technical documentation IPS overview and general configuration IPS settings and controlsThis section contains the following topics Default fail open setting When to use IPSDefault signature and anomaly settings Config ips global Set fail-open enable disable endMonitoring the network and dealing with attacks Setting the buffer sizeConfiguring logging and alert email Controlling sessionsAttack log messages Signature Anomaly FortiGuard CenterAdding protection profiles to firewall policies Using IPS sensors in a protection profileCreating a protection profile that uses IPS sensors Select Create NewAdding protection profiles to user groups Using IPS sensors in a protection profile Predefined signatures IPS predefined signaturesViewing the predefined signature list Column SettingsEnable Clear All FiltersCreate a sensor and add IPS filters to it Viewing the predefined signature list Custom signatures IPS custom signaturesViewing the custom signature list Adding custom signatures using the CLI Custom signature configurationAdding custom signatures using the web-based manager Command syntax patternCreating custom signatures Custom signature fieldsShows the valid characters for custom signature fields Name BufferOverflow Custom signature syntaxAttackid SrcportContent keywords Keyword and value Description Deprecated, see pattern and context keywords Pattern yahoo.com Pattern GETContext uri Context hostRegexdelimismxAEGRU PcreRegex/mdelim Uri !uristrProtocol tcp IP header keywords Keyword and Value DescriptionTCP header keywords Keyword and Value Description Tcpflags AP Tcpflags S,12UDP header keywords Keyword and Value Description Icmp keywords Keyword and Value UsageOther keywords Keyword and Value Description Example 1 signature to block access to example.com Example custom signaturesSbid --name Block.example.com Sbid --name Block.example.com Example 2 signature to block the Smtp ‘vrfy’ command Sbid --name Block.SMTP.VRFY.CMDSbid --name Block.SMTP.VRFY.CMD --pattern vrfy Creating custom signatures Protocol decoders Protocol decodersUpgrading the IPS protocol decoder list Viewing the protocol decoder list Protocol decoder list Protocols Protocol decoder names PortIPS sensors AlldefaultAlldefaultpass Viewing the IPS sensor listProtectclient Configuring IPS sensorsAdding an IPS sensor ProtectemailserverIPS sensor attributes IPS sensor filtersIPS sensor overrides Configuring filtersReset Delete and Edit Delete or edit the filter IconsConfiguring pre-defined and custom overrides ApplicationExempt IP SourceDoS sensors Sequence in which the sensors examine network traffic Configuring DoS sensorsViewing the DoS sensor list Appears, and select OKName Enter or change the DoS sensor name Comments Anomaly configurationDoS sensor attributes Will appear in the DoS sensor listUnderstanding the anomalies Udpscan Anomaly Description TcpdstsessionUdpflood UdpsrcsessionUnderstanding the anomalies What is a SYN flood attack? SYN flood attacksHow SYN floods work FortiGate IPS Response to SYN flood attacks What is SYN threshold?What is SYN proxy? How IPS works to prevent SYN floodsIPS operation before synflood threshold is reached Configuring SYN flood protection Suggested settings for different network conditionsConfigure the options for tcpsynflood Select OK How Icmp sweep attacks work What is an Icmp sweep?Icmp sweep attacks FortiGate IPS response to Icmp sweep attacksPredefined Icmp signatures Icmp sweep anomalies Configuring Icmp sweep protection Index FortiGate Version 3.0 MR7 IPS User GuideTechnical support