FortiGate IPS User Guide: IPS sensors, page 43 (filter attributes; configuring pre-defined and custom overrides)
IPS sensors

Configuring IPS sensors

Name
    Enter or change the name of the IPS filter.

Severity
    Select All, or select Specify and then one or more severity ratings.
    Severity defines the relative importance of each signature. Signatures
    rated critical detect the most dangerous attacks, while those rated
    info pose a much smaller threat.

Target
    Select All, or select Specify and then the type of systems targeted by
    the attack. The choices are server or client.

OS
    Select All, or select Specify and then select one or more operating
    systems that are vulnerable to the attack.
    Signatures with an OS attribute of All affect all operating systems.
    These signatures are automatically included in any filter, regardless
    of whether a single, multiple, or all operating systems are specified.

Protocol
    Select All, or select Specify to list the network protocols used by
    the attack. Use the Right Arrow to move the ones you want to include
    in the filter from the Available list to the Selected list, or the
    Left Arrow to remove previously selected protocols from the filter.

Application
    Select All, or select Specify to list the applications or application
    suites vulnerable to the attack. Use the Right Arrow to move the ones
    you want to include in the filter from the Available list to the
    Selected list, or the Left Arrow to remove previously selected
    applications from the filter.

Enable
    Select from the options to specify what the FortiGate unit will do
    with the signatures included in the filter: enable all, disable all,
    or enable or disable each according to the individual default values
    shown in the signature list.

Logging
    Select from the options to specify whether the FortiGate unit will
    create log entries for the signatures included in the filter: enable
    all, disable all, or enable or disable logging for each according to
    the individual default values shown in the signature list.

Action
    Select from the options to specify what the FortiGate unit will do
    with traffic containing a signature match: pass all, block all, reset
    all, or block or pass traffic according to the individual default
    values shown in the signature list.

The signatures included in the filter are only those matching every attribute specified. When created, a new filter has every attribute set to All, which causes every signature to be included in the filter. If the severity is changed to high and the target is changed to server, the filter includes only signatures checking for high-severity attacks targeted at servers.

Configuring pre-defined and custom overrides

Pre-defined and custom overrides are configured and work mainly in the same way as filters. Unlike filters, each override defines the behavior of one signature.

Overrides can be used in two ways:

To change the behavior of a signature already included in a filter. For example, to protect a web server, you could create a filter that includes and enables all signatures related to servers. If you wanted to disable one of those signatures, the simplest way would be to create an override and mark the signature as disabled.

To add an individual signature, not included in any filters, to an IPS sensor. This is the only way to add custom signatures to IPS sensors.

When a pre-defined signature is specified in an override, the default status and action attributes have no effect. These settings must be explicitly set when creating the override.
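The filter rule above (a signature is included only when every attribute matches, All is a wildcard, and OS=All signatures are always included) and the override rules in this section, as an added Python model. This is an illustration written for this page, not code from the guide or from Fortinet. The signature names, attributes and default values are constructed sample data, and the rule that the first matching filter in sensor order decides a signature's settings is an assumption of the model, not something this page states.

```python
# Added model of how an IPS sensor settles status, logging and action per
# signature from its filters and overrides, following the rules in this
# section. Not Fortinet code: the signatures are constructed sample data and
# "first matching filter decides" is an assumption of this model.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set

ALL = "all"          # a new filter has every attribute set to All
DEFAULT = "default"  # use the per-signature value shown in the signature list

@dataclass(frozen=True)
class Signature:
    name: str
    severity: str            # info, low, medium, high or critical
    target: str              # server or client
    os: FrozenSet[str]       # {"all"} means the signature applies to every OS
    protocol: str
    application: str
    default_status: str      # enable or disable
    default_log: str         # enable or disable
    default_action: str      # pass, block or reset
    custom: bool = False     # custom signatures enter a sensor only via an override

@dataclass
class Filter:
    name: str
    severity: Set[str] = field(default_factory=lambda: {ALL})
    target: Set[str] = field(default_factory=lambda: {ALL})
    os: Set[str] = field(default_factory=lambda: {ALL})
    protocol: Set[str] = field(default_factory=lambda: {ALL})
    application: Set[str] = field(default_factory=lambda: {ALL})
    status: str = DEFAULT    # enable | disable | default
    log: str = DEFAULT       # enable | disable | default
    action: str = DEFAULT    # pass | block | reset | default

    def matches(self, sig: Signature) -> bool:
        """A signature is included only when every attribute matches."""
        if sig.custom:
            return False
        for selected, value in ((self.severity, sig.severity), (self.target, sig.target),
                                (self.protocol, sig.protocol), (self.application, sig.application)):
            if ALL not in selected and value not in selected:
                return False
        # An OS=All signature is included whatever the filter selects; otherwise
        # at least one selected OS must be one the signature applies to.
        return ALL in self.os or ALL in sig.os or bool(self.os & sig.os)

@dataclass
class Override:
    signature: str           # exactly one signature per override
    status: str              # enable or disable; explicit, because a
    log: str                 # pre-defined signature's defaults play no part
    action: str              # pass, block or reset

@dataclass
class Sensor:
    filters: List[Filter] = field(default_factory=list)
    overrides: List[Override] = field(default_factory=list)

    def resolve(self, sig: Signature) -> Optional[Dict[str, str]]:
        """Effective settings for one signature, or None if it is not included."""
        for ov in self.overrides:                # an override wins over any filter
            if ov.signature == sig.name:
                return {"status": ov.status, "log": ov.log, "action": ov.action}
        for flt in self.filters:                 # assumption: first match decides
            if flt.matches(sig):
                return {"status": sig.default_status if flt.status == DEFAULT else flt.status,
                        "log": sig.default_log if flt.log == DEFAULT else flt.log,
                        "action": sig.default_action if flt.action == DEFAULT else flt.action}
        return None

# Constructed sample signatures: names, attributes and defaults are made up.
SIGNATURES = [
    Signature("HTTP.Server.Overflow", "high", "server", frozenset({"linux", "windows"}),
              "HTTP", "Apache", "enable", "enable", "block"),
    Signature("DNS.Server.Exploit", "high", "server", frozenset({"solaris"}),
              "DNS", "BIND", "disable", "disable", "pass"),
    Signature("SMTP.Client.Probe", "low", "client", frozenset({ALL}),
              "SMTP", "Generic", "disable", "disable", "pass"),
    Signature("Custom.Block.example.com", "medium", "client", frozenset({ALL}),
              "HTTP", "Generic", "enable", "enable", "block", custom=True),
]

def build_web_server_sensor() -> Sensor:
    """The scenario from the text: a filter enabling and blocking every high-severity
    server signature, an override switching one of them off, and a second override
    bringing in a custom signature that no filter could select."""
    web = Filter("high-severity-server", severity={"high"}, target={"server"},
                 status="enable", action="block")    # logging left at default
    return Sensor(filters=[web], overrides=[
        Override("HTTP.Server.Overflow", status="disable", log="disable", action="pass"),
        Override("Custom.Block.example.com", status="enable", log="enable", action="block"),
    ])

def effective_table(sensor: Sensor) -> Dict[str, Optional[Dict[str, str]]]:
    return {sig.name: sensor.resolve(sig) for sig in SIGNATURES}
```

Running `effective_table(build_web_server_sensor())` shows the three behaviours the text describes: DNS.Server.Exploit is picked up by the filter and gets enable/block while its logging stays at the signature's own default, HTTP.Server.Overflow would also match the filter but the override disables it, and the custom signature appears only because an override names it. Note that the override carries all three settings explicitly; the model never consults a signature's defaults once an override exists, which is the point made in the last paragraph above.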

FortiGate IPS User Guide Version 3.0 MR7    01-30007-0080-20080916    43
