Network Intrusion Detection System (NIDS)

Logging attacks

 

 

The FortiGate unit uses an alert email queue in which each new message is compared with the previous messages. If the new message is not a duplicate, the FortiGate unit sends it immediately and puts a copy in the queue. If the new message is a duplicate, the FortiGate unit deletes it and increases an internal counter for the number of message copies in the queue.

The FortiGate unit holds duplicate alert email messages for 60 seconds. If a duplicate message has been in the queue for more than 60 seconds, the FortiGate unit deletes the message and increases the copy number. If the copy number is greater than 1, the FortiGate unit sends a summary email that includes “Repeated x times” in the subject header, the statement “The following email has been repeated x times in the last y seconds”, and the original message.

Manual message reduction

If you want to reduce the number of alerts that the NIDS generates, you can review the content of attack log messages and alert email. If a large number of the alerts are nuisance alerts (for example, web attacks when you are not running a web server), you can disable the signature group for that attack type. Use the ID number in the attack log or alert email to locate the attack in the signature group list. See “Disabling NIDS attack signatures” on page 272.

FortiGate-800 Installation and Configuration Guide

277

Page 277
Image 277
Fortinet FortiGate-800 manual Manual message reduction, 277