DoS sensor attributes, Anomaly configuration | Fortinet IPS specification


DoS sensors	Configuring DoS sensors

Figure 13: Edit DoS Sensor

DoS sensor attributes:

Name	Enter or change the DoS sensor name.
Comments	Enter or change an optional description of the DoS sensor. This description
	will appear in the DoS sensor list.

Anomaly configuration:

Name	The name of the anomaly.
Enable	Select the check box to enable the DoS sensor to detect when the
	specified anomaly occurs. Selecting the check box in the header row will
	enable sensing of all anomalies.
Logging	Select the check box to enable the DoS sensor to log when the anomaly
	occurs. Selecting the check box in the header row will enable logging for all
	anomalies. Anomalies that are not enabled are not logged.
Action	Select Pass to allow anomalous traffic to pass when the FortiGate unit
	detects it, or set Block to prevent the traffic from passing.
Threshold	Displays the number of sessions/packets that must show the anomalous
	behavior before the FortiGate unit triggers the anomaly action (pass or
	block). If required, change the number. For more information about how
	these settings affect specific anomalies, see Table 10 on page 48.

FortiGate IPS User Guide Version 3.0 MR7
01-30007-0080-20080916	47

Image 47

Fortinet IPS DoS sensor attributes, Anomaly configuration, Name Enter or change the DoS sensor name Comments, Threshold

Contents

E R G U I D E Trademarks Contents SYN flood attacks Protocol decodersIPS sensors DoS sensors FortiGate IPS Introduction Typographic conventions About this documentFortinet documentation Document conventions FortiGate Pptp VPN User Guide Comments on Fortinet technical documentation Customer service and technical supportFortinet Knowledge Center This section contains the following topics IPS overview and general configurationIPS settings and controls Config ips global Set fail-open enable disable end When to use IPSDefault signature and anomaly settings Default fail open setting Controlling sessions Setting the buffer sizeConfiguring logging and alert email Monitoring the network and dealing with attacks Attack log messages Signature FortiGuard Center Anomaly Select Create New Using IPS sensors in a protection profileCreating a protection profile that uses IPS sensors Adding protection profiles to firewall policies Adding protection profiles to user groups Using IPS sensors in a protection profile Viewing the predefined signature list Predefined signaturesIPS predefined signatures Clear All Filters SettingsEnable Column Create a sensor and add IPS filters to it Viewing the predefined signature list Viewing the custom signature list Custom signaturesIPS custom signatures Command syntax pattern Custom signature configurationAdding custom signatures using the web-based manager Adding custom signatures using the CLI Shows the valid characters for custom signature fields Creating custom signaturesCustom signature fields Srcport Custom signature syntaxAttackid Name BufferOverflow Content keywords Keyword and value Description Deprecated, see pattern and context keywords Context host Pattern GETContext uri Pattern yahoo.com Uri !uristr PcreRegex/mdelim RegexdelimismxAEGRU IP header keywords Keyword and Value Description Protocol tcp TCP header keywords Keyword and Value Description Tcpflags S,12 Tcpflags AP Other keywords Keyword and Value Description UDP header keywords Keyword and Value DescriptionIcmp keywords Keyword and Value Usage Sbid --name Block.example.com Example 1 signature to block access to example.comExample custom signatures Sbid --name Block.example.com Sbid --name Block.SMTP.VRFY.CMD --pattern vrfy Example 2 signature to block the Smtp ‘vrfy’ commandSbid --name Block.SMTP.VRFY.CMD Creating custom signatures Upgrading the IPS protocol decoder list Protocol decodersProtocol decoders Protocol decoder list Protocols Protocol decoder names Port Viewing the protocol decoder list Viewing the IPS sensor list AlldefaultAlldefaultpass IPS sensors Protectemailserver Configuring IPS sensorsAdding an IPS sensor Protectclient IPS sensor filters IPS sensor attributes Delete and Edit Delete or edit the filter Icons Configuring filtersReset IPS sensor overrides Application Configuring pre-defined and custom overrides Source Exempt IP DoS sensors Appears, and select OK Configuring DoS sensorsViewing the DoS sensor list Sequence in which the sensors examine network traffic Will appear in the DoS sensor list Anomaly configurationDoS sensor attributes Name Enter or change the DoS sensor name Comments Understanding the anomalies Udpsrcsession Anomaly Description TcpdstsessionUdpflood Udpscan Understanding the anomalies How SYN floods work What is a SYN flood attack?SYN flood attacks How IPS works to prevent SYN floods What is SYN threshold?What is SYN proxy? FortiGate IPS Response to SYN flood attacks IPS operation before synflood threshold is reached Configure the options for tcpsynflood Select OK Configuring SYN flood protectionSuggested settings for different network conditions FortiGate IPS response to Icmp sweep attacks What is an Icmp sweep?Icmp sweep attacks How Icmp sweep attacks work Predefined Icmp signatures Icmp sweep anomalies Configuring Icmp sweep protection FortiGate Version 3.0 MR7 IPS User Guide Index Technical support