Fortinet IPS - page 49

DoS sensors Understanding the anomalies

FortiGate IPS User Guide Version 3.0 MR7

01-30007-0080-20080916 49

tcp_dst_session If the number of concurrent TCP connections to one destination IP

address exceeds the configured threshold value, the action is

executed.

udp_flood If the UDP traffic to one destination IP address exceeds the

configured threshold value, the action is executed. The threshold is

expressed in packets per second.

udp_scan If the number of UDP sessions originating from one source IP

address exceeds the configured threshold value, the action is

executed. The threshold is expressed in packets per second.

udp_src_session If the number of concurrent UDP connections from one source IP

address exceeds the configured threshold value, the action is

executed.

udp_dst_session If the number of concurrent UDP connections to one destination IP

address exceeds the configured threshold value, the action is

executed.

icmp_flood If the number of ICMP packets sent to one destination IP address

exceeds the configured threshold value, the action is executed.

The threshold is expressed in packets per second.

icmp_sweep If the number of ICMP packets originating from one source IP

address exceeds the configured threshold value, the action is

executed. The threshold is expressed in packets per second.

icmp_src_session If the number of concurrent ICMP connections from one source IP

address exceeds the configured threshold value, the action is

executed.

icmp_dst_session If the number of concurrent ICMP connections to one destination

IP address exceeds the configured threshold value, the action is

executed.

Anomaly Description

Contents

Main Page Contents IPS overview and general configuration.......................................... 9 Predefined signatures ..................................................................... 17 Custom signatures........................................................................... 21 Protocol decoders ........................................................................... 37 DoS sensors..................................................................................... 45 SYN flood attacks ............................................................................ 51 ICMP sweep attacks......................................................................... 55 Introduction The FortiGate IPS About this document Document conventions Typographic conventions ! Page Fortinet Knowledge Center Comments on Fortinet technical documentation Customer service and technical support IPS overview and general configuration The FortiGate IPS IPS settings and controls When to use IPS Network performance Default signature and anomaly settings Default fail open setting Controlling sessions Setting the buffer size Monitoring the network and dealing with attacks Configuring logging and alert email Attack log messages Signature Anomaly The FortiGuard Center Using IPS sensors in a protection profile Creating a protection profile that uses IPS sensors Adding protection profiles to firewall policies Page Page Predefined signatures IPS predefined signatures Viewing the predefined signature list Fine tuning IPS predefined signatures for enhanced system performance Page Page Custom signatures IPS custom signatures Viewing the custom signature list Custom signature configuration Adding custom signatures using the web-based manager Adding custom signatures using the CLI Command syntax pattern Creating custom signatures Custom signature fields Custom signature syntax --attack_id 1234; ---name "Buffer_Overflow"; --src_port 41523; --flow bi_direction; Page Page Page Page --protocol tcp; Page --tcp_flags AP tcp_flags S,12 Page Example custom signatures Example 1: signature to block access to example.com Page Example 2: signature to block the SMTP vrfy command Page Protocol decoders Protocol decoders Upgrading the IPS protocol decoder list Page IPS sensors Viewing the IPS sensor list Adding an IPS sensor Configuring IPS sensors IPS sensor attributes: IPS sensor filters: IPS sensor overrides: Configuring filters Configuring pre-defined and custom overrides Page DoS sensors Viewing the DoS sensor list Configuring DoS sensors DoS sensor attributes: Anomaly configuration: Understanding the anomalies Page Page SYN flood attacks What is a SYN flood attack? How SYN floods work The FortiGate IPS Response to SYN flood attacks What is SYN threshold? What is SYN proxy? How IPS works to prevent SYN floods Page Configuring SYN flood protection Suggested settings for different network conditions ICMP sweep attacks What is an ICMP sweep? How ICMP sweep attacks work The FortiGate IPS response to ICMP sweep attacks Predefined ICMP signatures Tabl e 11 describes all the ICMP-related predefined signatures and the default settings for each. ICMP sweep anomalies Configuring ICMP sweep protection Suggested settings for different network conditions Index A C D F