Understanding the anomalies | Fortinet IPS manual

Understanding the anomalies

DoS sensors

	FortiGate IPS User Guide Version 3.0 MR7
50	01-30007-0080-20080916

Image 50

Fortinet IPS manual Understanding the anomalies

Contents

E R G U I D E Trademarks Contents DoS sensors Protocol decodersIPS sensors SYN flood attacks Introduction FortiGate IPS Document conventions About this documentFortinet documentation Typographic conventions FortiGate Pptp VPN User Guide Comments on Fortinet technical documentation Customer service and technical supportFortinet Knowledge Center This section contains the following topics IPS overview and general configurationIPS settings and controls Default fail open setting When to use IPSDefault signature and anomaly settings Config ips global Set fail-open enable disable end Monitoring the network and dealing with attacks Setting the buffer sizeConfiguring logging and alert email Controlling sessions Attack log messages Signature Anomaly FortiGuard Center Adding protection profiles to firewall policies Using IPS sensors in a protection profileCreating a protection profile that uses IPS sensors Select Create New Adding protection profiles to user groups Using IPS sensors in a protection profile Viewing the predefined signature list Predefined signaturesIPS predefined signatures Column SettingsEnable Clear All Filters Create a sensor and add IPS filters to it Viewing the predefined signature list Viewing the custom signature list Custom signaturesIPS custom signatures Adding custom signatures using the CLI Custom signature configurationAdding custom signatures using the web-based manager Command syntax pattern Shows the valid characters for custom signature fields Creating custom signaturesCustom signature fields Name BufferOverflow Custom signature syntaxAttackid Srcport Content keywords Keyword and value Description Deprecated, see pattern and context keywords Pattern yahoo.com Pattern GETContext uri Context host RegexdelimismxAEGRU PcreRegex/mdelim Uri !uristr Protocol tcp IP header keywords Keyword and Value Description TCP header keywords Keyword and Value Description Tcpflags AP Tcpflags S,12 Other keywords Keyword and Value Description UDP header keywords Keyword and Value DescriptionIcmp keywords Keyword and Value Usage Sbid --name Block.example.com Example 1 signature to block access to example.comExample custom signatures Sbid --name Block.example.com Sbid --name Block.SMTP.VRFY.CMD --pattern vrfy Example 2 signature to block the Smtp ‘vrfy’ commandSbid --name Block.SMTP.VRFY.CMD Creating custom signatures Upgrading the IPS protocol decoder list Protocol decodersProtocol decoders Viewing the protocol decoder list Protocol decoder list Protocols Protocol decoder names Port IPS sensors AlldefaultAlldefaultpass Viewing the IPS sensor list Protectclient Configuring IPS sensorsAdding an IPS sensor Protectemailserver IPS sensor attributes IPS sensor filters IPS sensor overrides Configuring filtersReset Delete and Edit Delete or edit the filter Icons Configuring pre-defined and custom overrides Application Exempt IP Source DoS sensors Sequence in which the sensors examine network traffic Configuring DoS sensorsViewing the DoS sensor list Appears, and select OK Name Enter or change the DoS sensor name Comments Anomaly configurationDoS sensor attributes Will appear in the DoS sensor list Understanding the anomalies Udpscan Anomaly Description TcpdstsessionUdpflood Udpsrcsession Understanding the anomalies How SYN floods work What is a SYN flood attack?SYN flood attacks FortiGate IPS Response to SYN flood attacks What is SYN threshold?What is SYN proxy? How IPS works to prevent SYN floods IPS operation before synflood threshold is reached Configure the options for tcpsynflood Select OK Configuring SYN flood protectionSuggested settings for different network conditions How Icmp sweep attacks work What is an Icmp sweep?Icmp sweep attacks FortiGate IPS response to Icmp sweep attacks Predefined Icmp signatures Icmp sweep anomalies Configuring Icmp sweep protection Index FortiGate Version 3.0 MR7 IPS User Guide Technical support