Jkaural
Staff
March 11, 2025

Technical Tip: IPS signatures do not validate each subsequent communication between client and server


Description

This article describes the behaviour of FortiGate IPS signatures on established sessions: once a session exists, the IPS does not validate and log every subsequent client-server exchange individually.

Scope

FortiGate, IPS Signature validation.
Solution

When a session is created, the traffic is validated against the IPS signatures and each match is logged with its full request context. For an existing session, however, subsequent hits on the same signature are aggregated rather than logged one by one.

 

Scenario 1: IPS Signature validation for the new session.

 

date=2024-11-08 time=14:09:51 eventtime=1731092991646136339 tz="-0500" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="test" severity="critical" srcip=172.19.11.66 srccountry="Reserved" dstip=172.19.32.66 dstcountry="Reserved" srcintf="port13.604" srcintfrole="lan" dstintf="port10.704" dstintfrole="lan" sessionid=7966919 action="detected" proto=6 service="HTTP" policyid=1 poluuid="bae3ca8c-19d8-51ee-0609-bc55cb8a8faf" policytype="policy" attack="Test-Server_Server_Validation" srcport=41408 dstport=80 hostname="server284" url="/downloads/eicar.txt" agent="curl/7.29.0" httpmethod="GET" direction="incoming" attackid=6499 profile="IPS_Testing_Signatures" incidentserialno=207626992 msg="custom: Test-Server_Server_Validation" crscore=50 craction=4096 crlevel="critical"

 

date=2024-11-08 time=14:09:51 eventtime=1731092991645622014 tz="-0500" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="test" severity="critical" srcip=172.19.11.66 srccountry="Reserved" dstip=172.19.32.66 dstcountry="Reserved" srcintf="port13.604" srcintfrole="lan" dstintf="port10.704" dstintfrole="lan" sessionid=7966919 action="detected" proto=6 service="HTTP" policyid=1 poluuid="bae3ca8c-19d8-51ee-0609-bc55cb8a8faf" policytype="policy" attack="Test-Client_Tunnel_Validation" srcport=41408 dstport=80 hostname="server284" url="/downloads/eicar.txt" agent="curl/7.29.0" httpmethod="GET" direction="outgoing" attackid=5371 profile="IPS_Testing_Signatures" incidentserialno=207626991 msg="custom: Test-Client_Tunnel_Validation" crscore=50 craction=4096 crlevel="critical"

 

The two entries above share sessionid=7966919 and were written within the same second (they are listed newest first): the custom signature Test-Client_Tunnel_Validation fired in the outgoing direction and Test-Server_Server_Validation in the incoming direction. Both entries carry the full HTTP context (hostname, url, agent, httpmethod), showing that traffic on a new session is validated against the custom IPS signatures.

 

Scenario 2: IPS Signature validation for the existing session.

 

date=2024-11-08 time=14:08:23 eventtime=1731092903851309105 tz="-0500" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="test" severity="critical" srcip=172.19.11.66 srccountry="Reserved" dstip=172.19.32.66 dstcountry="Reserved" srcintf="port13.604" srcintfrole="lan" dstintf="port10.704" dstintfrole="lan" sessionid=7966829 action="detected" proto=6 service="HTTP" policyid=1 poluuid="bae3ca8c-19d8-51ee-0609-bc55cb8a8faf" policytype="policy" attack="Test-Server_Server_Validation" srcport=41406 dstport=80 direction="incoming" attackid=6499 profile="IPS_Testing_Signatures" incidentserialno=207626990 msg="custom: Test-Server_Server_Validation" crscore=50 craction=4096 crlevel="critical"

 

date=2024-11-08 time=14:08:17 eventtime=1731092897759689233 tz="-0500" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="test" severity="critical" srcip=172.19.11.66 srccountry="Reserved" dstip=172.19.32.66 dstcountry="Reserved" srcintf="port13.604" srcintfrole="lan" dstintf="port10.704" dstintfrole="lan" sessionid=7966829 action="detected" proto=6 service="HTTP" policyid=1 poluuid="bae3ca8c-19d8-51ee-0609-bc55cb8a8faf" policytype="policy" attack="Test-Server_Server_Validation" srcport=41406 dstport=80 hostname="server284" url="/downloads/eicar.txt" agent="python-requests/2.6.0 CPython/2.7.5 Linux/3.10.0-1062.4.1.el7.x86_64" httpmethod="GET" direction="incoming" attackid=6499 profile="IPS_Testing_Signatures" incidentserialno=207626988 msg="custom: Test-Server_Server_Validation" crscore=50 craction=4096 crlevel="critical"

 

date=2024-11-08 time=14:08:17 eventtime=1731092897759083950 tz="-0500" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="test" severity="critical" srcip=172.19.11.66 srccountry="Reserved" dstip=172.19.32.66 dstcountry="Reserved" srcintf="port13.604" srcintfrole="lan" dstintf="port10.704" dstintfrole="lan" sessionid=7966829 action="detected" proto=6 service="HTTP" policyid=1 poluuid="bae3ca8c-19d8-51ee-0609-bc55cb8a8faf" policytype="policy" attack="Test-Client_Tunnel_Validation" srcport=41406 dstport=80 hostname="server284" url="/downloads/eicar.txt" agent="python-requests/2.6.0 CPython/2.7.5 Linux/3.10.0-1062.4.1.el7.x86_64" httpmethod="GET" direction="outgoing" attackid=5371 profile="IPS_Testing_Signatures" incidentserialno=207626987 msg="custom: Test-Client_Tunnel_Validation" crscore=50 craction=4096 crlevel="critical"

 

The three entries above belong to a single session (sessionid=7966829, srcport=41406) and are listed newest first. At 14:08:17, when the session was created, both custom signatures fired and the entries carry the full HTTP context (hostname, url, agent, httpmethod). The later entry at 14:08:23 for Test-Server_Server_Validation, written on the already-established session, carries none of those fields. This shows that once a session exists, the IPS combines multiple triggers of the same signature instead of logging each one with its own request details. This reduces inspection and logging overhead, with the consequence that the number of IPS log entries for a long-lived session should not be read as the number of requests that matched the signature.
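The following script is an added example, not Fortinet code: it parses the five FortiGate IPS log entries from the two scenarios above (copied from this article as the sample input), groups them by sessionid and attack name, and reports which sessions contain hits that the IPS reported without HTTP context. Treating the absence of the hostname/url/httpmethod fields as the marker of an aggregated hit on an existing session is an assumption drawn from the entries shown here; the regular expression and function names are the example's own.

```python
"""Group FortiGate IPS signature logs by session to compare how the IPS
reports hits on a new session versus an already-established one."""
import re
from collections import defaultdict

# One key=value token. The value is either a double-quoted string (which may
# contain spaces, e.g. agent="python-requests/2.6.0 CPython/2.7.5 ...") or a
# bare token such as srcip=172.19.11.66 or sessionid=7966919.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Fields present only when the entry was logged with the HTTP request that
# triggered the signature. Assumption from the article's logs: an IPS entry
# without them is a hit reported on an already-established session.
HTTP_CONTEXT_FIELDS = ("hostname", "url", "httpmethod")

# Sample input: the five log entries shown in the article (newest first per scenario).
SAMPLE_LOGS = [
    'date=2024-11-08 time=14:09:51 eventtime=1731092991646136339 tz="-0500" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="test" severity="critical" srcip=172.19.11.66 srccountry="Reserved" dstip=172.19.32.66 dstcountry="Reserved" srcintf="port13.604" srcintfrole="lan" dstintf="port10.704" dstintfrole="lan" sessionid=7966919 action="detected" proto=6 service="HTTP" policyid=1 poluuid="bae3ca8c-19d8-51ee-0609-bc55cb8a8faf" policytype="policy" attack="Test-Server_Server_Validation" srcport=41408 dstport=80 hostname="server284" url="/downloads/eicar.txt" agent="curl/7.29.0" httpmethod="GET" direction="incoming" attackid=6499 profile="IPS_Testing_Signatures" incidentserialno=207626992 msg="custom: Test-Server_Server_Validation" crscore=50 craction=4096 crlevel="critical"',
    'date=2024-11-08 time=14:09:51 eventtime=1731092991645622014 tz="-0500" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="test" severity="critical" srcip=172.19.11.66 srccountry="Reserved" dstip=172.19.32.66 dstcountry="Reserved" srcintf="port13.604" srcintfrole="lan" dstintf="port10.704" dstintfrole="lan" sessionid=7966919 action="detected" proto=6 service="HTTP" policyid=1 poluuid="bae3ca8c-19d8-51ee-0609-bc55cb8a8faf" policytype="policy" attack="Test-Client_Tunnel_Validation" srcport=41408 dstport=80 hostname="server284" url="/downloads/eicar.txt" agent="curl/7.29.0" httpmethod="GET" direction="outgoing" attackid=5371 profile="IPS_Testing_Signatures" incidentserialno=207626991 msg="custom: Test-Client_Tunnel_Validation" crscore=50 craction=4096 crlevel="critical"',
    'date=2024-11-08 time=14:08:23 eventtime=1731092903851309105 tz="-0500" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="test" severity="critical" srcip=172.19.11.66 srccountry="Reserved" dstip=172.19.32.66 dstcountry="Reserved" srcintf="port13.604" srcintfrole="lan" dstintf="port10.704" dstintfrole="lan" sessionid=7966829 action="detected" proto=6 service="HTTP" policyid=1 poluuid="bae3ca8c-19d8-51ee-0609-bc55cb8a8faf" policytype="policy" attack="Test-Server_Server_Validation" srcport=41406 dstport=80 direction="incoming" attackid=6499 profile="IPS_Testing_Signatures" incidentserialno=207626990 msg="custom: Test-Server_Server_Validation" crscore=50 craction=4096 crlevel="critical"',
    'date=2024-11-08 time=14:08:17 eventtime=1731092897759689233 tz="-0500" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="test" severity="critical" srcip=172.19.11.66 srccountry="Reserved" dstip=172.19.32.66 dstcountry="Reserved" srcintf="port13.604" srcintfrole="lan" dstintf="port10.704" dstintfrole="lan" sessionid=7966829 action="detected" proto=6 service="HTTP" policyid=1 poluuid="bae3ca8c-19d8-51ee-0609-bc55cb8a8faf" policytype="policy" attack="Test-Server_Server_Validation" srcport=41406 dstport=80 hostname="server284" url="/downloads/eicar.txt" agent="python-requests/2.6.0 CPython/2.7.5 Linux/3.10.0-1062.4.1.el7.x86_64" httpmethod="GET" direction="incoming" attackid=6499 profile="IPS_Testing_Signatures" incidentserialno=207626988 msg="custom: Test-Server_Server_Validation" crscore=50 craction=4096 crlevel="critical"',
    'date=2024-11-08 time=14:08:17 eventtime=1731092897759083950 tz="-0500" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="test" severity="critical" srcip=172.19.11.66 srccountry="Reserved" dstip=172.19.32.66 dstcountry="Reserved" srcintf="port13.604" srcintfrole="lan" dstintf="port10.704" dstintfrole="lan" sessionid=7966829 action="detected" proto=6 service="HTTP" policyid=1 poluuid="bae3ca8c-19d8-51ee-0609-bc55cb8a8faf" policytype="policy" attack="Test-Client_Tunnel_Validation" srcport=41406 dstport=80 hostname="server284" url="/downloads/eicar.txt" agent="python-requests/2.6.0 CPython/2.7.5 Linux/3.10.0-1062.4.1.el7.x86_64" httpmethod="GET" direction="outgoing" attackid=5371 profile="IPS_Testing_Signatures" incidentserialno=207626987 msg="custom: Test-Client_Tunnel_Validation" crscore=50 craction=4096 crlevel="critical"',
]


def parse_fortigate_log(line):
    """Parse one FortiGate key=value log line into a dict; surrounding quotes are stripped."""
    fields = {}
    for key, value in _KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def has_http_context(entry):
    """True when the entry carries the HTTP request details (hostname, url, httpmethod)."""
    return all(field in entry for field in HTTP_CONTEXT_FIELDS)


def summarize_sessions(lines):
    """Group IPS signature entries by sessionid and attack name.

    Returns {sessionid: {attack: {"hits", "with_http_context", "first", "last"}}}.
    "first"/"last" hold the eventtime nanosecond counter, so entries written in
    the same wall-clock second still order correctly.
    """
    summary = defaultdict(dict)
    for line in lines:
        entry = parse_fortigate_log(line)
        if entry.get("subtype") != "ips" or entry.get("eventtype") != "signature":
            continue  # only IPS signature events are of interest here
        t = int(entry["eventtime"])
        stats = summary[entry["sessionid"]].setdefault(
            entry["attack"], {"hits": 0, "with_http_context": 0, "first": t, "last": t})
        stats["hits"] += 1
        stats["with_http_context"] += 1 if has_http_context(entry) else 0
        stats["first"] = min(stats["first"], t)
        stats["last"] = max(stats["last"], t)
    return dict(summary)


def sessions_with_aggregated_hits(summary):
    """Session IDs with at least one signature hit logged without HTTP context,
    i.e. a later trigger the IPS reported on an existing session."""
    return sorted(
        sid for sid, attacks in summary.items()
        if any(s["hits"] > s["with_http_context"] for s in attacks.values()))


if __name__ == "__main__":
    result = summarize_sessions(SAMPLE_LOGS)
    for sid, attacks in result.items():
        for attack, s in attacks.items():
            print(f"session {sid} {attack}: {s['hits']} hit(s), "
                  f"{s['with_http_context']} with HTTP context")
    print("sessions with aggregated hits:", sessions_with_aggregated_hits(result))
```

Run against the article's entries, session 7966919 (scenario 1) shows one hit per signature, each with full HTTP context, while session 7966829 (scenario 2) shows two hits for Test-Server_Server_Validation of which only the first carries the request fields; the session is therefore flagged as having aggregated hits. On a real log feed, the same grouping is what stops a dashboard from treating the per-session IPS entry count as a per-request hit count.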