Skip to main content
A
Anonymous_User
Contributor
March 1, 2005
Question

" Best" action when intrusion detected?

  • March 1, 2005
  • 3 replies
  • 17449 views
Hi there i read that the best action to configure when a intrusion is detected is " clear session" . Because it clears the incoming traffic and on the other side there is no response to the guy who started this attack, or whatever. (read this in the knowledge base)

    3 replies

    A
    Anonymous_UserAuthor
    Contributor
    March 2, 2005
    that depends what category you are going to use, recently we had this people attacking us on the smtp, then we decided to use drop session then clear session to try to solved the problem, the result was kind of disapointed, it caused a mail loop which I have to call other guys to pull the mail that was caught in the loop.
    A
    Anonymous_UserAuthor
    Contributor
    March 8, 2005
    Could anyone show me to some material to read? Especially the differences of Drop and Clear as well as drop and clear session. In the Fortigate Help file it is mentioned that you should not drop sessions with tcp, why is that? Does anyone have a more restrictive list of recommendations for the IPS signatures than Fortigate Default, which is pass in the majority of cases. Thx, Alex
    A
    Anonymous_UserAuthor
    Contributor
    March 8, 2005
    -Pass The FortiGate unit lets the packet that triggered the signature pass through the firewall. If logging is disabled and action is set to Pass, the signature is effectively disabled. --- note --- The rule is disabled, so there is no scanning action for that type of event. It is useless to scan for specific attacks if you don' t have that specific type of server. So if you don' t have a ISS that is running, don' t scan for ISS type of attacks However I think that some attacks can be give problems even if you don' t have that kind of server. And that Fortinet sets an action to those -Drop The FortiGate unit drops the packet that triggered the signature. Fortinet recommends using an action other than Drop for TCP connection based attacks. --- note ---- Could it be that the fortinet keeps the session active in the session table. If you keep dropping packets the session table will grow ? - Reset The FortiGate unit drops the packet that triggered the signature, sends a reset to both the client and the server, and removes the session from the FortiGate session table. Used for TCP connections only. If you set this action for non-TCP connection based attacks, the action will behave as Clear Session. If the Reset action is triggered before the TCP connection is fully established it acts as Clear Session. - Reset Client The FortiGate unit drops the packet that triggered the signature, sends a reset to the client, and removes the session from the FortiGate session table. Used for TCP connections only. If you set this action for non-TCP connection based attacks, the action will behave as Clear Session. If the Reset Client action is triggered before the TCP connection is fully established it acts as Clear Session. - Reset Server The FortiGate unit drops the packet that triggered the signature, sends a reset to the server, and removes the session from the FortiGate session table. Used for TCP connections only. If you set this action for non-TCP connection based attacks, the action will behave as Clear Session. If the Reset Server action is triggered before the TCP connection is fully established it acts as Clear Session. - Drop Session The FortiGate unit drops the packet that triggered the signature and drops any other packets in the same session. - Clear Session The FortiGate unit drops the packet that triggered the signature, removes the session from the FortiGate session table, and does not send a reset. - Pass Session The FortiGate unit lets the packet that triggered the signature and all other packets in the session pass through the firewall.
    A
    Anonymous_UserAuthor
    Contributor
    March 8, 2005
    Thx for the quick reply. The argument with the session table seems plausible. I have read that help file, but the explanation is rather short and does not really explain the different actions depending on the signature. I am not sure when to reset and when to drop. I guess reset means I give some kind of reply while to some attacks it would be better to drop everything and just remain silent. In the fortigate database recommended actions are completely different than default values on the machine. 2.8 build 292 Is there an opportunity to download the settings and upload a config file for IPS? The web interface is a a pain i. t.. a.. and the console is not to plausible to me. Even when using tab to complete the signature names that lasts even longer than doing it via the web. Thx for further enlightenment, Alex
    A
    Anonymous_UserAuthor
    Contributor
    March 28, 2005
    I couldn' t agree with you more regarding when to drop, clear etc. No method to backup/restore any IPS predefined signatures. What is the URL of the Fortigate recommendations ?
    Terms & ConditionsAccessibility statement