JEHOE
New Member
April 11, 2012
Question

detected IPS event but what action is done ?

  • April 11, 2012
  • 3 replies
  • 14274 views
Hi, I have set up IPS for some testing. The IPS sensor is configured to use the signature default setting for the activity. It seems to be working well and I get some alerts, like:

date=2012-04-11 time=05:18:21 device_id=FG300Bxxxx log_id=16384 subtype=signature type=ips pri=alert itime=1334117901 cluster_id=FG300Bxxxx_CID severity=low src=176.9.xxx.xxx dst=192.168.xxx.xxx src_int=port1 dst_int=port7 policyid=123 identidx=0 serial=413445455 status=detected proto=6 service=http vd=xxxA count=1 src_port=50830 dst_port=80 attack_id=11319 sensor=all_default ref=http://www.fortinet.com/ids/VID11319 incident_serialno=302083983 msg=" web_app: PHP.PEAR.XMLRPC.Code.Injection" carrier_ep=N/A profile=N/A user=N/A group=N/A profiletype=N/A profilegroup=N/A attack_name=N/A

I was surprised not to see what action was done in this special case. So I searched the predefined signatures to check what was defined. But even when I searched for "PHP.PEAR.XMLRPC.Code.Injection" in the predefined signatures I found nothing. Where can I check what action was done in this case (pass/block)? Any hint is welcome. Thanks, Jens

    3 replies

    ede_pfau
    SuperUser
    April 11, 2012
    status=detected
    says it all: the attack was detected and logged, the traffic passed. Blocked traffic is 'status=dropped'.
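A small parser for the FortiGate key=value IPS record shown in the question, added here as an example and not code from the thread or from Fortinet: it splits the record into fields (handling the quoted msg value, which contains spaces) and maps status=detected / status=dropped to the verdict Ede describes. The sample record is constructed from the question's log line with the same masking.

```python
import re
from typing import Dict

# Constructed sample: the IPS record from the question, masked (xxx) as the
# poster did. Not a live log.
SAMPLE_LOG = (
    'date=2012-04-11 time=05:18:21 device_id=FG300Bxxxx log_id=16384 '
    'subtype=signature type=ips pri=alert severity=low src=176.9.xxx.xxx '
    'dst=192.168.xxx.xxx dst_int=port7 policyid=123 status=detected proto=6 '
    'service=http dst_port=80 attack_id=11319 sensor=all_default '
    'ref=http://www.fortinet.com/ids/VID11319 '
    'msg=" web_app: PHP.PEAR.XMLRPC.Code.Injection" attack_name=N/A'
)

# One key=value pair: the value is either a double-quoted string (which may
# contain spaces, as msg does) or a run of non-whitespace characters.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

# status values as they appear in FortiOS IPS logs: detected = logged and
# passed, dropped = blocked (the point made in the reply above).
_VERDICTS = {"detected": "passed", "dropped": "blocked"}

def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Split a FortiGate key=value record into a dict, unquoting values."""
    fields: Dict[str, str] = {}
    for key, value in _KV_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1].strip()   # drop quotes and stray padding
        fields[key] = value
    return fields

def ips_verdict(fields: Dict[str, str]) -> str:
    """Map the status field to what happened to the traffic."""
    status = fields.get("status", "")
    if status not in _VERDICTS:
        raise ValueError(f"unrecognised IPS status: {status!r}")
    return _VERDICTS[status]

def summarize_ips_event(line: str) -> Dict[str, str]:
    """Pull out the fields an analyst wants first from one IPS record."""
    f = parse_fortigate_log(line)
    if f.get("type") != "ips":
        raise ValueError("not an IPS record")
    return {
        "sensor": f.get("sensor", ""),
        "attack_id": f.get("attack_id", ""),
        "signature": f.get("msg", ""),
        "verdict": ips_verdict(f),
    }
```

Feeding the question's record through summarize_ips_event yields verdict "passed", which is why the log shows no separate action field.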
    JEHOE (Author)
    New Member
    April 16, 2012
    Hello Ede, many thanks. As I had up to now only status detected, I wasn't aware that this will change to drop if this is blocked. BTW: do you have any idea why it is detected but this special type isn't seen in the predefined signatures? Thanks, Jens
    ede_pfau
    SuperUser
    April 16, 2012
    From the message logged I read that you are using the "all_default" sensor. Be aware that this includes 'action=drop' as this sensor's action is set to 'default'. What the default action is for each signature can be found when browsing the Predefined signatures. Some have 'action=pass' but some have 'action=drop'. For monitoring only, you can use the 'all_default_pass' predefined sensor. As the 'all_default' sensor comprises over 7.000 signatures it would make sense to quickly create a custom sensor to only include relevant signatures. If you really have a web server on port 7 then the category 'server' would be suited, but 'client' would not.
    JEHOE (Author)
    New Member
    April 23, 2012
    Hello Ede, you are right. I should optimize the signatures only to what is behind this access. So the Server and the OS selection should help to limit the number of signatures that would be checked in case of access. I have not yet done so for my initial review. From the performance side I have not seen anything negative by checking all signatures. But you mention one of my problems. As I don't find the detected signature with that name "PHP.PEAR.XMLRPC.Code.Injection" in the big list, I don't see what would be the default action. Do you have some ideas how to find that? Thanks, Jens
    ede_pfau
    SuperUser
    April 23, 2012
    By all means, the default action is 'detect' as you didn't (and couldn't) select a different action for a signature you don't have in the list.