user2345312
New Member
December 7, 2021
Question

I don't understand what the action "detected" signifies in the event type name = ips

  • December 7, 2021
  • 2 replies
  • 13193 views

I have been thinking about it for several days and do not understand several things about IPS:

If the action detected by the IPS is of type "detected", does this mean that this action has been detected but the IPS has not blocked the action? What is the reason for this? Does the IPS work with signatures and, depending on the detection, does it perform a blocking action or not?

I would like to know these questions to get an idea of how the IPS works when it does not block the actions.

Note: I noticed that it is also associated according to the severity and cscore fields?

Example of log:


logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" eventtime=1638688278 severity="medium" action="detected" proto=6 service="HTTP" policyid=5 attack="Cross.Site.Scripting" direction="outgoing" attackid=17702 ref="http://www.fortinet.com/ids/VID17702" incidentserialno=1073380607 msg="web_app2: Cross.Site.Scripting," crscore=10 crlevel="medium"


Thank you, best regards.


2 replies

jdelafuente_FTNT
Staff & Editor
December 14, 2021

If the action detected by the IPS is of type "detected", does this mean that this action has been detected but the IPS has not blocked the action?

-- No block, just log created.


What is the reason for this?

-- To prevent false positives and incorrect blocking, to start checking what kind of attacks the environment is under, for proof of concept; in short, to know what happens in your network without using an invasive method that affects production. You can modify it once the attack is confirmed.


Does the IPS work with signatures and, depending on the detection, does it perform a blocking action or not? This is a "default parameter" designed by FortiGuard, based on the previous point.


Best Regards

pavankr5
Staff
July 28, 2023

Hello @user2345312 

When the IPS logs show the action as "detected," it means the IPS has detected the presence of a potential threat based on the signature matching, but it did not take any immediate blocking action against that specific network traffic.

In some cases, "detected" logs might be legitimate traffic or false positives.

Let us know if you have any queries.


Thanks
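Both replies make the same point: action="detected" means the signature matched and a log was written, but the traffic was not stopped. A practical way to act on that is to parse the IPS logs and separate events that were only logged from events that were blocked, then list the signatures that never got a blocking action so they can be reviewed once the attack is confirmed. The script below is an added example written for this page; it is not Fortinet code and not from either reply. It parses FortiGate-style key=value lines, including quoted values with spaces such as the msg field. The first sample line is the log line quoted in the question; the other two lines are constructed for the example, as are the blocking action values "dropped", "reset" and "blocked", which are assumed from general FortiGate usage rather than taken from this thread.

```python
import re
from collections import Counter, defaultdict

# FortiGate logs are space-separated key=value pairs; values may be double-quoted
# and then contain spaces or colons (e.g. msg="web_app2: Cross.Site.Scripting,").
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# "detected" is the value discussed on the page. The blocking values are an
# assumption based on general FortiGate usage, not taken from the thread.
MONITOR_ONLY_ACTIONS = {"detected"}
BLOCKING_ACTIONS = {"dropped", "reset", "blocked"}


def parse_fortigate_line(line: str) -> dict:
    """Parse one key=value log line into a dict; surrounding quotes are removed."""
    fields = {}
    for key, raw in _KV_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def is_blocked(event: dict) -> bool:
    """True if the IPS stopped the traffic, False if it only wrote a log entry."""
    return event.get("action") in BLOCKING_ACTIONS


def summarize_ips(lines) -> dict:
    """Count IPS events per action and list signatures that were only ever logged.

    Signatures in monitor_only_signatures never produced a blocking action, so they
    are the ones to review (and possibly change from detect to block) after the
    traffic has been confirmed as a real attack rather than a false positive.
    """
    by_action = Counter()
    actions_per_sig = defaultdict(set)
    for line in lines:
        ev = parse_fortigate_line(line)
        # Only IPS events carry the action semantics discussed here.
        if ev.get("type") != "utm" or ev.get("subtype") != "ips":
            continue
        by_action[ev["action"]] += 1
        actions_per_sig[ev["attack"]].add(ev["action"])
    monitor_only = sorted(
        sig for sig, acts in actions_per_sig.items() if acts <= MONITOR_ONLY_ACTIONS
    )
    return {"by_action": dict(by_action), "monitor_only_signatures": monitor_only}


# Sample input: line 1 is the log line quoted in the question; lines 2 and 3 are
# constructed for this example (attackid=0 and the msg text are placeholders).
SAMPLE_LOGS = [
    'logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" '
    'eventtime=1638688278 severity="medium" action="detected" proto=6 service="HTTP" '
    'policyid=5 attack="Cross.Site.Scripting" direction="outgoing" attackid=17702 '
    'ref="http://www.fortinet.com/ids/VID17702" incidentserialno=1073380607 '
    'msg="web_app2: Cross.Site.Scripting," crscore=10 crlevel="medium"',
    'logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" '
    'eventtime=1638688300 severity="high" action="dropped" proto=6 service="HTTP" '
    'policyid=5 attack="Example.Signature.A" direction="incoming" attackid=0 '
    'msg="constructed sample" crscore=30 crlevel="high"',
    'logid="0000000000" type="traffic" subtype="forward" action="accept" '
    'msg="constructed non-IPS line"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        ev = parse_fortigate_line(line)
        if ev.get("subtype") == "ips":
            state = "BLOCKED" if is_blocked(ev) else "logged only"
            print(f'{ev["attack"]:<25} action={ev["action"]:<9} -> {state}')
    print(summarize_ips(SAMPLE_LOGS))
```

Run against a real export, the monitor_only_signatures list is the review queue: each entry is a signature that matched in production but never blocked anything, which is exactly the situation the first reply describes as the default until an attack is confirmed.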