Skip to main content
FortiAdam
FortiAdam
New Member
June 24, 2015
Question

IPS Signatures set to disabled status by default

  • June 24, 2015
  • 2 replies
  • 15031 views

Does anyone know the reasoning behind FortiGuard having a IPS signature set to disabled by default?  If anyone has suggestions for finding other signatures that are set to disabled by default I would be interested to hear your ideas.  I'm under the impression I can override this default by configuring my entries in the IPS profile to set all signature to enable instead of their default but I still haven't verified that it works. 

Example of signature set to disabled by default:

 
 
 
 
 
 
 
FG100DXXXXXX # conf ips rule SSH.Connection.Brute.Force: 
 
 
 
 
 
 
 
FG100DXXXXXX (SSH.Connection.B~rce) # get
name : SSH.Connection.Brute.Force 
status : disable 
log : enable 
log-packet : disable 
action : pass 
group : remote_access 
severity : high
location : server
os : All
application : Other
service : TCP, SSH
rule-id : 35662
rev : 4.360
date : 1405515600
 
 
 
 
 
 
 
Example of sig set to enabled by default:
 
 
 
 
 
 
 
FG100Dxxxxx # conf ips rule SSLv2.Get.Shared.Ciphers.Overflow
 
 
 
 
 
 
 
FG100Dxxxxx (SSLv2.Get.Shared~low) # get
name : SSLv2.Get.Shared.Ciphers.Overflow 
status : enable 
log : enable 
log-packet : disable 
action : block 
group : misc 
severity : medium
location : server
os : Windows, Linux, BSD, Solaris, MacOS
application : Other
service : TCP
rule-id : 15023
rev : 2.567
date : 1398258000
 
 
 
 
 
 
 
Setting all signatures in IPS sensor to enabled instead of taking default:
config ips sensor
 
edit default
 
config entries
 
edit 1
set status enable (default setting is to take signature default)
end
end
2 replies
Paul_S
Paul_S
New Member
June 24, 2015
What FortiOS version?
 
On 5.2 some IPS signatures a not the normal kind. They are rate specific. The exampled you showed is one of those types. They are all disabled unless you enable them and set the rate threshold. It is not enabled, because every environment will probably want a different threshold.
 
i've attached a picture from the GUI which makes it more clear how the signature works.
FortiAdam
FortiAdamAuthor
New Member
June 24, 2015
I actually discovered this while doing some testing with 5.2 but I am interested in using the rate based signatures in my 5.0 production environment.  
 
I don't understand why a signature like this one "SSH.Connection.Brute.Force" (ID 35662) ins't enabled by default.  The FortiGuard encyclopedia states that it should trigger on a rate of 200 in 10 seconds.  Not sure what the concern is there as the default action is pass anyway.  
 
I can create a new entry in my IPS sensor profile and apply a specific rate to it (yes even in 5.0) but that still doesn't answer my question as to why Fortinet has these sigs disabled by default.  I still would like a way to be able to find other sigs that are disabled by default too.  I assume it is all the rate based ones but who's to say there isn't more?
rajanaik
rajanaik
New Member
May 28, 2020
how do I set specific signatures to disable state from GUI ?
 
This is considering the requirement as "signatures not application to some environment" 
 
Thanks in advance.
 

        
                                                

        

    


            

                                        

            
                        

                                                                                                            
            






        

                    

    
    





    


                                        

                                                        

            
        
    






                                    
Terms & ConditionsAccessibility statement