NIDS Detection

Question from Contributor, July 23, 2004 (5 replies, 3959 views)

When I go through my log files on my Fortinet 60, the logs show that "the following intrusion was observed". Does this mean that it didn't stop the intrusion?


    UkWizard
    New Member
    July 23, 2004
    Possibly; there are some that are prevented, some that aren't. Look the particular one up in the GUI.
    Contributor
    July 23, 2004
    So if I look it up in the web GUI and it is listed under the detection tab, it is not prevented, is that correct?
    UkWizard
    New Member
    July 23, 2004
    Yes, hence the different "protection" and "detection" sections....
    UkWizard
    New Member
    July 23, 2004
    Actually I should add, the firewall would obviously still act like a firewall regardless of this. So if it's an incoming intrusion, then (presuming you have no incoming allow-all rule) it will still drop the traffic. But if it's a detected signature over an open port, like over port 80, HTTP to your web server, then no, it won't be stopped.
    Contributor
    July 23, 2004
    Alright, that clears things up. So when it logs items such as: "The following intrusion was observed: sql: Slammer[Reference: http://www.fortinet.com/ids/ID287178790] Interface-wan1: UDP 195.129.56.1:2280 -> **.***.**.***:1434" and port 1434 is not open, then it will automatically be dropped, is that about right? Thanks again.
    UkWizard
    New Member
    July 23, 2004
    Yes, that's correct; this is what a firewall's job is. The intrusions are just add-ons to prevent specific attacks or to alert you of attacks. I take it from this you have seen the Slammer alerts then; this is totally normal. Every site I have installed so far usually sees the Slammer alerts as the first attempt, usually within an hour as well. Stupid really, as this attack is ages old now, and you'd have thought the sender would have noticed by now.
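    The reasoning in this exchange (an IDS "detection" entry on a port with no inbound allow rule is dropped by the firewall anyway; the same entry on an open port such as 80 reaches the server) can be turned into a small triage script for the log file. The following is an added example written for this page, not FortiGate code or output; the log lines are constructed to match the format quoted above (the masked address is replaced with documentation-range addresses), the second signature name and reference are placeholders, and the set of inbound allow rules and the names of the external interfaces are assumptions you would replace with your own policy.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Constructed sample lines modelled on the entry quoted in the thread.
# Addresses come from the RFC 5737 documentation ranges, not real hosts;
# the "constructed-sig" entry and its reference are placeholders.
SAMPLE_LOGS = [
    "The following intrusion was observed: sql: Slammer[Reference: "
    "http://www.fortinet.com/ids/ID287178790] Interface-wan1: UDP "
    "198.51.100.7:2280 -> 203.0.113.10:1434 .",
    "The following intrusion was observed: http: constructed-sig[Reference: "
    "placeholder] Interface-wan1: TCP 198.51.100.9:40112 -> 203.0.113.10:80",
    "The following intrusion was observed: sql: Slammer[Reference: "
    "http://www.fortinet.com/ids/ID287178790] Interface-internal: UDP "
    "192.168.1.23:1434 -> 203.0.113.99:1434",
]

# Field layout of the quoted entry: signature, reference, interface, protocol,
# then "src:port -> dst:port". Trailing text (the " ." in the quote) is ignored.
LOG_RE = re.compile(
    r"The following intrusion was observed: (?P<sig>.+?)\[Reference: (?P<ref>[^\]]*)\] "
    r"Interface-(?P<iface>\S+): (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Assumptions for the example: wan1/wan2 face the Internet, and the only
# inbound allow rule is HTTP to the web server, as in the thread's scenario.
EXTERNAL_INTERFACES: Set[str] = {"wan1", "wan2"}
INBOUND_ALLOWED: Set[Tuple[str, int]] = {("TCP", 80)}


@dataclass(frozen=True)
class IdsEvent:
    signature: str
    reference: str
    interface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_event(line: str) -> Optional[IdsEvent]:
    """Return the parsed event, or None when the line is not an IDS entry."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return IdsEvent(
        signature=m["sig"].strip(), reference=m["ref"], interface=m["iface"],
        proto=m["proto"], src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]),
    )


def classify(ev: IdsEvent,
             inbound_allowed: Set[Tuple[str, int]] = INBOUND_ALLOWED,
             external: Set[str] = EXTERNAL_INTERFACES) -> str:
    """Apply the thread's rule of thumb to one event.

    internal-source   : seen on an inside interface, so an internal host is the
                        sender; worth investigating regardless of the firewall.
    detected-only     : inbound on a port the policy opens; the IDS only logged
                        it, so the traffic reached the server.
    dropped-by-policy : inbound on a port with no allow rule; the firewall
                        drops it whether or not the IDS matched a signature.
    """
    if ev.interface not in external:
        return "internal-source"
    if (ev.proto, ev.dport) in inbound_allowed:
        return "detected-only"
    return "dropped-by-policy"


def triage(lines: Iterable[str], **policy) -> List[Tuple[str, str, int, str]]:
    """Parse and classify every IDS line; non-matching lines are skipped."""
    out = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None:
            out.append((ev.signature, ev.src, ev.dport, classify(ev, **policy)))
    return out


if __name__ == "__main__":
    for sig, src, dport, verdict in triage(SAMPLE_LOGS):
        print(f"{verdict:18} {sig:22} from {src} to port {dport}")
```

    Run against an exported log, the "detected-only" verdicts are the entries that actually reached a host and deserve a look at the target, while "dropped-by-policy" entries are background noise of the kind described in the replies above.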
    Contributor
    August 16, 2004
    Another way I do it is to add a DENY policy at the bottom of the interface pair and turn on logging for the DENY policy. This way I get notified when packets are being dropped. This can get messy on the external interface on the Internet if you don't have some sort of data concentrator, but I find it works fine on other interfaces... I also found a few computers trying to do things they shouldn't be trying...