Today's ever-changing threat landscape drives the need for security services to constantly stay ahead of the latest threats. This means that security teams have to continually update the IPS signatures that relate to the latest threats relevant to their specific organization. With new vulnerabilities and new malware being discovered every day, security vendors are creating new signatures every day to mitigate the new threats. Every network is unique, with its own traffic patterns and requirements. Typically, that means most security teams test new signatures on their Intrusion Prevention Systems (or on their Network Firewalls, if they are using the consolidated IPS capability) to ensure the signatures have no adverse impact on existing traffic; in other words, they are trying to catch or minimize false positives.
Let's take a look at the features released in FortiOS 6.4.2 that deliver significant enhancements to the IPS workflows for monitoring signatures and reducing false positives.
The FortiOS 6.4.2 release includes two new IPS signature filter options:
The hold-time option allows you to set, per VDOM, the amount of time that signatures are held after a FortiGuard IPS signature update. During the holding period the signature's mode is monitor, so it logs matches without blocking. The new signatures are enabled with their configured action only after the hold-time expires, which avoids false positives. The hold-time can range from 0 days and 0 hours (the default, meaning no hold) up to 7 days, in the format ##d##h.
How to enable Hold Time:
To configure the amount of time to hold and monitor IPS signatures:
config system ips
    set signature-hold-time 3d12h
    set override-signature-hold-by-id enable
end
This feature allows security teams to optimize their workflows for new signatures as they are released and minimize the chance of a false-positive trigger from a new signature, thereby avoiding the negative impact on the network of blocking legitimate traffic and applications.
The CVE pattern option allows you to filter IPS signatures based on CVE IDs or with a CVE wildcard, ensuring that any signatures tagged with that CVE are automatically included.
This feature shortens security teams' response time to threats: they can search by CVE ID to quickly find which IPS signatures to turn on for a specific vulnerability.
How to implement CVE patterns:
To configure CVE patterns for CVE-2010-0177 and all CVE-2017 CVEs (the sensor name "cve" and the entry IDs 1 and 2 are placeholders added here to make the snippet complete; the original listing omitted them):
config ips sensor
    edit "cve"
        set comment "cve"
        config entries
            edit 1
                set cve "cve-2010-0177"
                set status enable
                set log-packet enable
                set action block
            next
            edit 2
                set cve "cve-2017"
                set action reset
            next
        end
    next
end
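The following Python script is an added illustration of how the two options above interact; it is not FortiOS code and does not talk to a FortiGate. It models what the page describes: a hold-time in ##d##h notation (validated against the 0 to 7 day range), the monitor mode a freshly released signature stays in until the hold expires, and a sensor whose entries select signatures by full CVE ID or by year-only wildcard. The exact first-match rule between entries, the year-only wildcard semantics and the sample signature feed (the CVE-2017 and CVE-2019 IDs are constructed, not real signatures) are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# ##d##h notation from the page, e.g. "3d12h"; one or two digits each.
HOLD_TIME_RE = re.compile(r"(\d{1,2})d(\d{1,2})h")
MAX_HOLD = timedelta(days=7)  # page: "up to 7 days"


def parse_hold_time(text: str) -> timedelta:
    """Parse signature-hold-time in ##d##h form and enforce the 0d0h..7d0h range."""
    m = HOLD_TIME_RE.fullmatch(text.strip().lower())
    if not m:
        raise ValueError(f"hold-time must look like ##d##h, got {text!r}")
    days, hours = int(m.group(1)), int(m.group(2))
    if hours > 23:
        raise ValueError("hours component must be 0-23")
    hold = timedelta(days=days, hours=hours)
    if hold > MAX_HOLD:
        raise ValueError("hold-time cannot exceed 7 days")
    return hold


def cve_matches(pattern: str, cve_id: str) -> bool:
    """Assumed wildcard rule: a full ID matches exactly, a year-only pattern
    such as "cve-2017" matches every CVE of that year. Case-insensitive."""
    p, c = pattern.strip().lower(), cve_id.strip().lower()
    if re.fullmatch(r"cve-\d{4}", p):
        return c.startswith(p + "-")
    return c == p


def effective_action(signature: dict, entries: list, hold: timedelta, now: datetime):
    """Return (action, reason) for one signature under a sensor at time `now`.
    A signature younger than the hold-time is forced into monitor mode."""
    matched = [e for e in entries
               if any(cve_matches(e["cve"], tag) for tag in signature["cves"])]
    if not matched:
        return ("pass", "no sensor entry selects this signature")
    entry = matched[0]  # assumption: first matching entry wins
    release_ok = signature["released"] + hold
    if now < release_ok:
        return ("monitor", f"held until {release_ok:%Y-%m-%d %H:%M} UTC")
    return (entry["action"], f"selected by entry cve={entry['cve']}")


# Constructed sample data; not a real FortiGuard feed.
NOW = datetime(2020, 9, 1, 0, 0, tzinfo=timezone.utc)
SIGNATURES = [
    {"name": "Sig.A", "cves": ["CVE-2010-0177"], "released": NOW - timedelta(days=30)},
    {"name": "Sig.B", "cves": ["CVE-2017-1234"], "released": NOW - timedelta(hours=6)},
    {"name": "Sig.C", "cves": ["CVE-2019-9999"], "released": NOW - timedelta(days=2)},
]
# Mirrors the page's sensor: entry 1 blocks one CVE, entry 2 resets all CVE-2017.
SENSOR_ENTRIES = [
    {"cve": "cve-2010-0177", "action": "block"},
    {"cve": "cve-2017", "action": "reset"},
]
HOLD = parse_hold_time("3d12h")


def evaluate_all(now: datetime = NOW) -> dict:
    """Map each sample signature to the action the modelled sensor would take."""
    return {s["name"]: effective_action(s, SENSOR_ENTRIES, HOLD, now)[0]
            for s in SIGNATURES}


if __name__ == "__main__":
    for sig in SIGNATURES:
        action, why = effective_action(sig, SENSOR_ENTRIES, HOLD, NOW)
        print(f"{sig['name']:6} {action:8} {why}")
```

Running it shows Sig.A blocked (old signature, exact CVE match), Sig.B in monitor mode (it matches the CVE-2017 wildcard but was released only six hours ago, inside the 3d12h hold), and Sig.C passed because no entry selects it. Re-running with `now` advanced past the hold flips Sig.B to the entry's reset action, which is the behaviour the hold-time feature is meant to give operators time to review.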