Description
This article disccusses IPS signature filter options added with Hold time and CVE pattern.
Scope
FortiGate v6.4.2.
Solution
Hold Time.
- The hold-time option allows you to set the amount of time that signatures are held after a FortiGuard IPS signature update per VDOM.
- During the holding period, the signature's mode is monitor.
- The new signatures are enabled after the hold-time, to avoid false positives.
- The hold-time can be from 0 days and 0 hours (default) up to 7 days, in the format ##d##h.
- Note: In FortiOS 7.6.3, the maximum signature-hold-time is up to 21 days, in the format ##d##h.
To configure the amount of time to hold and monitor IPS signatures.
config system ips
set signature-hold-time 3d12h
set override-signature-hold-by-id enable
end
When a signature that is on hold is matched, the log will include the message signature is on hold.
date=2010-07-06 time=00:00:57 logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vd1" eventtime=1278399657778481842 tz="-0700" severity="info" srcip=10.1.100.22 srccountry="Reserved" dstip=172.16.200.55 srcintf="port13" srcintfrole="undefined" dstintf="port14" dstintfrole="undefined" sessionid=3620 action="detected" proto=6 service="HTTP" policyid=1 attack="Eicar.Virus.Test.File" srcport=52170 dstport=80 hostname="172.16.200.55" url="/virus/eicar" direction="incoming" attackid=29844 profile="test" ref="http://www.fortinet.com/ids/VID29844" incidentserialno=25165825 msg="file_transfer: Eicar.Virus.Test.File, (signature is on hold)"
To view signatures being held by rule ID 29844 on the vd1 VDOM.
diagnose ips signature on-hold vd1 29844
Rule: 29844, attack_id: 58886, last updated: 20170411
Rule: 29844, attack_id: 59517, last updated: 20170411
Rule: 29844, attack_id: 60105, last updated: 20170411
To view all held signatures on the vd1 VDOM.
diagnose ips signature on-hold vd1
Rule: 17541, attack_id: 20899, last updated: 20140423
Rule: 17557, attack_id: 20934, last updated: 20140423
Rule: 17559, attack_id: 20932, last updated: 20140423
Rule: 17560, attack_id: 20933, last updated: 20140423
Rule: 17562, attack_id: 20928, last updated: 20170908
Rule: 17677, attack_id: 21187, last updated: 20171106
Rule: 17713, attack_id: 43756, last updated: 20140424
Rule: 17759, attack_id: 21298, last updated: 20140423
...
CVE pattern.
The CVE pattern option allows you to filter IPS signatures based on CVE IDs or with a CVE wildcard, ensuring that any signatures tagged with that CVE are automatically included.
To configure CVE patterns for CVE-2010-0177 and all CVE-2017 CVEs.
config ips sensor
edit "cve"
set comment "cve"
config entries
edit 1
set cve "cve-2010-0177"
set status enable
set log-packet enable
set action block
next
edit 2
set cve "cve-2017"
set action reset
next
end
next
end
For example, the CVE of the IPS signature Mozilla.Firefox.PluginArray.NsMimeType.Code.Execution is CVE-2010-0177. This matches the CVE filter in the IPS sensor, so traffic is blocked and logged.
date=2020-07-13 time=15:44:56 logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vd1" eventtime=1594593896666145871 tz="-0700" severity="critical" srcip=10.1.100.22 srccountry="Reserved" dstip=172.16.200.55 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" sessionid=1638 action="dropped" proto=6 service="HTTPS" policyid=1 attack="Mozilla.Firefox.PluginArray.NsMimeType.Code.Execution" srcport=58298 dstport=443 hostname="172.16.200.55" url="/Mozilla" direction="incoming" attackid=20853 profile="sensor-1" ref="http://www.fortinet.com/ids/VID20853" incidentserialno=124780667 msg="web_client: Mozilla.Firefox.PluginArray.NsMimeType.Code.Execution," crscore=50 craction=4096 crlevel="critical"
