FortiGate
mricardez
Staff
Article Id 247937
Description This article describes how to troubleshoot IPS signature matching in order to gain visibility into why an IPS alert was triggered.
Scope FortiGate, IPS.
Solution

When a UTM IPS profile is enabled in the firewall policies, IPS logs may start arriving without any indication of why the signature matched.


To obtain further details about the traffic that matched a signature, enable the following options to gather information and determine whether the IPS match is a false positive.


config ips sensor
    edit {sensor name}    <- The IPS sensor used in the firewall policy.
        config entries
            edit {an integer ID}    <- Use ? here to find which IDs are already in use.
                set rule 51006    <- Attack ID, which can be obtained from the log details. For instance, 51006 is the rule ID for 'Apache.Log4j.Error.Log.Remote.Code.Execution'.
                set log enable
                set log-attack-context enable    <- Log the attack context.
                set log-packet enable    <- Save the packet that triggered the signature.
                set action {block | pass}
            next
        end
    next
end


  • log-packet: Save the packet that triggered the filter. The packets can be downloaded in PCAP format for diagnostic use.
  • log-attack-context: The attack context field contains all the matched patterns as well as the URI, headers, body and the entire packet buffer. The content of this field is base64 encoded; once decoded it shows more information about the detection.


log-attack-context gives visibility of the triggered IPS alert but without the complete payload; log-packet captures the complete payload of the packet that triggered the alert, and that packet can be downloaded in PCAP format for diagnostic use.


WARNING:

Use with caution: these options consume a lot of resources and are intended only for troubleshooting an IPS match. Disable them once troubleshooting is complete.


From the IPS log, it is possible to get the IPS Attack ID. In this example, the lab ID is 51006.


To limit resource consumption, create a dedicated entry in the IPS sensor for the specific Attack ID so that the extra logging applies to that signature only.


Move the new entry to the top of the list so that it takes precedence during the matching decision.


With the CLI, enable log, log-packet, and log-attack-context on the entry that contains the specific Attack ID (51006).


The next IPS log that matches will contain the Attack Context and the Archived Data.


Decoding the string with a base64 utility in Linux will show the pattern that matched the IPS signature.
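As an added example, not part of the Fortinet article, the following Python script does the same decoding step as the Linux base64 utility but works directly on a FortiGate-style key=value IPS log line and tolerates the cut-off context strings that log-attack-context can produce. The log line, its decoded content and the field names attackid/attackcontext are constructed here for illustration.

```python
import base64
import binascii
import re

# Constructed sample FortiGate-style IPS log (key=value, quoted values). Field
# names such as attackid/attackcontext are assumed; check them against the log
# reference for your FortiOS release. attackcontext is base64(CONTEXT_PLAIN).
CONTEXT_PLAIN = (
    "GET /lab/test.html HTTP/1.1\r\n"
    "Host: lab.example.test\r\n"
    "X-Constructed-Pattern: SIGNATURE-MATCH-PLACEHOLDER\r\n\r\n"
)
SAMPLE_LOG = (
    'date=2023-03-02 time=10:15:00 type="utm" subtype="ips" eventtype="signature" '
    'level="alert" severity="critical" srcip=10.0.0.5 dstip=10.0.0.80 dstport=80 '
    'attack="Apache.Log4j.Error.Log.Remote.Code.Execution" attackid=51006 action="pass" '
    'attackcontext="' + base64.b64encode(CONTEXT_PLAIN.encode()).decode() + '"'
)

# One key=value token: a double-quoted value (escapes allowed) or a bare word.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> dict:
    """Split a FortiGate key=value log line into a dict, unquoting values."""
    fields = {}
    for key, raw in _KV_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def decode_attack_context(fields: dict) -> bytes:
    """Base64-decode attackcontext; b"" if the field is absent or unusable."""
    # The context buffer is capped on the FortiGate, so the string can arrive
    # cut off; restore missing '=' padding so a partial payload is still shown.
    ctx = fields.get("attackcontext", "")
    ctx += "=" * (-len(ctx) % 4)
    try:
        return base64.b64decode(ctx, validate=True)
    except binascii.Error:
        return b""


def summarize_ips_alert(line: str) -> dict:
    fields = parse_fortigate_log(line)
    return {
        "attackid": fields.get("attackid"),
        "attack": fields.get("attack"),
        "context": decode_attack_context(fields).decode("utf-8", "replace"),
    }
```

Run summarize_ips_alert on each IPS log line exported from the FortiGate to see the attack ID next to the decoded context without copying base64 strings by hand.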


From the Archived Data tab, it is possible to download the PCAP file.


Using Wireshark, it is possible to analyze the header and payload of the packet that matched the IPS signature.


Related article:

Troubleshooting Tip: Using the FortiOS policy based packet capture