Fortinet Forum
FortiAdam
Contributor II

IPS Signatures set to disabled status by default

Does anyone know the reasoning behind FortiGuard having an IPS signature set to disabled by default?  If anyone has suggestions for finding other signatures that are set to disabled by default I would be interested to hear your ideas.  I'm under the impression I can override this default by configuring my entries in the IPS profile to set all signatures to enable instead of their default, but I still haven't verified that it works.

Example of signature set to disabled by default:

FG100DXXXXXX # conf ips rule SSH.Connection.Brute.Force

FG100DXXXXXX (SSH.Connection.B~rce) # get
name : SSH.Connection.Brute.Force
status : disable
log : enable
log-packet : disable
action : pass
group : remote_access
severity : high
location : server
os : All
application : Other
service : TCP, SSH
rule-id : 35662
rev : 4.360
date : 1405515600

Example of sig set to enabled by default:

FG100Dxxxxx # conf ips rule SSLv2.Get.Shared.Ciphers.Overflow

FG100Dxxxxx (SSLv2.Get.Shared~low) # get
name : SSLv2.Get.Shared.Ciphers.Overflow
status : enable
log : enable
log-packet : disable
action : block
group : misc
severity : medium
location : server
os : Windows, Linux, BSD, Solaris, MacOS
application : Other
service : TCP
rule-id : 15023
rev : 2.567
date : 1398258000

Setting all signatures in the IPS sensor to enabled instead of taking the default (an entry's default "status" setting is to take each signature's own default):

config ips sensor
    edit default
        config entries
            edit 1
                set status enable
            next
        end
    next
end

3 REPLIES
Paul_S
Contributor

What FortiOS version?

On 5.2 some IPS signatures are not the normal kind. They are rate specific. The example you showed is one of those types. They are all disabled unless you enable them and set the rate threshold. It is not enabled, because every environment will probably want a different threshold.

I've attached a picture from the GUI which makes it more clear how the signature works.

FG200D 5.6.5 (HA) - primary | FWF50B's 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x | FAZ-VM 5.6.5 | Fortimail 5.3.11 | Network+, Security+

FortiAdam
Contributor II

I actually discovered this while doing some testing with 5.2, but I am interested in using the rate-based signatures in my 5.0 production environment.

I don't understand why a signature like this one, "SSH.Connection.Brute.Force" (ID 35662), isn't enabled by default.  The FortiGuard encyclopedia states that it should trigger on a rate of 200 in 10 seconds.  Not sure what the concern is there, as the default action is pass anyway.

I can create a new entry in my IPS sensor profile and apply a specific rate to it (yes, even in 5.0), but that still doesn't answer my question as to why Fortinet has these sigs disabled by default.  I still would like a way to be able to find other sigs that are disabled by default too.  I assume it is all the rate-based ones, but who's to say there isn't more?
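On FortiAdam's open question of how to find the other signatures that are disabled by default: the following is an added example, not code from this thread or from Fortinet. It parses the "get" output of config ips rule blocks pasted from a CLI session (the same shape as the two blocks quoted in the original post), lists the rules whose default status is disable, and turns the epoch "date" field into a calendar day. The session text is a constructed sample abbreviated to the fields the script uses.

```python
import re
from datetime import datetime, timezone

# Constructed sample of a captured CLI session: two "get" blocks in the shape shown
# in the thread, abbreviated to the fields this script uses.
SAMPLE_SESSION = """\
FG100DXXXXXX (SSH.Connection.B~rce) # get
name : SSH.Connection.Brute.Force
status : disable
action : pass
group : remote_access
severity : high
rule-id : 35662
date : 1405515600

FG100Dxxxxx (SSLv2.Get.Shared~low) # get
name : SSLv2.Get.Shared.Ciphers.Overflow
status : enable
action : block
group : misc
severity : medium
rule-id : 15023
date : 1398258000
"""

KV_RE = re.compile(r"^([\w-]+)\s*:\s*(.*)$")  # "key : value" lines of the get output

def parse_rules(text):
    """Return one dict per 'get' block found in a pasted CLI session."""
    rules, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("# get"):      # the prompt line opens a new rule block
            current = {}
            rules.append(current)
        elif current is not None and (m := KV_RE.match(line)):
            current[m.group(1)] = m.group(2)
    return rules

def disabled_by_default(rules):
    """List (name, rule-id, action, group, date) for rules whose default status is disable."""
    found = []
    for r in rules:
        if r.get("status") == "disable":
            day = datetime.fromtimestamp(int(r["date"]), tz=timezone.utc).strftime("%Y-%m-%d")
            found.append((r["name"], int(r["rule-id"]), r["action"], r["group"], day))
    return found

if __name__ == "__main__":
    for row in disabled_by_default(parse_rules(SAMPLE_SESSION)):
        print(row)
```

Paste the output of a longer session (one "get" per rule) in place of the sample and the same two functions report every rule the firewall has at its shipped default of disable.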

rajanaik

How do I set specific signatures to the disabled state from the GUI?

This is considering the requirement as "signatures not applicable to some environments".

Thanks in advance.