Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
todfra
New Contributor

The IPS sensor trigger for a custom signature with severity low

Hi everyone!

I set custom IPS signature on FGT 7.0.2:

config ips custom
edit "TCP.SYN.Rate.Limit"
set signature "F-SBID( --attack_id 7313; --name TCP.SYN.Rate.Limit; --protocol tcp; --tcp_flags S+; --flow from_client; --rate 3,60,limit; --track src_ip; )"
set severity low
set location server
set comment "An attempt to prevent brute-force attacks to a TCP server."
next
end

but it's triggering the IPS-Default sensor which is set as follows:
config ips sensor
edit "IPS-default"
set comment "Prevent critical attacks."
config entries
edit 1
set severity medium high critical
next
end
next
end

By checking IPS Event Logs can see that the unit is erroneusly processing the custom IPS signature as "Critical".
Intrusion Prevention
Profile Name IPS-default
Attack Name TCP.SYN.Rate.Limit
Attack ID 7313
Incident Serial No. 112889839
Direction outgoing
Severity critical
Message custom: TCP.SYN.Rate.Limit

 

Why IPS sensor trigger for a custom signature with severity set low?

Thank you!

 
2 REPLIES 2
vweis
Staff
Staff

Hello Todfra,

I have this same problem for my custom signatures on 7.0.5. No matter what I set the severity to, the IPS engine tags them as "critical". Going to look into this...

Will be in touch,
Victor

Digital security, everywhere you need it.
vweis
Staff
Staff

Hello Todfra,

 

I have learned that the CLI option for severity does nothing, and that you actually have to set the severity level in the signature string itself, with "--severity < info | low | medium | high | critical". 

This was not at all clear in the documentation, so I have reached out to the documentation team to request that this get added.

 

Cheers,
Victor

Digital security, everywhere you need it.
Labels
Top Kudoed Authors