Get rid of IPS logs for some signatures

pablo_embasa · ‎04-19-2022

Hi,

I´m having a problem with the new signature "name_server: DNS.PTR.Records.Scan". The signature is generating a lot of logs entries, and any of them is an real attack.

I´m trying to disable it from my Sensor, but even though I disable this signature, disable the logs from it (Over CLI), but the FortiGate ignores the settings, and continues showing a lot of the logs.

Someone can help-me please.

pminarik · ‎04-19-2022

Can you show us the current configuration of the IPS sensor profile? (i.e. close the "add signatures panel" and show us the rest of the profile's config)

Reasoning: The signature/filter rules are applied top-down as they appear in the list. Maybe you're adding this DNS.PTR.Records.Scan override below an existing rule that handles this signature differently? (e.g. using its default settings) If this is the case, the solution might be as simple as dragging the specific DNS.PTR.Records.Scan rule above the other existing rule(s) in the GUI.

[ corrections always welcome ]

View solution in original post

pminarik · ‎04-19-2022

Can you show us the current configuration of the IPS sensor profile? (i.e. close the "add signatures panel" and show us the rest of the profile's config)

Reasoning: The signature/filter rules are applied top-down as they appear in the list. Maybe you're adding this DNS.PTR.Records.Scan override below an existing rule that handles this signature differently? (e.g. using its default settings) If this is the case, the solution might be as simple as dragging the specific DNS.PTR.Records.Scan rule above the other existing rule(s) in the GUI.

[ corrections always welcome ]

pablo_embasa · ‎04-19-2022

Shame on Me... That was the problem.

Thanks a Lot

Get rid of IPS logs for some signatures

Nominate a Forum Post for Knowledge Article Creation