pablo_embasa
New Contributor

Get rid of IPS logs for some signatures

Hi,

I'm having a problem with the new signature "name_server: DNS.PTR.Records.Scan". The signature is generating a lot of log entries, and any of them is a real attack.

I'm trying to disable it in my sensor, but even though I disabled this signature and disabled its logs (over the CLI), the FortiGate ignores the settings and continues showing a lot of the logs.

Can someone help me, please?

sensor.png

1 Solution
pminarik
Staff

Can you show us the current configuration of the IPS sensor profile? (i.e. close the "add signatures panel" and show us the rest of the profile's config)

Reasoning: The signature/filter rules are applied top-down as they appear in the list. Maybe you're adding this DNS.PTR.Records.Scan override below an existing rule that handles this signature differently? (e.g. using its default settings) If this is the case, the solution might be as simple as dragging the specific DNS.PTR.Records.Scan rule above the other existing rule(s) in the GUI.

[ corrections always welcome ]
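
The ordering issue described in the answer above, as an added Python model that is not part of the original thread and not Fortinet code. It assumes the first matching entry wins; the entry fields, the severity filter and the signature severities are constructed for illustration.

```python
# Model of top-down evaluation of IPS sensor entries (assumption: first match wins).
# Entry contents and signature metadata are constructed, not taken from a real device.

SIGNATURES = {  # constructed metadata; severities are placeholders
    "DNS.PTR.Records.Scan": "low",
    "Example.Other.Signature": "high",
}

def matches(entry, sig):
    """An entry matches by explicit signature name or by severity filter."""
    if "rules" in entry:
        return sig in entry["rules"]
    return SIGNATURES[sig] in entry["severity"]

def effective_entry(entries, sig):
    """Return the first entry, top-down, that matches the signature."""
    for entry in entries:
        if matches(entry, sig):
            return entry
    return None

def shadowed_overrides(entries):
    """List (override_id, winning_id) for per-signature entries that are never reached."""
    found = []
    for entry in entries:
        for sig in entry.get("rules", []):
            winner = effective_entry(entries, sig)
            if winner is not entry:
                found.append((entry["id"], winner["id"]))
    return found

def move_before(entries, entry_id, target_id):
    """Return a new list with entry_id placed directly above target_id."""
    moved = next(e for e in entries if e["id"] == entry_id)
    rest = [e for e in entries if e["id"] != entry_id]
    idx = next(i for i, e in enumerate(rest) if e["id"] == target_id)
    return rest[:idx] + [moved] + rest[idx:]

# Constructed sensor: a broad filter with default settings sits above the override.
SENSOR = [
    {"id": 1, "severity": {"low", "medium", "high", "critical"}, "status": "default", "log": "enable"},
    {"id": 2, "rules": ["DNS.PTR.Records.Scan"], "status": "disable", "log": "disable"},
]

if __name__ == "__main__":
    print(shadowed_overrides(SENSOR))  # override 2 is shadowed by entry 1
    fixed = move_before(SENSOR, 2, 1)
    print(shadowed_overrides(fixed), effective_entry(fixed, "DNS.PTR.Records.Scan")["log"])
```
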

pablo_embasa
New Contributor

Shame on Me... That was the problem.

Thanks a Lot
