Does anyone know the reasoning behind FortiGuard having a IPS signature set to disabled by default? If anyone has suggestions for finding other signatures that are set to disabled by default I would be interested to hear your ideas. I'm under the impression I can override this default by configuring my entries in the IPS profile to set all signature to enable instead of their default but I still haven't verified that it works.
Example of signature set to disabled by default:
FG100DXXXXXX # conf ips rule SSH.Connection.Brute.Force:
FG100DXXXXXX (SSH.Connection.B~rce) # get
name : SSH.Connection.Brute.Force
status : disable
log : enable
log-packet : disable
action : pass
group : remote_access
severity : high
location : server
os : All
application : Other
service : TCP, SSH
rule-id : 35662
rev : 4.360
date : 1405515600
Example of sig set to enabled by default:
FG100Dxxxxx # conf ips rule SSLv2.Get.Shared.Ciphers.Overflow
FG100Dxxxxx (SSLv2.Get.Shared~low) # get
name : SSLv2.Get.Shared.Ciphers.Overflow
status : enable
log : enable
log-packet : disable
action : block
group : misc
severity : medium
location : server
os : Windows, Linux, BSD, Solaris, MacOS
application : Other
service : TCP
rule-id : 15023
rev : 2.567
date : 1398258000
Setting all signatures in IPS sensor to enabled instead of taking default:
config ips sensor
edit default
config entries
edit 1
set status enable (default setting is to take signature default)
end
end
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
What FortiOS version?
On 5.2 some IPS signatures a not the normal kind. They are rate specific. The exampled you showed is one of those types. They are all disabled unless you enable them and set the rate threshold. It is not enabled, because every environment will probably want a different threshold.
i've attached a picture from the GUI which makes it more clear how the signature works.
FG200D 5.6.5 (HA) - primary [size="1"]FWF50B' s 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x [Did my post help you? Please rate my post.][/size] FAZ-VM 5.6.5 | Fortimail 5.3.11 Network+, Security+
I actually discovered this while doing some testing with 5.2 but I am interested in using the rate based signatures in my 5.0 production environment.
I don't understand why a signature like this one "SSH.Connection.Brute.Force" (ID 35662) ins't enabled by default. The FortiGuard encyclopedia states that it should trigger on a rate of 200 in 10 seconds. Not sure what the concern is there as the default action is pass anyway.
I can create a new entry in my IPS sensor profile and apply a specific rate to it (yes even in 5.0) but that still doesn't answer my question as to why Fortinet has these sigs disabled by default. I still would like a way to be able to find other sigs that are disabled by default too. I assume it is all the rate based ones but who's to say there isn't more?
how do I set specific signatures to disable state from GUI ?
This is considering the requirement as "signatures not application to some environment"
Thanks in advance.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1696 | |
1092 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.