Does anyone know the reasoning behind FortiGuard having an IPS signature set to disabled by default? If anyone has suggestions for finding other signatures that are set to disabled by default, I would be interested to hear your ideas. I'm under the impression I can override this default by configuring my entries in the IPS profile to set all signatures to enable instead of their default, but I still haven't verified that it works.
FG100DXXXXXX (SSH.Connection.B~rce) # get
name : SSH.Connection.Brute.Force
status : disable
log : enable
log-packet : disable
action : pass
group : remote_access
severity : high
location : server
os : All
application : Other
service : TCP, SSH
rule-id : 35662
rev : 4.360
date : 1405515600

FG100Dxxxxx (SSLv2.Get.Shared~low) # get
name : SSLv2.Get.Shared.Ciphers.Overflow
status : enable
log : enable
log-packet : disable
action : block
group : misc
severity : medium
location : server
os : Windows, Linux, BSD, Solaris, MacOS
application : Other
service : TCP
rule-id : 15023
rev : 2.567
date : 1398258000
Setting all signatures in IPS sensor to enabled instead of taking default:
config ips sensor
    edit <sensor-name>
        config entries
            edit 1
                set status enable
            next
        end
    next
end
(the default for status is to take the signature's own default; the entry-level status lives under "config entries" inside the sensor)
On 5.2 some IPS signatures are not the normal kind. They are rate specific. The example you showed is one of those types. They are all disabled unless you enable them and set the rate threshold. It is not enabled because every environment will probably want a different threshold.
I've attached a picture from the GUI which makes it clearer how the signature works.
FG200D 5.6.5 (HA) - primary
FWF50B's 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x
FAZ-VM 5.6.5 | Fortimail 5.3.11
I actually discovered this while doing some testing with 5.2 but I am interested in using the rate based signatures in my 5.0 production environment.
I don't understand why a signature like this one, "SSH.Connection.Brute.Force" (ID 35662), isn't enabled by default. The FortiGuard encyclopedia states that it should trigger on a rate of 200 in 10 seconds. Not sure what the concern is there, as the default action is pass anyway.
I can create a new entry in my IPS sensor profile and apply a specific rate to it (yes even in 5.0) but that still doesn't answer my question as to why Fortinet has these sigs disabled by default. I still would like a way to be able to find other sigs that are disabled by default too. I assume it is all the rate based ones but who's to say there isn't more?
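One way to answer the "which other signatures are disabled by default" question offline: dump the signatures with `get` as shown above, paste the output into a file, and filter on `status : disable`. The script below is an added example, not code from the thread or from Fortinet; it assumes the `key : value` layout the `get` command printed in the posts (the sample is constructed from the two dumps in the thread, in the flattened one-line form a forum paste often has, and the parser also accepts the CLI's own one-key-per-line layout).

```python
import re
from datetime import datetime, timezone

# Constructed sample: the two "get" dumps from the thread, flattened the way
# the forum shows them (values are the thread's own).
SAMPLE_GET_OUTPUT = """\
FG100DXXXXXX (SSH.Connection.B~rce) # get name : SSH.Connection.Brute.Force status : disable log : enable log-packet : disable action : pass group : remote_access severity : high location : server os : All application : Other service : TCP, SSH rule-id : 35662 rev : 4.360 date : 1405515600
FG100Dxxxxx (SSLv2.Get.Shared~low) # get name : SSLv2.Get.Shared.Ciphers.Overflow status : enable log : enable log-packet : disable action : block group : misc severity : medium location : server os : Windows, Linux, BSD, Solaris, MacOS application : Other service : TCP rule-id : 15023 rev : 2.567 date : 1398258000
"""

# "key : value" pairs; a value runs until the next "key : " or end of text,
# so multi-word values such as "TCP, SSH" survive intact.
_PAIR_RE = re.compile(r"([\w-]+) : (.*?)(?=\s+[\w-]+ : |\s*$)", re.S)
_PROMPT_RE = re.compile(r"^.*?# get\s*", re.M)  # drop "FGxxx (...) # get" prompts


def parse_ips_rules(text):
    """Return one dict per signature. A record starts at every 'name' key,
    which works for both the CLI's multi-line output and the flattened form."""
    rules, current = [], {}
    for key, value in _PAIR_RE.findall(_PROMPT_RE.sub("", text)):
        if key == "name" and current:
            rules.append(current)
            current = {}
        current[key] = value.strip()
    if current:
        rules.append(current)
    return rules


def disabled_by_default(rules):
    """Signatures whose built-in status is 'disable' (e.g. rate-based ones).
    'action : pass' only says what happens on a match; a disabled signature
    never matches at all, so filter on status, not on action."""
    return [r for r in rules if r.get("status") == "disable"]


def summarize(rule):
    """Compact view of one signature, with the epoch 'date' field rendered."""
    when = datetime.fromtimestamp(int(rule["date"]), tz=timezone.utc).date()
    return {
        "rule-id": int(rule["rule-id"]),
        "name": rule["name"],
        "status": rule["status"],
        "action": rule["action"],
        "severity": rule["severity"],
        "date": when.isoformat(),
    }


if __name__ == "__main__":
    for r in disabled_by_default(parse_ips_rules(SAMPLE_GET_OUTPUT)):
        print(summarize(r))
```

Feed it the full `get` output of every rule and the list of disabled signatures falls out; whether that list is exactly the rate-based ones is something to check against the rate fields of each entry rather than assume.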