IPS Signatures set to disabled status by default

Author: FortiAdam (Silver Member)
2015/06/24 14:31:40, tagged 5.0
Does anyone know the reasoning behind FortiGuard having an IPS signature set to disabled by default? If anyone has suggestions for finding other signatures that are set to disabled by default, I would be interested to hear your ideas. I'm under the impression I can override this default by configuring my entries in the IPS profile to set all signatures to enable instead of their default, but I still haven't verified that it works.
Example of a signature set to disabled by default:

FG100DXXXXXX # conf ips rule SSH.Connection.Brute.Force:
FG100DXXXXXX (SSH.Connection.B~rce) # get
name : SSH.Connection.Brute.Force
status : disable
log : enable
log-packet : disable
action : pass
group : remote_access
severity : high
location : server
os : All
application : Other
service : TCP, SSH
rule-id : 35662
rev : 4.360
date : 1405515600

Example of a signature set to enabled by default:

FG100Dxxxxx # conf ips rule SSLv2.Get.Shared.Ciphers.Overflow
FG100Dxxxxx (SSLv2.Get.Shared~low) # get
name : SSLv2.Get.Shared.Ciphers.Overflow
status : enable
log : enable
log-packet : disable
action : block
group : misc
severity : medium
location : server
os : Windows, Linux, BSD, Solaris, MacOS
application : Other
service : TCP
rule-id : 15023
rev : 2.567
date : 1398258000

Setting all signatures in the IPS sensor to enabled instead of taking the signature default (an entry with no rule filter matches every signature; the default for status is to take the signature's own default):
config ips sensor
    edit default
        config entries
            edit 1
                set status enable
            next
        end
    next
end

post edited by FortiAdam - 2015/06/24 18:42:04

Attached Image(s)

#1

3 Replies

    Paul S (Gold Member)
    Re: IPS Signatures set to disabled status by default, 2015/06/24 15:50:46
    What FortiOS version?
     
    On 5.2 some IPS signatures are not the normal kind. They are rate specific. The example you showed is one of those types. They are all disabled unless you enable them and set the rate threshold. It is not enabled, because every environment will probably want a different threshold.

    I've attached a picture from the GUI which makes it more clear how the signature works.

    Attached Image(s)


    FG200D 5.6.5 (HA) - primary
    FWF50B's 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x
    FAZ-VM 5.6.5  |  Fortimail 5.3.11
    Network+, Security+
    #2
    FortiAdam (Silver Member)
    Re: IPS Signatures set to disabled status by default, 2015/06/24 15:58:27
    I actually discovered this while doing some testing with 5.2, but I am interested in using the rate-based signatures in my 5.0 production environment.

    I don't understand why a signature like this one, "SSH.Connection.Brute.Force" (ID 35662), isn't enabled by default. The FortiGuard encyclopedia states that it should trigger on a rate of 200 in 10 seconds. Not sure what the concern is there, as the default action is pass anyway.

    I can create a new entry in my IPS sensor profile and apply a specific rate to it (yes, even in 5.0), but that still doesn't answer my question as to why Fortinet has these sigs disabled by default. I still would like a way to be able to find other sigs that are disabled by default too. I assume it is all the rate-based ones, but who's to say there aren't more?
    #3
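The open question in the thread, finding every signature whose FortiGuard default is "disable" rather than inspecting rules one at a time, can be answered from a pasted CLI dump. The script below is an added example written for this thread (not code from Fortinet or from any poster): it parses the `key : value` blocks that `get` prints inside `config ips rule`, in the exact format shown above, lists the rules that are disabled by default, and emits an IPS sensor entry that enables one of them with an explicit rate threshold. The sample dump is constructed from the two real rules in the thread plus one made-up rule (`Constructed.Example.Signature`, rule-id 99999) that does not exist in FortiGuard; the `config ips sensor` syntax and the `rate-count`, `rate-duration`, `rate-mode` and `rate-track` options are assumed to match FortiOS 5.x and should be checked against your firmware's CLI reference.

```python
"""List IPS rules that are disabled by default from a 'get' dump (added example)."""
import re
from typing import Dict, List, Optional

# Constructed sample: the two rules from the thread (second one abridged) plus
# one made-up rule. Prompt lines and blank lines simply separate rules.
SAMPLE_DUMP = """\
FG100DXXXXXX (SSH.Connection.B~rce) # get
name : SSH.Connection.Brute.Force
status : disable
log : enable
log-packet : disable
action : pass
group : remote_access
severity : high
location : server
os : All
application : Other
service : TCP, SSH
rule-id : 35662
rev : 4.360
date : 1405515600

FG100Dxxxxx (SSLv2.Get.Shared~low) # get
name : SSLv2.Get.Shared.Ciphers.Overflow
status : enable
action : block
group : misc
os : Windows, Linux, BSD, Solaris, MacOS
rule-id : 15023

name : Constructed.Example.Signature
status : disable
action : pass
group : remote_access
rule-id : 99999
"""

# One 'key : value' line of 'get' output. A prompt such as 'FG100D... # get'
# has no 'key :' prefix, so it does not match and acts as a separator.
FIELD_RE = re.compile(r"^\s*([\w-]+)\s*:\s*(.*?)\s*$")


def parse_rules(dump: str) -> List[Dict[str, str]]:
    """Split a concatenated 'get' dump into one dict per rule."""
    rules: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in dump.splitlines():
        match = FIELD_RE.match(line)
        if match is None:
            if current:            # blank line or prompt closes the rule
                rules.append(current)
                current = {}
            continue
        current[match.group(1)] = match.group(2)
    if current:
        rules.append(current)
    return rules


def disabled_by_default(rules: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Rules whose FortiGuard default is 'status : disable'."""
    return [r for r in rules if r.get("status") == "disable"]


def disabled_ids(dump: str) -> List[str]:
    """rule-ids of disabled-by-default rules, in dump order."""
    return [r["rule-id"] for r in disabled_by_default(parse_rules(dump))]


def sensor_override(sensor: str, entry_id: int, rule_id: str, action: str = "block",
                    rate_count: Optional[int] = None, rate_duration: Optional[int] = None,
                    rate_track: str = "src-ip") -> str:
    """Emit a 'config ips sensor' entry enabling one rule (assumed FortiOS 5.x syntax).

    For a rate-based rule, rate_count / rate_duration (seconds) supply the
    threshold that such rules need before they match anything.
    """
    body = [f"set rule {rule_id}", "set status enable", f"set action {action}"]
    if rate_count is not None and rate_duration is not None:
        body += [f"set rate-count {rate_count}", f"set rate-duration {rate_duration}",
                 "set rate-mode periodical", f"set rate-track {rate_track}"]
    inner = "\n".join(" " * 16 + line for line in body)
    return ("config ips sensor\n"
            f"    edit {sensor}\n"
            "        config entries\n"
            f"            edit {entry_id}\n"
            f"{inner}\n"
            "            next\n"
            "        end\n"
            "    next\n"
            "end")


if __name__ == "__main__":
    for rule in disabled_by_default(parse_rules(SAMPLE_DUMP)):
        print(f"{rule['rule-id']:>6}  {rule['name']:<36} group={rule.get('group')} "
              f"action={rule.get('action')}")
    # The thread cites FortiGuard's documented rate of 200 in 10 seconds.
    print(sensor_override("default", 1, "35662", rate_count=200, rate_duration=10))
```

On a real unit, the input is the concatenated output of `get` for each rule; the parser only needs the `status`, `rule-id` and (optionally) `group` fields, so abridged dumps work too. The generated override leaves `rate-*` lines out when no threshold is given, so it is also usable for ordinary non-rate signatures.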
    rajanaik (New Member)
    Re: IPS Signatures set to disabled status by default, 2020/05/28 02:37:06
    How do I set specific signatures to the disabled state from the GUI?

    This is considering the requirement as "signatures not applicable to some environment".

    Thanks in advance.
     
    #4