In this post I will demonstrate how to create a custom IPS signature and how to modify an IPS sensor.
1. Custom signature configuration.
The IPS is configured in the following order:
1. Define a signature
2. Define your IPS sensor
3. Add IPS sensor to the firewall policy
Used version: v4.0,build0521,120313 (MR3 Patch 6)
1. Custom IPS signature
———————–
1. Define a custom signature.
The custom signature fields are documented in the FortiGate IPS Guide: 01_28011_0080_20051117_FortiGate_IPS_Guide.pdf
In this example the FTP get command (RETR) is monitored through the IPS. It should also be possible to convert Snort rules to FortiGate IPS signatures; maybe this is not that difficult.
config ips custom
edit "ftp_get"
set signature "F-SBID( --name \"ftp_get\"; --attack_id 7945; --protocol tcp; --dst_port 21; --flow from_client; --pattern RETR;)"
next
end
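As an added example (not code from the post or from Fortinet), here is a minimal Python converter for the Snort-to-F-SBID idea mentioned above. It handles only the keywords the ftp_get signature uses (protocol, a numeric destination port, msg, sid, flow and content) and rejects anything else instead of guessing; the Snort rule it is fed is constructed to match the post's ftp_get signature.

```python
import re
# Added example (not from the post or Fortinet): a minimal Snort -> F-SBID converter
# for the handful of keywords the post's ftp_get signature uses.
FLOW_MAP = {"to_server": "from_client", "to_client": "from_server"}
IGNORED = {"rev", "classtype", "reference", "metadata"}  # need no F-SBID field
HEADER_RE = re.compile(r"^alert\s+(?P<proto>tcp|udp|icmp)\s+\S+\s+\S+\s+->\s+\S+\s+"
                       r"(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

def parse_options(opts):
    """Split 'key:value; key; ...' into ordered (key, value) pairs (no ';' inside values)."""
    pairs = []
    for item in filter(None, (s.strip() for s in opts.split(";"))):
        key, _, value = item.partition(":")
        pairs.append((key.strip(), value.strip().strip('"')))
    return pairs

def snort_to_fsbid(rule):
    """Translate one simple Snort rule; unsupported options raise instead of being dropped."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("unsupported rule header: " + rule)
    header, dport = ["--protocol " + m.group("proto")], m.group("dport")
    if dport != "any":
        if not dport.isdigit():
            raise ValueError("only a single numeric destination port is supported")
        header.append("--dst_port " + dport)
    name = sid = None
    flows, patterns = [], []
    for key, value in parse_options(m.group("opts")):
        if key == "msg":
            name = value.replace(" ", "_")  # F-SBID --name is a single token
        elif key == "sid":
            sid = value  # Snort sid reused as the custom attack_id
        elif key == "flow":
            flows += [FLOW_MAP[d.strip()] for d in value.split(",") if d.strip() in FLOW_MAP]
        elif key == "content":
            patterns.append(value)
        elif key not in IGNORED:
            raise ValueError("unsupported Snort option: " + key)
    if name is None or sid is None or not patterns:
        raise ValueError("rule needs msg, sid and at least one content")
    fields = ['--name "%s"' % name, "--attack_id " + sid] + header
    fields += ["--flow " + f for f in flows] + ['--pattern "%s"' % p for p in patterns]
    return "F-SBID( %s;)" % "; ".join(fields)

def to_cli(name, signature):
    """Wrap the signature in a 'config ips custom' block, escaping quotes as the CLI shows."""
    escaped = signature.replace('"', '\\"')
    return "\n".join(["config ips custom", 'edit "%s"' % name,
                      'set signature "%s"' % escaped, "next", "end"])
```

The pattern is emitted quoted (the post's signature leaves RETR bare); a rule with a pcre, byte_test or port variable is refused so that nothing is silently lost in translation.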
2. Define your IPS Sensor with the custom signature:
config ips sensor
edit "LINUX_SERVER"
set comment "new1"
config entries
edit 1
set action reset
set log-packet enable
set rule 7945
set status enable
next
end
next
end
3. Edit the Firewall Policy with the IPS sensor.
config firewall policy
edit 1
set srcintf "internal"
set dstintf "External"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ANY"
set utm-status enable
set logtraffic enable
set ips-sensor "LINUX_SERVER"
set profile-protocol-options "default"
set nat enable
next
end
2. Customizing the IPS sensor
1. Define the following filters on the IPS sensor.
Filter1:
OS=Linux
Proto=http
Action: change to block
Filter2:
Ruleid=15229
Action: change to block
firewall (root) # show ips sensor LINUX_SERVER
config ips sensor
edit "LINUX_SERVER"
set comment "new1"
config entries
edit 1
set action block
set location server
set log-packet enable
set os Linux
set protocol HTTP
next
edit 2
set action block
set log-packet enable
set rule 15229
set status enable
next
end
next
end
2. Edit the Firewall Policy with the IPS sensor.
See the custom signature section above for the details.
3. DoS Sensor configuration.
1. Define your DoS policy.
config ips DoS
edit "DoS_Sensor"
config anomaly
edit "tcp_syn_flood"
set threshold 2000
next
edit "tcp_port_scan"
set threshold 1000
next
edit "tcp_src_session"
set threshold 5000
next
edit "tcp_dst_session"
set threshold 5000
next
edit "udp_flood"
set threshold 2000
next
edit "udp_scan"
set threshold 2000
next
edit "udp_src_session"
set threshold 5000
next
edit "udp_dst_session"
set threshold 5000
next
edit "icmp_flood"
set status enable
set log enable
set threshold 200
next
edit "icmp_sweep"
set threshold 100
next
edit "icmp_src_session"
set threshold 300
next
edit "icmp_dst_session"
set threshold 1000
next
edit "ip_src_session"
set threshold 5000
next
edit "ip_dst_session"
set threshold 5000
next
end
next
end
2. Edit the firewall interface policy with the IPS DoS sensor.
config firewall interface-policy
edit 2
set interface "internal"
set srcaddr "all"
set dstaddr "all"
set service "ANY"
set ips-DoS-status enable
set ips-DoS "DoS_Sensor"
next
edit 1
set interface "internal"
set srcaddr "all"
set dstaddr "all"
set service "ANY"
set ips-DoS-status enable
set ips-DoS "block_flood"
next
end
mbrownnyc
June 10, 2013
Thanks very much. I may write something that converts a given snort definition to a Fortigate IDS policy for use by the public shortly. I’ll post back here if and when I do.