Over the last few weeks we saw lots of alert messages from Fortinet firewalls whose built-in IPS had blocked attack attempts against web servers.
There were so many of these messages that they completely flooded the monitoring system, so I was asked for a way to filter them out.
The messages look similar to the following:
Message meets Alert condition
The following intrusion was observed: "D-Link.DSL-2750B.CLI.OS.Command.Injection".
date=2019-01-08 time=10:40:36 devname=xxxxxxxx devid=FGxxxxxxxx logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" eventtime=1546940436 severity="critical" srcip=xxx.xxx.xxx.xxx srccountry="xxx" dstip=xxx.xxx.xxx.xxx srcintf="WAN" srcintfrole="wan" dstintf="LAN" dstintfrole="lan" sessionid=872498 action="dropped" proto=6 service="HTTP" policyid=50 attack="D-Link.DSL-2750B.CLI.OS.Command.Injection" srcport=57586 dstport=80 url="xxxxxxxx" direction="outgoing" attackid=46176 profile="protect_http_server" ref="http://www.fortinet.com/ids/VID46176" incidentserialno=1130893423 msg="applications3: D-Link.DSL-2750B.CLI.OS.Command.Injection," crscore=50 crlevel="critical"
On the one hand, I really like to get notified when an event occurs that is marked as “critical”.
On the other hand there were hundreds of these messages per day, so the monitoring system was overwhelmed with alerts.
So the question was how to stop the firewall from sending these particular alert messages without disabling all other IPS alerts, since switching off alerting for IPS as a whole is obviously not a good idea.
Here’s what you need to do to disable the logging only for a dedicated IPS signature:
- Log on to your FortiGate.
- Open the CLI Console.
- Enter the command “config ips sensor”.
- Enter the command “edit xxx”, where xxx is the name of the IPS sensor. The name is shown as “profile” in the alert message. In this example, the command must be “edit protect_http_server”.
- Enter the command “config entries”.
- Enter the command “show” to review the current configuration of the sensor. The result should look like this:
config ips sensor
    edit "protect_http_server"
        set comment "Protect against HTTP server-side vulnerabilities."
        config entries
            edit 1
                set location server
                set protocol HTTP
            next
        end
    next
end
In order to disable the alerting for just one single signature, we must create a dedicated configuration for this signature and then disable the logging for that configuration:
- Enter the command “edit 2” (this creates a new entry).
- Enter the command “set rule xxx”, where xxx is the number of the attack you want to disable logging for. The number is shown as “attackid” in the alert message. In this example the command must be “set rule 46176”.
- Enter the command “set log disable”.
- Enter the command “end” (to save and exit the configuration of the new entry).
- To verify the changes, type “show”. The result should look like the following:
config ips sensor
    edit "protect_http_server"
        set comment "Protect against HTTP server-side vulnerabilities."
        config entries
            edit 1
                set location server
                set protocol HTTP
            next
            edit 2
                set rule 46176
                set log disable
            next
        end
    next
end
- Enter the command “end” (to save and exit the IPS sensor).
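Because the two values the procedure needs (“profile” and “attackid”) are both in the alert line, the tuning can be scripted. The following is an added example, not part of the original post or of any Fortinet tool: it parses FortiGate key=value log lines, counts IPS alerts per sensor and signature so that only genuinely noisy signatures get muted, and emits the same CLI snippet the steps above produce. The sample alert line is constructed (values anonymised) and the entry number 2 is assumed to be unused in the sensor.

```python
import re
from collections import Counter

# Constructed sample alert in FortiGate key=value format (values anonymised).
SAMPLE_ALERT = (
    'date=2019-01-08 time=10:40:36 devname=xxxxxxxx devid=FGxxxxxxxx '
    'logid="0419016384" type="utm" subtype="ips" eventtype="signature" '
    'level="alert" severity="critical" action="dropped" proto=6 service="HTTP" '
    'attack="D-Link.DSL-2750B.CLI.OS.Command.Injection" srcport=57586 dstport=80 '
    'attackid=46176 profile="protect_http_server" '
    'msg="applications3: D-Link.DSL-2750B.CLI.OS.Command.Injection," crscore=50'
)

# key=value pairs; quoted values may contain spaces, colons and commas.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> dict:
    """Return the key=value fields of one FortiGate log line as a dict (quotes stripped)."""
    fields = {}
    for key, raw in _KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def noisy_signatures(lines, threshold: int) -> dict:
    """Count IPS signature alerts per (profile, attackid); keep those at or above threshold."""
    counts = Counter()
    for line in lines:
        f = parse_fortigate_log(line)
        if f.get("subtype") == "ips" and "attackid" in f and "profile" in f:
            counts[(f["profile"], f["attackid"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def ips_mute_commands(profile: str, attackid: str, entry_id: int) -> str:
    """Build the FortiOS CLI snippet from the post: a dedicated entry for one
    signature inside the named sensor with logging disabled. entry_id must be
    an entry number not yet used in that sensor (the post uses 2)."""
    if not attackid.isdigit():
        raise ValueError("attackid must be numeric")
    return "\n".join([
        "config ips sensor",
        f'    edit "{profile}"',
        "        config entries",
        f"            edit {entry_id}",
        f"                set rule {attackid}",
        "                set log disable",
        "            next",
        "        end",
        "    next",
        "end",
    ])
```

Feed the script a day's worth of IPS alert lines and review the generated snippet before pasting it into the CLI; a muted signature is still blocked, it just no longer raises an alert.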