Chapter 15 Unified Threat Management for FortiOS 5.0 : Intrusion protection : Enable IPS scanning : Creating an IPS filter
  
Creating an IPS filter
While individual signatures can be added to a sensor, a filter allows you to add multiple signatures to a sensor by specifying the characteristics of the signatures to be added.
To create a new IPS filter
1. Go to Security Profiles > Intrusion Protection > IPS Sensors.
2. Select the IPS sensor to which you want to add the filter using the drop-down list in the top row of the Edit IPS Sensor window.
3. Select the Create New icon.
4. For Sensor Type, choose Filter Based.
5. Configure the filter that you require. Only signatures matching all of the characteristics you specify in the filter will be included in the filter. Select Specify and choose the filter options that have the appropriate parameters.
Basic
Severity
Refers to the level of threat posed by the attack.
The options include:
critical
high
medium
low
info
Target
Refers to the type of device targeted by the attack.
The options include:
client
server
OS
Refers to the Operating System affected by the attack.
The options include:
BSD
Linux
MacOS
Other
Solaris
Windows
Advanced
Application
Refers to the vendor or type of application affected by the attack.
The options include:
Adobe
Apache
Apple
CGI_app
Cisco
HP
IBM
IE
IIS
Mozilla
MS_Office
Novel
Oracle
PHP_app
Sun
This list can be expanded to include more options by selecting the [show more...] link. The additional options include:
ASP_app
CA
DB2
IM
Ipswitch
MailEnable
MediaPlayer
MS_Exchange
MSSQL
MySQL
Netscape
P2P
PostgreSQL
Real
Samba
SAP
SCADA
Sendmail
Veritas
Winamp
Other
Protocol
Refers to the protocol that is the vector for the attack.
The options include:
DNS
FTP
HTTP
ICMP
IMAP
LDAP
POP3
SCCP
SIP
SMTP
SNMP
SSH
SSL
TCP
UDP
This list can be expanded to include more options by selecting the [show more...] link. The additional options include:
BO
DCERPC
DHCP
DNP3
H323
IM
MSSQL
NBSS
NNTP
P2P
RADIUS
RDT
RPC
TRCP
RTP
RTSP
TELNET
TFN
Other
 
 
6. Choose an action for when a signature is triggered.
Action
Description
Signature Default
All predefined signatures have an Action attribute that is set to Pass or Drop. This means that if a signature included in the filter has an Action setting of Pass, traffic matching the signature will be detected and logged, then allowed to continue to its destination. Select Accept signature defaults to use the default action for each included signature.
Note: To see what the default for a signature is, go to the IPS Signatures page, enable the Action column, then find the row with the signature name in it.
Monitor All
Select Monitor all to pass all traffic matching the signatures included in the filter, regardless of their default Action setting.
Block All
Select Block all to drop traffic matching any of the signatures included in the filter.
Reset
Select Reset to reset the session whenever the signature is triggered. In the CLI this action is referred to as Reject.
Quarantine
Has two fields that need to be configured:
1. Method:
Attacker’s IP Address - Traffic from the Attacker’s IP address is refused until the expiration time from the trigger is reached.
Attacker and Victim Address - All traffic from the Attacker’s address to the Victim’s address will be blocked.
Attack’s incoming interface - The interface that experienced the attack will refuse further traffic.
2. Expires (time frame that the quarantine will be in effect):
5 Minute(s)
30 Minute(s)
1 Hour(s)
1 Day(s)
Week(s)
Month(s)
Year(s)
 
Packet Logging
Select to enable packet logging for the filter.
When you enable packet logging on a filter, the unit saves a copy of the packets that match any signatures included in the filter. The packets can be analyzed later.
For more information about packet logging, see “Monitoring Security Profiles activity”.
7. Select OK.
The filter is created and added to the filter list.
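The two rules the procedure above relies on, that a signature is included only when it matches every characteristic the filter specifies, and that the filter's action setting decides whether a signature's own Pass/Drop default still applies, as an added Python model. This is example code, not FortiOS code: the signature catalogue is constructed sample data and the attribute and action names are assumptions chosen to mirror the filter options on this page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    """One IPS signature with the characteristics a filter can match on
    and its predefined default action ("pass" or "drop")."""
    name: str
    severity: str
    target: str
    os: str
    application: str
    protocol: str
    default_action: str


# Constructed sample catalogue (hypothetical names, not real FortiOS signatures).
CATALOGUE = [
    Signature("sig-iis-critical", "critical", "server", "Windows", "IIS", "HTTP", "drop"),
    Signature("sig-iis-info", "info", "server", "Windows", "IIS", "HTTP", "pass"),
    Signature("sig-apache-high", "high", "server", "Linux", "Apache", "HTTP", "drop"),
    Signature("sig-ie-medium", "medium", "client", "Windows", "IE", "HTTP", "pass"),
    Signature("sig-dns-low", "low", "server", "Other", "Other", "DNS", "pass"),
]


def matches(sig, **criteria):
    """A signature is in the filter only if every specified characteristic
    matches; each characteristic is a set of accepted values, and an
    unspecified characteristic matches anything."""
    return all(getattr(sig, attr) in allowed for attr, allowed in criteria.items())


def effective_action(sig, filter_action):
    """Resolve what happens when the signature fires: "default" keeps the
    signature's own Pass/Drop setting, "monitor" passes everything,
    "block" drops everything, "reset" tears the session down (CLI: Reject)."""
    if filter_action == "default":
        return sig.default_action
    return {"monitor": "pass", "block": "drop", "reset": "reset"}[filter_action]


def apply_filter(filter_action, **criteria):
    """Return {signature name: effective action} for every signature the filter selects."""
    return {s.name: effective_action(s, filter_action)
            for s in CATALOGUE if matches(s, **criteria)}
```

The first test case below is the one worth remembering: with Signature Default, a matching signature whose default is Pass is only logged, so a filter meant to block must use Block all or Reset.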