CVE-Based IPS False Positive Analysis

Network Intrusion Prevention Sensors (IPS) trigger alerts based on network traffic. When an IPS sees traffic matching an attack signature, it generates an alert. Some of these attacks correspond to host vulnerabilities and have an associated CVE number. Most organizations run vulnerability scanning tools to scan their servers for vulnerabilities. If FortiSIEM is configured to collect this host vulnerability data, it can combine the IPS Signature to CVE mapping with the Host to CVE mapping to detect whether an IPS Alert is a false positive.

Requirements

  • Currently, FortiSIEM applies this logic on Incidents but not events. All important IPS events trigger some rule in FortiSIEM.
  • FortiSIEM IPS rules must be written with a Signature Id and Event Type in the group by conditions. All built-in rules have been enhanced with this requirement starting with release 5.3.0.
  • The primary source of IPS Signature to CVE mapping is FortiSIEM CMDB. These mappings are part of the FortiSIEM knowledge base and upgraded with every release. For FortiGate IPS signatures, FortiSIEM can also pull this information from FortiGuard Services via an API. The FortiGuard IOC license must be enabled in FortiSIEM.
  • The source of Host to CVE mapping is Vulnerability scanners. FortiSIEM currently supports Qualys, Rapid7, Nessus and Tenable scanners. Make sure FortiSIEM is configured to collect this data at least once a day.

False Positive Detection Logic

Recall that for this detection logic to work, IPS-related incidents must have Signature Id and Component Event Type configured (for example, see the built-in High Severity Outbound Permitted IPS Exploit rule). The test is performed separately for both internal (for example, RFC-1918 address space) Incident Source and Incident Target IPs, as it does not make sense to perform tests for Internet addresses.

After the incident triggers, the associated CVEs for the Incident Event Type are first looked up. The primary source is the CMDB. If the CMDB does not have this information, then external websites are looked up. In the current release, only Fortinet IPS signatures are looked up using Signature Id in the FortiGuard database.

If associated CVEs are found, then another CMDB lookup is performed to see if the Host (in Incident Source or Target) is vulnerable to the CVEs. CMDB collects Host Vulnerability information from vulnerability scan data.

There are four detection outcomes:

  • Vulnerable - this can result if ALL the following are true:
    1. IP is internal and,
    2. Event type to CVE mapping is found and,
    3. Host has been scanned for vulnerabilities in the last 2 weeks and,
    4. At least one CVE in (2) is found in the list of current vulnerabilities in (3).
  • Not Vulnerable - this can result if ALL the following are true:
    1. IP is internal and,
    2. Event type to CVE mapping is found and,
    3. Host has been scanned for vulnerabilities in the last 2 weeks and,
    4. None of the CVEs in (2) are found in the list of current vulnerabilities in (3).
  • Insufficient Information - this can result in any of these cases:
    1. Event type to CVE mapping is not found or,
    2. Host has not been scanned in the last 2 weeks.
  • Not Needed - this case is true if the IP is external.

An Incident is a False Positive if either of the following cases is true:

  • Source Detection Status is not "Not Needed" and Destination is "Not Vulnerable", or vice versa
  • Both Source and Target are "Not Vulnerable"

An Incident is a True Positive when either Source or Destination is "Vulnerable".
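The following is an added example, not FortiSIEM code, that models the per-host detection outcomes and the incident verdict described above so the rules can be checked against concrete cases. The CMDB signature-to-CVE mapping and the scanner results are replaced by constructed in-memory tables; the signature ids, CVE ids and addresses are placeholders. One assumption is made that the text leaves open: the True Positive check is evaluated before the False Positive conditions, so that a host found Vulnerable always yields True Positive.

```python
"""Added example: model of the four per-host detection outcomes and the
incident verdict from the text. Illustrative code written for this page, not
FortiSIEM's implementation; data sources are constructed in-memory tables."""
import ipaddress
from datetime import date, timedelta
from enum import Enum


class Status(Enum):
    VULNERABLE = "Vulnerable"
    NOT_VULNERABLE = "Not Vulnerable"
    INSUFFICIENT = "Insufficient Information"
    NOT_NEEDED = "Not Needed"


SCAN_WINDOW = timedelta(weeks=2)  # "scanned for vulnerabilities in the last 2 weeks"

# RFC-1918 address space, the page's example of an "internal" address
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data: placeholder signature ids and CVE ids, not real CMDB content
SIGNATURE_CVES = {
    "SIG-0001": {"CVE-0000-0001", "CVE-0000-0002"},
    "SIG-0002": set(),  # signature with no known CVE mapping
}
# Constructed scanner results: ip -> last scan date and CVEs reported as open
HOST_SCANS = {
    "10.1.2.3": {"last_scan": date(2024, 5, 1), "cves": {"CVE-0000-0001", "CVE-0000-0009"}},
    "10.1.2.4": {"last_scan": date(2024, 5, 2), "cves": {"CVE-0000-0009"}},
    "10.1.2.5": {"last_scan": date(2024, 1, 1), "cves": {"CVE-0000-0001"}},  # stale scan
    "192.168.7.7": {"last_scan": date(2024, 5, 3), "cves": set()},
}
TODAY = date(2024, 5, 10)  # fixed "today" so the example is deterministic


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def host_status(ip: str, signature_id: str, today: date = TODAY) -> Status:
    """Classify one incident IP with the four outcomes listed in the text."""
    if not is_internal(ip):
        return Status.NOT_NEEDED  # external address: no test performed
    cves = SIGNATURE_CVES.get(signature_id) or set()
    if not cves:
        return Status.INSUFFICIENT  # no event type -> CVE mapping
    scan = HOST_SCANS.get(ip)
    if scan is None or today - scan["last_scan"] > SCAN_WINDOW:
        return Status.INSUFFICIENT  # host not scanned within the window
    return Status.VULNERABLE if cves & scan["cves"] else Status.NOT_VULNERABLE


def incident_verdict(src_ip: str, dst_ip: str, signature_id: str, today: date = TODAY):
    """Return (verdict, source status, target status).

    Assumption: the True Positive rule is checked first. The False Positive
    conditions are then transcribed as the text lists them."""
    src = host_status(src_ip, signature_id, today)
    dst = host_status(dst_ip, signature_id, today)
    if Status.VULNERABLE in (src, dst):
        return "True Positive", src, dst
    false_positive = (
        (src is not Status.NOT_NEEDED and dst is Status.NOT_VULNERABLE)
        or (dst is not Status.NOT_NEEDED and src is Status.NOT_VULNERABLE)
        or (src is Status.NOT_VULNERABLE and dst is Status.NOT_VULNERABLE)
    )
    return ("False Positive" if false_positive else "Unchanged"), src, dst


if __name__ == "__main__":
    cases = [
        ("203.0.113.5", "10.1.2.3", "SIG-0001"),   # external -> vulnerable host
        ("10.1.2.4", "192.168.7.7", "SIG-0001"),   # two internal, neither vulnerable
        ("203.0.113.5", "10.1.2.5", "SIG-0001"),   # target scan is stale
        ("10.1.2.4", "10.1.2.3", "SIG-0002"),      # signature has no CVE mapping
    ]
    for src_ip, dst_ip, sig in cases:
        verdict, s, d = incident_verdict(src_ip, dst_ip, sig)
        print(f"{src_ip} -> {dst_ip} [{sig}]: {verdict} (source={s.value}, target={d.value})")
```

The "Unchanged" verdict corresponds to the case in which neither rule fires and the Incident Status is left as it was.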

Running an IPS False Positive Test

This test can be run on-demand or automatically when an Incident triggers. First, you need to set up an Integration.

  1. Go to ADMIN > Settings > Integration.
  2. Click New.
  3. Set Type = Incident, Direction = Outbound, Vendor = "FortiSIEM Attach CVE Check".
  4. Click Save.

To Run the IPS False Positive Test On-Demand on an IPS Incident

  1. Go to INCIDENTS > List By Time.
  2. Select one incident. Make sure that the Signature Id and Component Event Type are configured in the Incident Detail.
  3. Click Action and select Run External Integration.
  4. Select the specific integration and click OK.

The IPS False Positive test can be automated so that it runs when the Incident triggers for the first time. To do this, create an Incident Notification Policy; the IPS Attack CVE Check then runs as an Incident Action.

  1. Go to ADMIN > Settings > Notification.
  2. Select an existing notification policy to edit, or click New to create one.
  3. In the Action section, select Invoke an Integration policy, then select the policy.
  4. Save the policy.

Consequences of Running the IPS False Positive Test

When you run the integration policy, the following results can occur:

  • The Incident Comment is updated with the detection status.
  • The Incident Status is determined based on the following cases:
    1. False Positive Case: the Incident Severity is set to Low and the Incident is cleared.
    2. True Positive Case: the Incident Severity is set to High and a Case is opened.
    3. In all other cases, the Incident Status remains unchanged.