IPS signature filter options
IPS signature filter options include hold-time and CVE pattern.
hold-time
The hold-time option allows you to set the amount of time that signatures are held after a FortiGuard IPS signature update, per VDOM. During the holding period, the signature's mode is monitor: matches are logged but the configured action is not applied. The new signatures are enabled after the hold-time expires, which gives you a window to check for false positives before they start blocking traffic.
The hold-time can be from 0 days and 0 hours (default) up to 7 days, in the format ##d##h.
To configure the amount of time to hold and monitor IPS signatures:

    config system ips
        set signature-hold-time 3d12h
        set override-signature-hold-by-id enable
    end
When a signature that is on hold is matched, the log will include the message "signature is on hold":
date=2010-07-06 time=00:00:57 logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vd1" eventtime=1278399657778481842 tz="-0700" severity="info" srcip=10.1.100.22 srccountry="Reserved" dstip=172.16.200.55 srcintf="port13" srcintfrole="undefined" dstintf="port14" dstintfrole="undefined" sessionid=3620 action="detected" proto=6 service="HTTP" policyid=1 attack="Eicar.Virus.Test.File" srcport=52170 dstport=80 hostname="172.16.200.55" url="/virus/eicar" direction="incoming" attackid=29844 profile="test" ref="http://www.fortinet.com/ids/VID29844" incidentserialno=25165825 msg="file_transfer: Eicar.Virus.Test.File, (signature is on hold)"
To view signatures being held by rule ID 29844 on the VDOM:

    # diagnose ips signature on-hold vd1 29844
    Rule: 29844, attack_id: 58886, last updated: 20170411
    Rule: 29844, attack_id: 59517, last updated: 20170411
    Rule: 29844, attack_id: 60105, last updated: 20170411
    ...
To view all held signatures on the VDOM:

    # diagnose ips signature on-hold vd1
    Rule: 17541, attack_id: 20899, last updated: 20140423
    Rule: 17557, attack_id: 20934, last updated: 20140423
    Rule: 17559, attack_id: 20932, last updated: 20140423
    Rule: 17560, attack_id: 20933, last updated: 20140423
    Rule: 17562, attack_id: 20928, last updated: 20170908
    Rule: 17677, attack_id: 21187, last updated: 20171106
    Rule: 17713, attack_id: 43756, last updated: 20140424
    Rule: 17759, attack_id: 21298, last updated: 20140423
    ...
CVE pattern
The CVE pattern option allows you to filter IPS signatures by a full CVE ID, or by a CVE wildcard (for example, a year prefix), ensuring that any signatures tagged with a matching CVE are automatically included in the sensor entry.
To configure CVE patterns for CVE-2010-0177 and all CVE-2017 CVEs:

    config ips sensor
        edit "cve"
            set comment "cve"
            config entries
                edit 1
                    set cve "cve-2010-0177"
                    set status enable
                    set log-packet enable
                    set action block
                next
                edit 2
                    set cve "cve-2017"
                    set action reset
                next
            end
        next
    end
For example, the CVE of the IPS signature Mozilla.Firefox.PluginArray.NsMimeType.Code.Execution is CVE-2010-0177. This matches the CVE filter in the IPS sensor, so traffic is blocked and logged:
date=2020-07-13 time=15:44:56 logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vd1" eventtime=1594593896666145871 tz="-0700" severity="critical" srcip=10.1.100.22 srccountry="Reserved" dstip=172.16.200.55 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" sessionid=1638 action="dropped" proto=6 service="HTTPS" policyid=1 attack="Mozilla.Firefox.PluginArray.NsMimeType.Code.Execution" srcport=58298 dstport=443 hostname="172.16.200.55" url="/Mozilla" direction="incoming" attackid=20853 profile="sensor-1" ref="http://www.fortinet.com/ids/VID20853" incidentserialno=124780667 msg="web_client: Mozilla.Firefox.PluginArray.NsMimeType.Code.Execution," crscore=50 craction=4096 crlevel="critical"
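The following is an added example, not FortiOS code or part of the original page, that ties the two options above together from the analyst's side: it parses FortiGate key=value IPS log records like the two quoted on this page, pulls out the hits whose signature was still in its hold window (the "(signature is on hold)" marker, meaning the event was only monitored), and models the CVE filter's exact-ID versus year-wildcard matching. The sample records are constructed and abridged from the page, and the prefix-wildcard semantics of cve_pattern_matches are an assumption based on the page's description, not the documented FortiOS matching rule.

```python
import re
from typing import Dict, List

# Constructed sample input: two FortiGate IPS log records, abridged from the ones
# quoted on this page. The first is a signature still inside its hold window
# (monitor mode), the second a signature blocked by the CVE-filter sensor.
SAMPLE_LOGS: List[str] = [
    'date=2010-07-06 time=00:00:57 type="utm" subtype="ips" level="alert" vd="vd1" '
    'srcip=10.1.100.22 dstip=172.16.200.55 action="detected" attack="Eicar.Virus.Test.File" '
    'attackid=29844 profile="test" msg="file_transfer: Eicar.Virus.Test.File, (signature is on hold)"',
    'date=2020-07-13 time=15:44:56 type="utm" subtype="ips" level="alert" vd="vd1" '
    'srcip=10.1.100.22 dstip=172.16.200.55 action="dropped" '
    'attack="Mozilla.Firefox.PluginArray.NsMimeType.Code.Execution" attackid=20853 '
    'profile="sensor-1" msg="web_client: Mozilla.Firefox.PluginArray.NsMimeType.Code.Execution," crscore=50',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
ON_HOLD_MARK = "(signature is on hold)"

def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate key=value log record into a dict (quotes stripped)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV_RE.finditer(line)}

def on_hold_signatures(lines: List[str]) -> List[Dict[str, str]]:
    """Return the IPS events whose signature was only monitored because it was
    still inside the signature-hold-time window. These are the hits to review
    for false positives before the hold expires and the real action applies."""
    held = []
    for line in lines:
        rec = parse_fortigate_log(line)
        if rec.get("subtype") != "ips" or ON_HOLD_MARK not in rec.get("msg", ""):
            continue
        held.append({"vd": rec["vd"], "attackid": rec["attackid"],
                     "attack": rec["attack"], "action": rec["action"]})
    return held

def cve_pattern_matches(pattern: str, cve_id: str) -> bool:
    """Model of the sensor's CVE filter (an assumption, not FortiOS code): a full ID
    such as cve-2010-0177 matches exactly; a truncated pattern such as cve-2017
    acts as a wildcard for every CVE of that year. Comparison is case-insensitive."""
    p, c = pattern.lower(), cve_id.lower()
    return c == p or c.startswith(p + "-")

if __name__ == "__main__":
    for hit in on_hold_signatures(SAMPLE_LOGS):
        print(f"on hold in {hit['vd']}: attackid={hit['attackid']} {hit['attack']}")
    print("cve-2017 matches CVE-2010-0177:", cve_pattern_matches("cve-2017", "CVE-2010-0177"))
```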