Description
This article describes why some Critical IPS Signatures have the default action set to 'allow'.
Scope
FortiGate.
Solution
Fortinet’s IPS signatures have two main actions, 'Pass' or 'Block'.
Ideally, all signatures have a default block action.
However, due to the dynamic nature of network environments and vulnerabilities, it is difficult to avoid false positives or to assess which vulnerability is more severe in an environment.
Signatures are set up such that a user can easily modify the action to suit their needs if their assessment differ from ours.
Even though every new IPS signature has to go through the Beta-Testing stage before official release, it is always released to the public with its default action set to 'Pass'.
This is because a good balance of a well written signature is needed and a quick response rate to mitigate the attacks for our customers as soon as possible.
After the official release, we will further monitor and evaluate the signature for a period of time.
Upon which, the signature will be reviewed to determine if its default action has to be modified.
How to determine the default action of a signature then is not only by the severity of the vulnerability, but by a few different factors.
The selection criteria for signatures with default action block is an aggressive one.
The main reason is that security is valued as the number one priority to our customer.
The criteria are as follows:
1) The signature is for coverage of a vulnerability targeting a popular application.
2) The signature is for coverage of a known exploit in the wild.
3) The signature has low risk of false positives.
With the criteria above, over 90% of the signatures have the block action.
With such aggressive criteria, there will be a possibility of missing some attacks or blocking some legitimate traffics.
This is why we go through a stringent process of testing, evaluating and reviewing signatures before there are released and with their action switched from pass to block.
Where the signature does not meet the criteria above, its default action will be set to 'Pass'.
It is recommended to configure IPS deployment to suit each environment.
This is because the IPS feature is not a plug and forget feature.
It has to be configured differently for each environment and fine-tuned regularly.
Example:
The botnet and backdoor signatures usually have the 'high' or 'critical' severity associated with them.
As an infected system can lead to severe damage, the signatures are ensured to have low risk false positives through evaluation.
An example of such signature is the 'Mirai.Botnet' signature.
Mirai is a malware that primarily target Linux based IoT units.
Upon successful infection, the unit will become a remote-controlled bot that can perform any attacks instructed by the CnC.
This signature has a severity of 'high' and a default action of 'drop'.
Two examples of signatures with the default action set to 'pass' are 'FTP.Text.Line.Too.Long' and 'MS.OWA.Brute.Force'.
The signature 'FTP.Text.Line.Too.Long' detects for excessively long FTP commands and responses.
Excessively long FTP commands and responses can be perceived as suspicious if a customer’s environment do not regularly have such traffic.
However, this signature will not be applicable to environments that allow longer FTP commands and responses.
If the signature’s action is set to 'Block' by default, all environments that allow such traffic will have detrimental effects on their FTP communication.
The signature 'MS.OWA.Brute.Force' detects for 15 OWA login attempts in 1 second.
Brute force rates are often highly dependent on a customer’s environment.
If the FortiGate is placed in a large-scale network environment, 15 OWA login attempts in 1 second is perfectly normal.
On the other hand, if the FortiGate is placed in a smaller network topology, even 10 OWA login attempts in 1 second seems suspicious.
Because it is impossible to set a default rate for brute force attacks without greatly effecting any of our customers, the signature is set to 'Pass' by default.
In both cases, customers can manually set the signature to 'Block' if it is applicable to the customer’s environment.
Below is another example, where the 'IPS signature' is set to the default 'pass' action. In IPS profile -> IPS signature and filter, the action is set to 'default'.
In this case, traffic will be 'allowed (pass)' as per the default signature action.
Default IPS Signature
Default IPS Sensor Profile
Security Event Logs
When blocking the signature as an 'IPS Signature and Filter' with the action set to 'block', the default IPS signature action is set to 'pass'.
In this case, it will give precedence to the block action of the 'IPS Signature and Filter' and traffic will be blocked, even though the actual IPS signature action is set to 'pass'.
Default IPS Signature, pass action
IPS Sensor Profile block action
IPS logs - traffic blocked
