FortiGate
rmetzger
Staff
Article Id 194793
Description
Since FortiOS 4.0MR1 and IPS engine 1.126, two new switches are available for writing custom IPS signatures: a rate counter and a per-IP tracker that extends it.

Scope
FortiOS 4.0MR1 and above
IPS engine 1.126 and above.

Solution
Those switches are:

--rate n,t
Triggers the signature only once it has matched n times within t seconds, rather than on every single match. It can be extended with the following switch:

--track src_ip or --track dst_ip
Extends --rate so that the n matches are counted per source IP or per destination IP instead of globally. It cannot be used on its own; it is only an extension of --rate.

For example, these can be used to detect an FTP brute-force attack, where multiple "530 Login failed" replies are seen coming from the FTP server with a specific IP address.

######
F-SBID( --name FTP.Brute.Force; --protocol tcp; --service FTP; --flow from_server; --pattern "530 Login failed"; --rate 5,60; --track src_ip; )
######

This signature triggers only when the "--pattern" string "530 Login failed" is seen 5 times within 60 seconds from the same source IP address. Because the flow is from_server, that source IP is the FTP server's address, not the client's.

Warning: in this specific case, the "Quarantine Attacker" action is not a good choice. The packet that triggers the signature comes from the server's IP address, so the server would be treated as the attacker and quarantined. Use the logging capabilities instead.

Note: another switch is available, "--flow from_server,reversed;". With it, the signature is still matched on traffic coming from the server, but the direction is reversed for the purpose of the action, so the "attacker" becomes the client.
In that situation, only the client is quarantined if the "Quarantine Attacker" action has been set.
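To make the counting and attacker/victim semantics above concrete, here is a small added simulation (not FortiOS code and not the article's own example) that models --rate n,t, --track src_ip / dst_ip and the reversed flow on constructed FTP traffic. It goes beyond the article's case by also running the same signature with --track dst_ip, which for a from_server flow counts per client. The window semantics are an assumption, since the page does not state them: a sliding window of t seconds, with the per-key counter cleared when the signature fires. The IP addresses are documentation-range values made up for the example.

```python
"""Simulation of the --rate n,t / --track semantics of a custom IPS signature.

Added example, not FortiOS code: it models the counting behaviour the article
describes so the "attacker is the server" problem can be seen on sample data.
Assumptions (not stated on the page): a sliding window of t seconds is used,
and the per-key counter is cleared once the signature triggers.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    """Minimal packet model: timestamp (s), endpoints, direction and payload."""
    ts: float
    src_ip: str
    dst_ip: str
    from_server: bool
    payload: bytes


@dataclass
class RateTrackedSignature:
    """Hypothetical model of an F-SBID signature carrying --rate and --track."""
    name: str
    pattern: bytes
    rate_n: int                  # --rate n,t : fire after n matches ...
    rate_t: float                # ... seen within t seconds
    track: str = "src_ip"        # --track src_ip | dst_ip
    flow: str = "from_server"    # --flow from_server | from_client
    reversed_: bool = False      # --flow ...,reversed swaps attacker/victim
    _hits: dict = field(default_factory=lambda: defaultdict(deque), repr=False)

    def _matches(self, pkt: Packet) -> bool:
        wants_server = self.flow == "from_server"
        return pkt.from_server == wants_server and self.pattern in pkt.payload

    def feed(self, pkt: Packet):
        """Feed one packet; return an alert dict when the rate threshold is hit."""
        if not self._matches(pkt):
            return None
        # --track decides which address the n matches are counted against.
        key = pkt.src_ip if self.track == "src_ip" else pkt.dst_ip
        window = self._hits[key]
        window.append(pkt.ts)
        # Assumption: sliding window, drop hits older than t seconds.
        while pkt.ts - window[0] > self.rate_t:
            window.popleft()
        if len(window) < self.rate_n:
            return None
        window.clear()  # assumption: the counter resets after triggering
        # Without "reversed", the attacker is the sender of the matching packet,
        # which for a from_server flow is the server itself.
        attacker, victim = pkt.src_ip, pkt.dst_ip
        if self.reversed_:
            attacker, victim = victim, attacker
        return {"signature": self.name, "ts": pkt.ts, "tracked": key,
                "attacker": attacker, "victim": victim}


def ftp_failures(server, client, times):
    """Constructed FTP traffic: one '530 Login failed' reply per timestamp."""
    return [Packet(t, server, client, True, b"530 Login failed.\r\n") for t in times]


def run(sig, packets):
    """Feed packets in timestamp order and collect every alert raised."""
    alerts = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        alert = sig.feed(pkt)
        if alert:
            alerts.append(alert)
    return alerts


# Made-up addresses (RFC 5737 documentation ranges).
SERVER, CLIENT_A, CLIENT_B = "203.0.113.10", "198.51.100.7", "198.51.100.8"


def scenario_single_client(track="src_ip", reversed_=False, times=range(0, 60, 10)):
    """One client failing repeatedly against SERVER; mirrors the article's signature."""
    sig = RateTrackedSignature("FTP.Brute.Force", b"530 Login failed", 5, 60,
                               track, "from_server", reversed_)
    return run(sig, ftp_failures(SERVER, CLIENT_A, times))


def scenario_two_clients(track):
    """Two clients with 3 failures each: only per-server tracking reaches 5."""
    sig = RateTrackedSignature("FTP.Brute.Force", b"530 Login failed", 5, 60, track)
    pkts = (ftp_failures(SERVER, CLIENT_A, [0, 5, 10])
            + ftp_failures(SERVER, CLIENT_B, [12, 15, 18]))
    return run(sig, pkts)


if __name__ == "__main__":
    print("src_ip, not reversed:", scenario_single_client())
    print("src_ip, reversed:    ", scenario_single_client(reversed_=True))
    print("spread over 80 s:    ", scenario_single_client(times=[0, 20, 40, 60, 80]))
    print("two clients, src_ip: ", scenario_two_clients("src_ip"))
    print("two clients, dst_ip: ", scenario_two_clients("dst_ip"))
```

Running the scenarios shows the points the article makes: with --track src_ip and a from_server flow, the alert's "attacker" is the server address, and two different clients hammering the same server are counted together because they share the tracked key; with "reversed" the same alert names the client as attacker; and five failures spread over 80 seconds never reach 5 within the 60-second window.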

Related Articles

Technical Note: Custom FortiGate IPS signature to detect / block a high rate of DNS requests to non-...
