Configuring an event handler to filter IPS attack direction

The example below demonstrates how you can create a FortiAnalyzer event handler for filtering the IPS attack direction based on the user's network environment.

You can configure this event handler based on network subnet information or interface roles:

• Event handler setup based on user network subnet
• Event handler setup based on interface role

Event handler setup based on user network subnet

In this example, the following IP range includes the internal IPs for users. IPs outside of this range are considered external IPs.

• 192.168.0.0 - 192.168.255.255
  

The victim and attacker are identified as follows:

• The victim is identified by the IP of the traffic's origin (srcip) if the direction is incoming or the destination IP (dstip) if the direction is outgoing.

• The attacker is identified by Attack Source and Attack Name.

To create an "IPS attack to internal network" event handler:

1. Go to FortiSoC > Handlers > Event Handler List, and click Create New to create a new event handler.
2. Based on the previously described example IP range, create an event handler to filter the alert as an attack to the internal network when the source IP is within the internal network and the direction is incoming.
   In this example, the filter is configured as follows:
   

   Log Device Type	FortiGate
   Log Type	IPS (ips)
   Group By	Destination Endpoint (dstendpoint) Attack Name (attack)
   Generic Text Filter	direction="incoming" and srcip ~ "^192\.168\."
   Event Severity	High
   Tags	ips, attack, internal
   Additional Info	Attack to Internal Network: ${direction} attack was detected on ${devname} from ${dstip} to ${srcip} and ${msg}

   
   

3. Add an additional filter for when the destination IP is within the internal network and the direction is outgoing.
   In this example, the filter is configured as follows:
   

   Log Device Type	FortiGate
   Log Type	IPS (ips)
   Group By	Source Endpoint (endpoint) Attack Name (attack)
   Generic Text Filter	direction="outgoing" and dstip ~ "^192\.168\."
   Event Severity	High
   Tags	ips, attack, internal
   Additional Info	Attack to Internal Network: ${direction} attack was detected on ${devname} from ${srcip} to ${dstip} and ${msg}

   

4. Click OK to save the event handler.
5. Triggered alerts for this event handler are grouped by the attack source and attack name. This example includes additional custom information and tags to help recognize them.
   

To create an "IPS attack to external network" event handler:

1. Go to FortiSoC > Handlers > Event Handler List, and click Create New to create a new event handler.
2. Based on the previously described example IP range, create an event handler to filter the alert as an attack to the external network when the source IP is external and the direction is incoming.
   In this example, the filter is configured as follows:
   

   Log Device Type	FortiGate
   Log Type	IPS (ips)
   Group By	Destination Endpoint (dstendpoint) Attack Name (attack)
   Generic Text Filter	direction=="incoming" and srcip !~ "^192\.168\."
   Event Severity	High
   Tags	ips, attack, external
   Additional Info	Attack to External Network: ${direction} attack was detected on ${devname} from ${dstip} to ${srcip} and ${msg}

   

3. Add an additional event handler filter for when the destination IP is external and the direction is outgoing.
   In this example, the filter is configured as follows:
   

   Log Device Type	FortiGate
   Log Type	IPS (ips)
   Group By	Source Endpoint (endpoint) Attack Name (attack)
   Generic Text Filter	direction=="outgoing" and dstip !~ "^192\.168\."
   Event Severity	High
   Tags	ips, attack, external
   Additional Info	Attack to External Network: ${direction} attack was detected on ${devname} from ${srcip} to ${dstip} and ${msg}

   

4. Click OK to save the event handler.
5. Triggered alerts for this event handler are grouped by the attack source and attack name. This example includes additional custom information and tags to help recognize them.
   

Event handler setup based on interface role

In this example, interface roles are set up in FortiGate, where the internal network is connected with the "lan" interface, and the external network is connected with the "wan" interface.
Traffic follows the below situations between the internal and external networks.

• Traffic from internal to internal: srcintfrole="lan", dstintfrole="lan".
• Traffic from internal to external: srcintfrole="lan", dstintfrole="wan".
• Traffic from external to external: srcintfrole="wan", dstintfrole="wan".
• Traffic from external to internal: srcintfrole="wan", dstintfrole="lan".

To create an "IPS attack to internal interface" event handler:

1. Go to FortiSoC > Handlers > Event Handler List, and click Create New to create a new event handler.
2. Based on the previously described interface roles, create an event handler to filter the alert as an attack to the internal interface when the source interface role is "lan" and the direction is incoming.
   In this example, the filter is configured as follows:
   

   Log Device Type	FortiGate
   Log Type	IPS (ips)
   Group By	Destination Endpoint (dstendpoint) Attack Name (attack)
   Generic Text Filter	direction=="incoming" and srcintfrole=="lan"
   Event Severity	High
   Tags	ips, attack, internal
   Additional Info	Attack to Internal Network: ${direction} attack was detected on: ${devname} from ${dstip} to ${srcip} and ${msg}

   

3. Add an additional filter for when the destination interface role is "lan" and the direction is outgoing.
   In this example, the filter is configured as follows:
   

   Log Device Type	FortiGate
   Log Type	IPS (ips)
   Group By	Source Endpoint (endpoint) Attack Name (attack)
   Generic Text Filter	direction=="outgoing" and dstintfrole=="lan"
   Event Severity	Medium
   Tags	ips, attack, internal
   Additional Info	Attack to Internal Network: ${direction} attack was detected on: ${devname} from ${srcip} to ${dstip} and ${msg}

   

4. Click OK to save the event handler.
5. Triggered alerts for this event handler are grouped by the attack source and attack name. This example includes additional custom information and tags to help recognize them.
   
   

To create an "IPS attack to external interface" event handler:

1. Go to FortiSoC > Handlers > Event Handler List, and click Create New to create a new event handler.
2. Based on the previously described interface roles, create an event handler to filter the alert as an attack to the external interface when the source interface role is "wan" and the direction is incoming. In this example, the filter is configured as follows:
   

   Log Device Type	FortiGate
   Log Type	IPS (ips)
   Group By	Destination Endpoint (dstendpoint) Attack Name (attack)
   Generic Text Filter	direction=="incoming" and srcintfrole=="wan"
   Event Severity	High
   Tags	ips, attack, external
   Additional Info	Attack to External Network: ${direction} attack was detected on: ${devname} from ${dstip} to ${srcip} and ${msg}

   

3. Add an additional filter for when the destination interface role is "wan" and the direction is outgoing.
   In this example, the filter is configured as follows:
   

   Log Device Type	FortiGate
   Log Type	IPS (ips)
   Group By	Source Endpoint (endpoint) Attack Name (attack)
   Generic Text Filter	direction=="outgoing" and dstintfrole=="wan"
   Event Severity	High
   Tags	ips, attack, external
   Additional Info	Attack to External Network: ${direction} attack was detected on: ${devname} from ${srcip} to ${dstip} and ${msg}

   

4. Click OK to save the event handler.
5. Triggered alerts for this event handler are grouped by the attack source and attack name. This example includes additional custom information and tags to help recognize them.