Configuring an event handler to filter IPS attack direction
The example below demonstrates how you can create a FortiAnalyzer event handler for filtering the IPS attack direction based on the user's network environment.
You can configure this event handler based on network subnet information or interface roles:
Event handler setup based on user network subnet
In this example, the following range contains the internal user IPs; any IP outside it is treated as external:
- 192.168.0.0 - 192.168.255.255 (192.168.0.0/16)
The Generic Text Filters below match this range with the regular expression ^192\.168\. on srcip or dstip. If your internal address space spans additional ranges (for example 10.0.0.0/8), extend the expression accordingly or use the interface-role approach described later on this page.
The victim and attacker are identified as follows:
- The victim is identified by the source IP (srcip) when the direction is incoming, or by the destination IP (dstip) when the direction is outgoing.
- The attacker is identified by the Attack Source (the other endpoint of the session) and the Attack Name; these are the fields the event handlers below group by.
To create an "IPS attack to internal network" event handler:
- Go to FortiSoC > Handlers > Event Handler List, and click Create New to create a new event handler.
- Based on the previously described example IP range, create an event handler to filter the alert as an attack to the internal network when the source IP is within the internal network and the direction is incoming.
In this example, the filter is configured as follows:
Log Device Type: FortiGate
Log Type: IPS (ips)
Group By: Destination Endpoint (dstendpoint), Attack Name (attack)
Generic Text Filter: direction=="incoming" and srcip ~ "^192\.168\."
Event Severity: High
Tags: ips, attack, internal
Additional Info: Attack to Internal Network: ${direction} attack was detected on ${devname} from ${dstip} to ${srcip} and ${msg}
- Add an additional filter for when the destination IP is within the internal network and the direction is outgoing.
In this example, the filter is configured as follows:
Log Device Type: FortiGate
Log Type: IPS (ips)
Group By: Source Endpoint (endpoint), Attack Name (attack)
Generic Text Filter: direction=="outgoing" and dstip ~ "^192\.168\."
Event Severity: High
Tags: ips, attack, internal
Additional Info: Attack to Internal Network: ${direction} attack was detected on ${devname} from ${srcip} to ${dstip} and ${msg}
- Click OK to save the event handler.
- Triggered alerts for this event handler are grouped by the attack source and attack name. This example includes additional custom information and tags to help recognize them.
To create an "IPS attack to external network" event handler:
- Go to FortiSoC > Handlers > Event Handler List, and click Create New to create a new event handler.
- Based on the previously described example IP range, create an event handler to filter the alert as an attack to the external network when the source IP is external and the direction is incoming.
In this example, the filter is configured as follows:
Log Device Type: FortiGate
Log Type: IPS (ips)
Group By: Destination Endpoint (dstendpoint), Attack Name (attack)
Generic Text Filter: direction=="incoming" and srcip !~ "^192\.168\."
Event Severity: High
Tags: ips, attack, external
Additional Info: Attack to External Network: ${direction} attack was detected on ${devname} from ${dstip} to ${srcip} and ${msg}
- Add an additional event handler filter for when the destination IP is external and the direction is outgoing.
In this example, the filter is configured as follows:
Log Device Type: FortiGate
Log Type: IPS (ips)
Group By: Source Endpoint (endpoint), Attack Name (attack)
Generic Text Filter: direction=="outgoing" and dstip !~ "^192\.168\."
Event Severity: High
Tags: ips, attack, external
Additional Info: Attack to External Network: ${direction} attack was detected on ${devname} from ${srcip} to ${dstip} and ${msg}
- Click OK to save the event handler.
- Triggered alerts for this event handler are grouped by the attack source and attack name. This example includes additional custom information and tags to help recognize them.
Event handler setup based on interface role
In this example, interface roles are configured on the FortiGate: the internal network is connected to the "lan" interface and the external network to the "wan" interface.
Traffic between the internal and external networks falls into one of the following cases:
- Traffic from internal to internal: srcintfrole="lan", dstintfrole="lan".
- Traffic from internal to external: srcintfrole="lan", dstintfrole="wan".
- Traffic from external to external: srcintfrole="wan", dstintfrole="wan".
- Traffic from external to internal: srcintfrole="wan", dstintfrole="lan".
To create an "IPS attack to internal interface" event handler:
- Go to FortiSoC > Handlers > Event Handler List, and click Create New to create a new event handler.
- Based on the previously described interface roles, create an event handler to filter the alert as an attack to the internal interface when the source interface role is "lan" and the direction is incoming.
In this example, the filter is configured as follows:
Log Device Type: FortiGate
Log Type: IPS (ips)
Group By: Destination Endpoint (dstendpoint), Attack Name (attack)
Generic Text Filter: direction=="incoming" and srcintfrole=="lan"
Event Severity: High
Tags: ips, attack, internal
Additional Info: Attack to Internal Network: ${direction} attack was detected on: ${devname} from ${dstip} to ${srcip} and ${msg}
- Add an additional filter for when the destination interface role is "lan" and the direction is outgoing.
In this example, the filter is configured as follows:
Log Device Type: FortiGate
Log Type: IPS (ips)
Group By: Source Endpoint (endpoint), Attack Name (attack)
Generic Text Filter: direction=="outgoing" and dstintfrole=="lan"
Event Severity: Medium
Tags: ips, attack, internal
Additional Info: Attack to Internal Network: ${direction} attack was detected on: ${devname} from ${srcip} to ${dstip} and ${msg}
- Click OK to save the event handler.
- Triggered alerts for this event handler are grouped by the attack source and attack name. This example includes additional custom information and tags to help recognize them.
To create an "IPS attack to external interface" event handler:
- Go to FortiSoC > Handlers > Event Handler List, and click Create New to create a new event handler.
- Based on the previously described interface roles, create an event handler to filter the alert as an attack to the external interface when the source interface role is "wan" and the direction is incoming.
In this example, the filter is configured as follows:
Log Device Type: FortiGate
Log Type: IPS (ips)
Group By: Destination Endpoint (dstendpoint), Attack Name (attack)
Generic Text Filter: direction=="incoming" and srcintfrole=="wan"
Event Severity: High
Tags: ips, attack, external
Additional Info: Attack to External Network: ${direction} attack was detected on: ${devname} from ${dstip} to ${srcip} and ${msg}
- Add an additional filter for when the destination interface role is "wan" and the direction is outgoing.
In this example, the filter is configured as follows:
Log Device Type: FortiGate
Log Type: IPS (ips)
Group By: Source Endpoint (endpoint), Attack Name (attack)
Generic Text Filter: direction=="outgoing" and dstintfrole=="wan"
Event Severity: High
Tags: ips, attack, external
Additional Info: Attack to External Network: ${direction} attack was detected on: ${devname} from ${srcip} to ${dstip} and ${msg}
- Click OK to save the event handler.
- Triggered alerts for this event handler are grouped by the attack source and attack name. This example includes additional custom information and tags to help recognize them.
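The following Python script is an added example, not FortiAnalyzer or Fortinet code: it re-implements the eight Generic Text Filters from both procedures on this page (the four subnet-based filters and the four interface-role filters) and runs them over a few constructed FortiGate IPS log lines, so you can see which handler each log would land in, how the attacker and victim are derived from the direction field, and how the Group By key and Additional Info text come out. The log lines are constructed for this example and use only field names that appear on this page (devname, srcip, dstip, srcintfrole, dstintfrole, direction, attack, msg); the device name "FGT-1" and the attack names are placeholders. The last sample log deliberately uses an internal host in 10.0.0.0/8 to show the caveat that the subnet handlers, whose regex only covers 192.168.0.0/16, tag it as external while the interface-role handlers tag it as internal.

```python
import re
import shlex
from collections import namedtuple

# Constructed FortiGate IPS log lines in key=value format (not captured from a real device).
SAMPLE_LOGS = [
    'devname="FGT-1" type="ips" srcip=192.168.1.10 dstip=203.0.113.5 srcintfrole="lan" dstintfrole="wan" '
    'direction="incoming" attack="Example.Signature.A" msg="signature matched"',
    'devname="FGT-1" type="ips" srcip=198.51.100.7 dstip=192.168.2.20 srcintfrole="wan" dstintfrole="lan" '
    'direction="outgoing" attack="Example.Signature.B" msg="signature matched"',
    'devname="FGT-1" type="ips" srcip=192.168.1.10 dstip=203.0.113.5 srcintfrole="lan" dstintfrole="wan" '
    'direction="outgoing" attack="Example.Signature.C" msg="signature matched"',
    # Internal host outside the 192.168.0.0/16 range matched by the page's regex filters.
    'devname="FGT-1" type="ips" srcip=10.20.30.40 dstip=203.0.113.9 srcintfrole="lan" dstintfrole="wan" '
    'direction="incoming" attack="Example.Signature.D" msg="signature matched"',
]

INTERNAL_RE = re.compile(r"^192\.168\.")  # the regex used in the page's Generic Text Filters


def parse_log(line):
    """Split a key=value log line into a dict; shlex strips the quotes around values."""
    fields = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


# One Filter per Generic Text Filter row on the page: the handler it belongs to
# ("internal" or "external"), the required direction, and the remaining condition.
Filter = namedtuple("Filter", "handler direction match")

SUBNET_FILTERS = [
    Filter("internal", "incoming", lambda log: bool(INTERNAL_RE.search(log["srcip"]))),
    Filter("internal", "outgoing", lambda log: bool(INTERNAL_RE.search(log["dstip"]))),
    Filter("external", "incoming", lambda log: not INTERNAL_RE.search(log["srcip"])),
    Filter("external", "outgoing", lambda log: not INTERNAL_RE.search(log["dstip"])),
]
ROLE_FILTERS = [
    Filter("internal", "incoming", lambda log: log.get("srcintfrole") == "lan"),
    Filter("internal", "outgoing", lambda log: log.get("dstintfrole") == "lan"),
    Filter("external", "incoming", lambda log: log.get("srcintfrole") == "wan"),
    Filter("external", "outgoing", lambda log: log.get("dstintfrole") == "wan"),
]


def evaluate(log, filters):
    """Return the event the first matching filter would raise for this log, or None."""
    for f in filters:
        if log.get("direction") != f.direction or not f.match(log):
            continue
        # Page rule: incoming -> victim is srcip and attacker is dstip;
        # outgoing -> victim is dstip and attacker is srcip.
        if f.direction == "incoming":
            victim, attacker = log["srcip"], log["dstip"]
        else:
            victim, attacker = log["dstip"], log["srcip"]
        return {
            "handler": f"IPS attack to {f.handler} network",
            "tags": ["ips", "attack", f.handler],
            # Group By on the page is the attacker's endpoint plus the attack name.
            "group_key": (attacker, log["attack"]),
            "additional_info": (
                f"Attack to {f.handler.capitalize()} Network: {log['direction']} attack was detected "
                f"on {log['devname']} from {attacker} to {victim} and {log['msg']}"
            ),
        }
    return None


def classify_all(lines, filters):
    """Evaluate every log line against one filter set and return the resulting events."""
    return [evaluate(parse_log(line), filters) for line in lines]


def disagreements(lines):
    """Return (srcip, dstip, subnet handler, role handler) for logs the two approaches classify differently."""
    out = []
    for line in lines:
        log = parse_log(line)
        by_subnet = (evaluate(log, SUBNET_FILTERS) or {}).get("handler")
        by_role = (evaluate(log, ROLE_FILTERS) or {}).get("handler")
        if by_subnet != by_role:
            out.append((log["srcip"], log["dstip"], by_subnet, by_role))
    return out


if __name__ == "__main__":
    for event in classify_all(SAMPLE_LOGS, SUBNET_FILTERS):
        print(event["handler"], event["group_key"], event["additional_info"], sep=" | ")
    for d in disagreements(SAMPLE_LOGS):
        print("subnet/role disagreement:", d)
```

Running the script shows the first three logs classified the same way by both filter sets, and the fourth (source 10.20.30.40 on the lan interface, direction incoming) reported as an attack to the external network by the subnet handlers but as an attack to the internal network by the interface-role handlers. If you use the subnet approach, the regex must cover every internal range; if internal ranges change often, grouping by interface role is the more robust choice.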