Fortinet 100 Network Card User Manual


 
Network Intrusion Detection System (NIDS) Reducing the number of NIDS attack log and email messages
FortiGate-100 Installation and Configuration Guide 229
Reducing the number of NIDS attack log and email messages
Intrusion attempts may generate an excessive number of attack messages. To help
you distinguish real warnings from false alarms, the FortiGate unit provides methods
to reduce the number of unnecessary messages. Based on the frequency that
messages are generated, the FortiGate unit will automatically delete duplicates. If you
determine that you are still receiving an excessive number of unnecessary messages,
you can manually disable message generation for signature groups.
Automatic message reduction
The content of the attack log and alert email messages that the NIDS produces
includes the ID number and name of the attack that generated the message. The
attack ID number and name in the message are identical to the ID number and rule
name that appear on the NIDS Signature Group Members list.
The FortiGate unit uses an alert email queue in which each new message is
compared with the previous messages. If the new message is not a duplicate, the
FortiGate unit sends it immediately and puts a copy in the queue. If the new message
is a duplicate, the FortiGate unit deletes it and increases an internal counter for the
number of message copies in the queue.
The FortiGate unit holds duplicate alert email messages for 60 seconds. If a duplicate
message has been in the queue for more than 60 seconds, the FortiGate unit deletes
the message and increases the copy number. If the copy number is greater than 1, the
FortiGate unit sends a summary email that includes “Repeated x times” in the subject
header, the statement “The following email has been repeated x times in the last y
seconds”, and the original message.
Manual message reduction
If you want to reduce the number of alerts that the NIDS generates, you can review
the content of attack log messages and alert email. If a large number of the alerts are
nuisance alerts (for example, web attacks when you are not running a web server),
you can disable the signature group for that attack type. Use the ID number in the
attack log or alert email to locate the attack in the signature group list. See “Enabling
and disabling NIDS attack signatures” on page 224.