blason
New Member
April 26, 2017
Question

Creating custom IPS rule for MD5 hashes, malicious IPs and Domains

  • April 26, 2017
  • 1 reply
  • 12478 views

Hi there,

We maintain our own repository of malicious IPs and domains as well as MD5 hashes as Indicators of Compromise. How can I create an IPS rule so that those MD5 hashes will be blocked using IPS? As well, can we create an IPS rule so that malicious domains will be fetched from our URLs or compared and thus blocked?

    1 reply

    blason (Author)
    New Member
    April 27, 2017

    So there is no way to block MD5 hashes on Fortinet using custom IPS signature?

    Jeff_the_Network_Guy
    New Member
    May 4, 2017

    Home > Online Help > Chapter 25 - Security Profiles > Custom Application & IPS Signatures > Creating a custom signature to block files according to the file's hash value:

    http://help.fortinet.com/...0to%20their%20hash.htm

    ede_pfau
    SuperUser
    May 5, 2017

    Great, very helpful pointer! You just can't read everything...

    Now combine this with a script-creating script...though I guess if you need one signature per file you will run out of signatures soon.

    edit: Not so soon in fact. The limit in FOS v5.4.4 is 256/512/1024 for desktop/medium/high-end FGTs. This is higher than it would make sense - to block more than just a handful of malware files you would consider a FortiSandbox or the FSA cloud.
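
A sketch of the "script-creating script" idea from the last post, added here as an example and not written by anyone in the thread: it emits one custom IPS signature per unique file and refuses to exceed the per-model signature limits quoted above. The `--crc32 <checksum>,<file size>` keyword layout and the `config ips custom` wrapper are assumptions recalled from the linked help page, and the `Blocklist.Hash` naming scheme is hypothetical; check all three against your FortiOS version.

```python
import zlib

# Custom-signature limits quoted in the thread for FOS v5.4.4, per model class.
SIG_LIMITS = {"desktop": 256, "medium": 512, "high-end": 1024}


def crc32_and_size(data: bytes) -> tuple[str, int]:
    """Return (CRC32 as 8 uppercase hex digits, length in bytes)."""
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08X}", len(data)


def build_signature(name: str, crc: str, size: int) -> str:
    # ASSUMPTION: keyword layout "--crc32 <checksum>,<file size>" as recalled
    # from the linked help page; verify it before loading onto a device.
    return (f'F-SBID( --name "{name}"; --protocol tcp; '
            f'--flow from_server; --crc32 {crc},{size}; )')


def build_cli(samples: dict[str, bytes], model_class: str,
              prefix: str = "Blocklist.Hash") -> str:
    """Emit a 'config ips custom' block, one signature per unique file."""
    # Identical files stored under different names need only one signature.
    unique = sorted({crc32_and_size(data) for data in samples.values()})
    limit = SIG_LIMITS[model_class]
    if len(unique) > limit:
        raise ValueError(
            f"{len(unique)} signatures exceed the {model_class} limit of {limit}")
    lines = ["config ips custom"]
    for n, (crc, size) in enumerate(unique, start=1):
        name = f"{prefix}.{n:04d}"  # hypothetical naming scheme
        sig = build_signature(name, crc, size).replace('"', '\\"')
        lines += [f'    edit "{name}"', f'        set signature "{sig}"', "    next"]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample contents standing in for files from an IoC repository.
    demo = {"sample_a.bin": b"123456789", "copy_of_a.bin": b"123456789",
            "sample_b.bin": b"hello"}
    print(build_cli(demo, "desktop"))
```

The signatures only take effect once they are added to an IPS sensor with the action set to block, and a CRC32 plus file size match is far weaker than an MD5 match, so expect occasional false positives on large lists.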