Millibhu
New Member
August 24, 2015
Question

Intrusion Protection Log show heartbeat information attack

  • August 24, 2015
  • 5 replies
  • 15020 views

Hi,

Does anyone know what this log means?

I encountered this log on my FortiGate 100D. I already enabled IPS, AV and web filtering. Is this an attack I need to worry about?

What should I do with my FortiGate 100D?

Thanks

Millibhu

    5 replies

    gschmitt
    New Member
    August 24, 2015

    Blurring out the source public IPs of an external "attacker" is not really a good idea (since it doesn't reveal any information about you, it is safe).

    Chances are if you try to access http://TheIpShownAsSource it will show you a page like this:

    Hello, we are a project to reveal the heartbleed vulnerability and do checks throughout the net. If you are bothered by this, click here to get on our block list.

    Basically there are multiple sites out there which scan the whole web for the heartbleed bug for fun.

    Millibhu
    MillibhuAuthor
    New Member
    August 24, 2015

    Hi gschmitt,

    The source is my internal IP address (client), but the destination is LinkedIn.

    Is this attack already blocked by the FortiGate? The status shows only 'detected'.

    BTW, I use firmware 5.0 patch 5 on the FortiGate 100D.

    Thanks

    gschmitt
    New Member
    August 24, 2015

    Millibhu wrote:

    The source is my internal IP address (client), but the destination is LinkedIn.

    Really? That's odd.

    Go check your internal > WAN policy (the one which applies to this traffic) and check the name of the IPS profile.

    Now go to Security Profiles > Intrusion Protection and make sure the correct profile is selected in the drop-down menu in the top right corner (if you do not have a drop-down menu, enable Multiple Profiles at System > Config > Features).

    At Pattern Based Signatures and Filter, what is the Action set to? Default or Monitor all?

    vjoshi_FTNT
    Staff
    August 24, 2015

    Just to clarify, in my earlier update, when I say  "any signature for that matter." I mean to say, you can use the same technique to find the action set on each signature which you think is not being blocked or you want to change the action.

    Millibhu
    MillibhuAuthor
    New Member
    August 24, 2015

    Hi,

    I followed your instructions and found that both signatures

    OpenSSL.TLS.Heartbeat.Information.Disclosure OpenSSL.ChangeCipherSpec.Injection

    have the default action "pass". How can I modify the action to block? Please advise.

    Thanks

    Millibhu

    vjoshi_FTNT
    Staff
    August 24, 2015

    Hello Millibhu,

    To make sure you are doing it right, create a new sensor as below:

    Click on Intrusion Protection > Click on the '+' sign at the right corner of the screen > Name it > OK > Create New > OK > Create New > This time, select "Specify Signatures" for "Sensor type" > Type 'opens' and you will see all the relevant signatures > Select all the signatures needed (you can use the 'Ctrl' key on the keyboard to select multiple signatures) > Then click on 'Block All' at the bottom > Click OK.

    Now, drag/move the specific signature filter above the existing default filter.

    Hope that helps.

    Millibhu wrote:

    Hi,

    I followed your instructions and found that both signatures

    OpenSSL.TLS.Heartbeat.Information.Disclosure OpenSSL.ChangeCipherSpec.Injection

    have the default action "pass". How can I modify the action to block? Please advise.

    Thanks

    Millibhu

    vjoshi_FTNT
    Staff
    August 24, 2015

    Hello Millibhu,

    If you have fewer firewall policies, a quick solution would be to create a new sensor, create a filter-based sensor with Signature defaults, and replace the previous sensor with the new one on the firewall policies.

    vjoshi_FTNT
    Staff
    August 25, 2015

    That looks to be good. Just monitor it and check the logs.

    By the way, packet logging is not needed in this case.
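A small log check for the "monitor it and check the logs" step, added here as an example that is not part of the thread or of any Fortinet tool: it parses FortiGate-style key=value IPS log lines and reports signatures that only ever show action=detected, which is the symptom of a sensor entry still set to pass. The log lines, profile names and IP addresses are constructed for the demo.

```python
import re
from collections import defaultdict

# Constructed sample lines in FortiGate's key=value log format (not from the thread).
# The first two mirror the symptom discussed: action=detected rather than dropped.
SAMPLE_LOGS = """\
date=2015-08-24 time=10:01:12 type=utm subtype=ips severity=high srcip=192.168.1.25 dstip=198.51.100.10 dstport=443 action=detected attack="OpenSSL.TLS.Heartbeat.Information.Disclosure" profile="default"
date=2015-08-24 time=10:02:45 type=utm subtype=ips severity=high srcip=192.168.1.25 dstip=198.51.100.10 dstport=443 action=detected attack="OpenSSL.ChangeCipherSpec.Injection" profile="default"
date=2015-08-24 time=10:05:03 type=utm subtype=ips severity=critical srcip=203.0.113.7 dstip=192.168.1.5 dstport=80 action=dropped attack="Example.Blocked.Signature" profile="block-openssl"
date=2015-08-24 time=10:06:30 type=traffic subtype=forward srcip=192.168.1.25 dstip=198.51.100.10 action=accept
"""

# key=value pairs; values may be double-quoted (and may then contain spaces).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one FortiGate log line into a dict, stripping quotes from quoted values."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def detected_only(log_text):
    """Return IPS signatures that never appear with a blocking action.

    A signature logged only as action=detected means the sensor entry matching it
    is set to pass/monitor; those are the candidates for a 'Block All' filter.
    Result: {attack: {"hits": n, "profiles": {...}, "sources": {...}}}
    """
    seen = defaultdict(lambda: {"hits": 0, "blocked": 0, "profiles": set(), "sources": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("type") != "utm" or rec.get("subtype") != "ips" or "attack" not in rec:
            continue  # only IPS events carry a signature name
        s = seen[rec["attack"]]
        s["hits"] += 1
        if rec.get("action") != "detected":
            s["blocked"] += 1
        s["profiles"].add(rec.get("profile", "?"))
        s["sources"].add(rec.get("srcip", "?"))
    return {name: {"hits": s["hits"], "profiles": s["profiles"], "sources": s["sources"]}
            for name, s in seen.items() if s["blocked"] == 0}


if __name__ == "__main__":
    for name, info in detected_only(SAMPLE_LOGS).items():
        print(f"{name}: {info['hits']} hit(s), detect-only in profile(s) "
              f"{sorted(info['profiles'])} from {sorted(info['sources'])}")
```

Feed it a syslog export of the FortiGate IPS log; any signature it lists is one whose sensor still passes the traffic, and the profile names tell you which sensor to edit.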