leila07
New Member
December 18, 2014
Solved

source of an attempted attack

Hello,

The integrated IPS on the FortiGate detected an attempted attack: browser.spoofing.IDN.attempt. According to the attack report, the source of the attack is an internal address and the destination is an external address of a web site.

My question is: how could the internal address be the source of the attack if the vulnerability affects the browser?

    pcraponi
    New Member
    December 19, 2014

    Maybe the internal user has clicked on a website link that has a homograph attack.

    The best way to discover what happened is to enable "Packet Logging" on the IPS profile. Then you can get the PCAP of the signature trigger on FortiAnalyzer and see what the behavior is.

    The direction of the attack is irrelevant. The IPS signature triggers on the source and the destination of the packet.

    BR,

    Paulo Raponi

    leila07
    New Member
    December 19, 2014

    Thanks, Paulo, for the reply; maybe your guess is true.

    But even if we suppose that it is true, the user should be the victim of the attack, not the web site.

    On the other hand, "Packet Logging" is already enabled. How can I get the PCAP of the signature trigger on FortiAnalyzer and see what the behavior is?

    seadave
    New Member
    January 7, 2015

    I've seen the same issue on 100D 4.3.18.  I have my IPS rules set to ban IPs that trigger them externally.  This normally works fine, but I've noticed that for the OpenSSL.TLS.Heartbeat.Information.Disclosure, the internal host IP gets blocked instead of the external attacking source.  I'm guessing that is because the signature doesn't detect the attack until the response.  Seems like it should NOT be happening that way though.  My guess is this happens because the connection is encrypted.

    Other attacks and vuln scans end up being blocked and banned as one would like them to be.
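    Paulo's point that the IPS logs the source and destination of the matching packet, and seadave's observation that the internal host can therefore end up as the quarantined "source", come down to the same thing: the log's srcip is whoever sent the packet that matched, not the attacker. The script below is an added example, not code from this thread or from Fortinet. It triages two constructed FortiGate-style IPS log lines: it works out which endpoint is internal so a quarantine action can be aimed at the external side whichever way the signature fired, and for the IDN case it decodes the punycode hostname and flags a label that mixes scripts, which is the usual shape of a homograph domain. Assumptions: the key=value field names only approximate the real log layout, "internal" means RFC 1918 space, and the script check is a heuristic based on Unicode character names rather than the full Script property.

```python
import ipaddress
import re
import unicodedata

# Constructed sample: a homograph hostname ("paypal" with a Cyrillic a) and its
# punycode form, built here rather than hand-typed so the two always agree.
HOMOGRAPH_HOST = 'p\u0430ypal.com'
PUNYCODE_HOST = HOMOGRAPH_HOST.encode('idna').decode('ascii')   # xn--...

# Constructed IPS log lines in a FortiGate-style key=value layout. The field
# names are an assumption modelled on that layout, not copied from the thread.
SAMPLE_LOGS = [
    'date=2014-12-18 time=10:15:02 type="utm" subtype="ips" severity="medium" '
    'srcip=192.168.10.25 srcport=51234 dstip=203.0.113.45 dstport=80 '
    f'attack="browser.spoofing.IDN.attempt" hostname="{PUNYCODE_HOST}" '
    'direction="outgoing"',
    'date=2015-01-07 time=14:02:11 type="utm" subtype="ips" severity="high" '
    'srcip=192.168.10.40 srcport=443 dstip=198.51.100.9 dstport=40210 '
    'attack="OpenSSL.TLS.Heartbeat.Information.Disclosure" direction="incoming"',
]

# Assumption: "internal" means RFC 1918 space; substitute your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line):
    """Split a key=value log line into a dict; quoted values keep their spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def decode_hostname(hostname):
    """Return the Unicode form of a hostname whose labels may be punycode (xn--)."""
    try:
        return hostname.encode('ascii').decode('idna')
    except (UnicodeError, ValueError):
        return hostname


def scripts_in_label(label):
    """Heuristic script set for a label: the first word of each letter's Unicode
    name (LATIN, CYRILLIC, GREEK, ...). Digits and hyphens are ignored."""
    return {unicodedata.name(ch, 'UNKNOWN').split(' ')[0]
            for ch in label if ch.isalpha()}


def is_mixed_script(hostname):
    """True if any label mixes scripts, the usual shape of a homograph domain."""
    return any(len(scripts_in_label(label)) > 1
               for label in decode_hostname(hostname).split('.'))


def triage(line):
    """Work out which endpoint is internal so a quarantine action can target the
    external side even when the signature fired with the internal host as srcip."""
    f = parse_kv(line)
    src, dst = f['srcip'], f['dstip']
    src_in, dst_in = is_internal(src), is_internal(dst)
    if src_in and not dst_in:
        internal, external = src, dst
    elif dst_in and not src_in:
        internal, external = dst, src
    else:
        internal, external = None, None      # both sides in one zone: needs a human
    result = {
        'attack': f.get('attack'),
        'internal_host': internal,
        'external_host': external,
        'fired_on_internal_source': src_in,  # the situation the thread describes
    }
    if 'hostname' in f:
        result['decoded_hostname'] = decode_hostname(f['hostname'])
        result['mixed_script'] = is_mixed_script(f['hostname'])
    return result


if __name__ == '__main__':
    for line in SAMPLE_LOGS:
        print(triage(line))
```

    For the IDN line the internal client is srcip because its own request carried the look-alike hostname, which is why the report shows it as the "source"; the decoded hostname and the mixed-script flag are what an analyst would check before deciding whether the user was phished. For the Heartbeat line the external side is still the quarantine candidate even though the signature matched on the internal host's packet.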

    Big_Abe
    New Member
    January 27, 2015

    dfollis wrote:

    I have my IPS rules set to ban IPs that trigger them externally. 

    This was working great on an inherited 5.0 800C.  However, I've since upgraded to 5.2.1 and have no IDEA where this was set.  How did you turn this on?  I would love to auto-ban pesky IPs.  It would certainly clean up my alerting.

    seadave
    New Member
    January 28, 2015

    Security Profiles...Intrusion Protection

    Edit a policy

    In the policy under Action choose Quarantine and then choose for how long under "Expires".

    I like to use an IPS rule at the top of all of my policies that includes the ZmEu, Morfeus, and Nessus vuln scanners.  If anyone hits me with those, they get banned.  Stops a lot of traffic.  External managed security indicates the first two are very common initial recon attempts.