Target configuration in IPS signatures to protect against botnets

Question

I am using IPS signatures filtered by operating system and target = Client to protect my clients.

I thought that with this policy I could prevent and detect botnets and attacks to my clients when they browse the Internet.

But now I see that most Botnets signatures have a target = Server, so they don't apply to the policy I use with my clients. For example, I wanted protection against the Emotet Trojan, but the signature is target = Server

In this document https://www.fortinet.com/blog/threat-research/deep-dive-into-emotet-malware.html you can read: "Fortinet has also developed an IPS signature named “Emotet.Botnet” to detect the traffic between the C2 server and the infected machine". So, the infected machine is a client, why is the signature defined with the target "Server"?

How should I use the Signature target to configure IPS?

Thanks

https://fortiguard.com/encyclopedia/ips/33105

Emotet.Cridex.Botnet

Description

This indicates that a system might be infected by Emotet Botnet. Emotet is a Trojan that targets Windows platform. It contacts C&C servers via HTTP or HTTPS requests. Emotet can download and install additional malware such as ransomware or infostealer. Emotet is a variant of Cridex malware.

AKrause · Accepted Answer

Some more words on this one: FTNT has several modules for Botnet / C2 Detection and Prevention:

Botnet IP Database

Botnet Domain Database

IPS Botnet Signatures

Webfilter Category Malicious Websites

Application Control Botnet (up to FortiOS 5.4)

I raised a ticket about the Botnet IP / Domain Database not being up tp date with the known Emotet infrastructure:

"[...] The Emotet Infrastructure is back online today (https://twitter.com/certb...s/1164803474497761286) https://paste.cryptolaemu...are-IoCs_06-21-19.html We have checked the known list of Emotet C2 IPs against the list of Fortiguard Botnet IPs. I seems that none of these known C2 IPs of Emotet are used within the Fortiguard Botnet Database. [...]"

FTNT support refered to the Fortiguard Team - https://fortiguard.com/faq/generalcontact - but there was no reply.

I called the support again, but it did not work out. TAC asks about a providing a sample and is not helpful in explaining the FTNT best practice for detection of infected clients. It seems that support is not aware of a high level apporach.

My experience is:

1/ Botnet IP DB and Botnet Domain DB is not maintaned and not kept up to date for current threats such as emotet. Thats really bad because the protection is easy to deploy interface based.

2/ The IPS botnet signatures are quite good (e.g. Emotet.Cridex) but the implementation is really bad, because of the missing category and the ambiguity of botnet signatures in IPS context. (IPS was designed to protect a client or server from being exploited - the botnet signatures are indicators of a client who has been compromised)

3/ The Webfilter Malicious Websites is the most important module used by fortinet to prevent malware staging such as Emotet. A lot of the Emotet IOCs are categorized as malicious websites. e.g. https://fortiguard.com/search?q=http%3A%2F%2Fnekobiz.ikie3.com%2Fwp-includes%2F2w52077%2F&engine=1

We have setup FGT-Webfilter and block security risk websites (Malicious, Phishing, SPAM URLs) for all outbound internet traffic. If you rely on the Botnet DB only you miss a lot of potential.

The drawback of Webfilter is: There are such a lot false positives in security risk websites. Re-Evaluation is done by a specialised team only on request https://fortiguard.com/faq/malurl

We do have several 'rating errors' on high traffic load which result in missing detections of malicious websites.

We have an open support ticket on this issue as well...

best regards

Andreas

AKrause · Answer

Fortinet is mixing up the detection and prevention of botnet / C2 traffic to several modules. In FortiOS 5.4 there was the category 'botnet' in Application Control. This has been poorly moved to IPS in FortiOS 5.6 without building a new category. I had a long long discussion with FTNT support about this issue and raised the same question about the meaning of target in case of IPS signatures. We missed Emotet infections because we had IPS profiles for target=client.

1/ What is the meaning of client/server in context of the botnet IPS signatures?

2/ What is the Fortinet Best Practice for Botnet Detection in FortiOS 5.6 for Client Traffic? If you select target=client you will miss a lot of Botnet signatures!"

It was hard, because the FTNT support answered things like this : "If you consider that this application should be categorized as client+server as it was before in Application control, please contact FortiGuard team as they are managing the IPS updates and signature categorization." :(

After several replies and phone calls FTNT closed the ticket with:

"Unfortunately as no such "Category : Botnet" filter exists for now on the IPS sensor, the product is working as designed and from a TAC perspective we cannot do anything more. If you need this feature, please contact sales and file NFR (New Feature Release) for this."

Sad but true.

Our current solution is: We put all *botnet* and *Exploit.Kit* Pattern manually to our protect_client IPS profile which is added to the outbound traffic policies. The drawback is, that you miss new signatures - so you have to add them by hand.

best regards

Andreas

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded