FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
keithli_FTNT
Staff
Article Id 192090
Description
This article describes how to use a custom Event Handler and Report in FortiAnalyzer to detect attempts to exploit a buffer overflow vulnerability in the F5 BIG-IP Traffic Management Microkernel (TMM).

The exploit targets these vulnerabilities:
  • CVE-2021-22991
  • CVE-2021-22986
  • CVE-2021-22992
For more information about this attack, see the following FortiGuard Threat Signal Report:

What is included in Fortinet_SOC_F5-BIG-IP-Detection-v2.zip?

1) Fortinet_SOC_F5-BIG-IP_Detection_Handler-v2.json
This event handler helps detect attack attempts based on FortiGate IPS signature detections.

2) Fortinet SOC F5 Big IP Attack Detection Report-v2.dat
A report that summarizes the attack attempts found in FortiGate logs.

See the Solution section for instructions on how to load these into a FortiAnalyzer unit.
Scope
The custom Event Handler and Report provided can be used in FortiAnalyzer 6.4 and later.
Solution
All screenshots provided below for illustration purposes are taken from FortiAnalyzer 6.4.4.
1) Download the Fortinet_SOC_F5-BIG-IP-Detection-v2.zip file (it contains 2 files)

2) Unzip Fortinet_SOC_F5-BIG-IP-Detection-v2.zip

3) Import Fortinet_SOC_F5-BIG-IP_Detection_Handler-v2.json into Event Handlers:
     a. Choose an ADOM (if ADOMs are enabled)
     b. Choose the FortiSOC module
     c. Select Event Handler List
     d. Select the Import option under "More"
     e. Select Fortinet_SOC_F5-BIG-IP_Detection_Handler-v2.json
 
[Screenshot: EventHandlerList-FortiDemo.png]

Result: the Fortinet_SOC_F5-BIG-IP_Detection_Handler-v2.json event handler is enabled and will be triggered when matching logs are received after the import.

4) Import Fortinet SOC F5 Big IP Attack Detection Report-v2.dat into Reports:
    a. Choose a Fabric ADOM (if ADOMs are enabled)
    b. Choose the Report module
    c. Select the Import option under "More"
    d. Select Fortinet SOC F5 Big IP Attack Detection Report-v2.dat
 
[Screenshot: ImportReport.png]

Result: the 'Fortinet SOC F5 Big IP Attack Detection Report' can be run at any time by an admin user.
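As an added illustration (not part of this article or of Fortinet's packaged handler and report), the following Python script shows the kind of filter such an event handler applies to FortiGate IPS logs and the per-source and per-CVE summary a report built on it would produce. The log lines, the signature names in the attack field, and the presence of a cve field are all constructed for the example; the three CVEs are the ones listed above.

```python
import re
from collections import Counter

# Constructed sample FortiGate-style IPS log lines (key="value" syslog format).
# Signature names and the cve field are placeholders, not real FortiGuard data.
SAMPLE_LOGS = [
    'date=2021-03-12 time=10:01:02 logid="0419016384" type="utm" subtype="ips" '
    'eventtype="signature" level="alert" severity="critical" srcip=203.0.113.10 '
    'dstip=192.0.2.5 action="dropped" attack="F5.BIG-IP.TMM.Buffer.Overflow" '
    'cve="CVE-2021-22991" msg="signature: F5 BIG-IP TMM overflow attempt"',
    'date=2021-03-12 time=10:01:09 logid="0419016384" type="utm" subtype="ips" '
    'eventtype="signature" level="alert" severity="high" srcip=203.0.113.10 '
    'dstip=192.0.2.5 action="detected" attack="F5.BIG-IP.iControl.REST.RCE" '
    'cve="CVE-2021-22986" msg="signature: iControl REST attempt"',
    'date=2021-03-12 time=10:02:30 logid="0419016384" type="utm" subtype="ips" '
    'eventtype="signature" level="alert" severity="critical" srcip=198.51.100.7 '
    'dstip=192.0.2.5 action="dropped" attack="Some.Other.Signature" '
    'cve="CVE-2000-0000" msg="signature: unrelated hit"',
    'date=2021-03-12 time=10:03:00 logid="0100020001" type="traffic" '
    'subtype="forward" srcip=203.0.113.10 dstip=192.0.2.5 action="accept"',
]

# The CVEs named in the article; the handler keys on IPS signature hits for them.
F5_CVES = {"CVE-2021-22991", "CVE-2021-22986", "CVE-2021-22992"}

# key=value pairs where the value is either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_log(line):
    """Parse one FortiGate key=value log line into a dict of string fields."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}

def matches_handler(log):
    """Event-handler style filter: IPS signature events tied to the F5 BIG-IP CVEs."""
    return (log.get("type") == "utm" and log.get("subtype") == "ips"
            and log.get("eventtype") == "signature"
            and log.get("cve") in F5_CVES)

def summarize(lines):
    """Report-style summary: matching events counted per source IP and per CVE."""
    hits = [log for log in map(parse_log, lines) if matches_handler(log)]
    return {
        "total": len(hits),
        "by_src": dict(Counter(h["srcip"] for h in hits)),
        "by_cve": dict(Counter(h["cve"] for h in hits)),
        "blocked": sum(1 for h in hits if h.get("action") == "dropped"),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOGS))
```

The traffic log and the unrelated IPS hit are excluded, so the summary reports two matching events from one source, one of which was blocked.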
