syakushijin
Staff
Created on 11-09-2014 07:16 PM Edited on 05-26-2022 06:58 AM By Anonymous
Article Id
192224
Description
When the FortiGate AV feature detects "Linux/Slapper", the UTM log entry shows status=passthrough, as in the following example:
sample log entry
date=2014-11-04 time=17:13:10 logid=0211008196 type=utm subtype=virus eventtype=infected level=warning vd="root" msg="Worm detected." status="passthrough" service="http" srcip=xxx.xxx.xxx.xxx dstip=xxx.xxx.xxx.xxx srcport=46311 dstport=80 srcintf="port5" dstintf="port6" policyid=3 identidx=0 sessionid=628481797 virus="Linux/Slapper" dtype="Virus" url="http:///" profiletype="Antivirus_Profile" profile="default"
This behaviour comes from a special hard-coded detection in the HTTP proxy daemon for Linux/Slapper attacks.
The HTTP proxy daemon treats a request as a worm event when it detects a GET request without a hostname. If AV scanning is enabled at the same time, an AV log entry carrying the worm event is generated.
The FortiGate protects the user by deceiving the infected worm server: it sends a malformed response back to the attacking host.
The malformed response makes the attacker conclude that the victim is an invalid target, so the attacker does not attempt to infect it. This is why the traffic is reported as "passthrough" by design while users remain protected.
More information about Linux/Slapper can be found in the FortiGuard Encyclopedia in the FortiGuard Centre under Linux/Slapper.
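The following Python example is added here for illustration and is not FortiGate code. It shows how a SOC analyst could parse the key=value log line above and separate this by-design passthrough event (virus="Linux/Slapper", status="passthrough", url="http:///" with an empty host) from other virus events that warrant follow-up. It also shows the condition the article describes, a GET request with no hostname, evaluated against a constructed HTTP request; treating "no hostname" as "no Host header and no absolute URL in the request line" is this example's assumption, not a statement about the proxy's internals. The sample log line is the article's own, with the masked xxx addresses kept as-is; the second log line is constructed.

```python
import re
from typing import Dict, List

# Log line copied from the article (addresses masked there as xxx).
SAMPLE_LOG = (
    'date=2014-11-04 time=17:13:10 logid=0211008196 type=utm subtype=virus '
    'eventtype=infected level=warning vd="root" msg="Worm detected." '
    'status="passthrough" service="http" srcip=xxx.xxx.xxx.xxx dstip=xxx.xxx.xxx.xxx '
    'srcport=46311 dstport=80 srcintf="port5" dstintf="port6" policyid=3 identidx=0 '
    'sessionid=628481797 virus="Linux/Slapper" dtype="Virus" url="http:///" '
    'profiletype="Antivirus_Profile" profile="default"'
)

# Constructed line (not from the article) representing an ordinary blocked file.
BLOCKED_LOG = (
    'date=2014-11-04 time=17:20:01 logid=0211008192 type=utm subtype=virus '
    'eventtype=infected level=warning vd="root" msg="File is infected." '
    'status="blocked" service="http" srcip=10.0.0.5 dstip=198.51.100.7 '
    'virus="EICAR_TEST_FILE" dtype="Virus" url="http://198.51.100.7/eicar.com"'
)

# key=value pairs; values are either a double-quoted string (may contain spaces)
# or a bare run of non-whitespace characters.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate key=value log line into a dict, stripping quotes."""
    fields: Dict[str, str] = {}
    for key, raw in _KV.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def is_slapper_passthrough(fields: Dict[str, str]) -> bool:
    """True for the by-design event the article describes: Slapper probe, passed through."""
    return (
        fields.get("type") == "utm"
        and fields.get("subtype") == "virus"
        and fields.get("virus") == "Linux/Slapper"
        and fields.get("status") == "passthrough"
    )


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Split virus events into 'expected' (Slapper passthrough) and 'review' buckets."""
    buckets: Dict[str, List[str]] = {"expected": [], "review": []}
    for line in lines:
        fields = parse_fortigate_log(line)
        if fields.get("subtype") != "virus":
            continue
        key = "expected" if is_slapper_passthrough(fields) else "review"
        buckets[key].append(fields.get("virus", "?") + "/" + fields.get("status", "?"))
    return buckets


def request_has_hostname(raw_request: bytes) -> bool:
    """Assumed reading of 'GET request without a hostname': the request carries neither
    a Host header with a value nor an absolute URL in the request line."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) >= 2 and parts[1].lower().startswith((b"http://", b"https://")):
        # Absolute-form target: a hostname is present only if something follows the scheme.
        rest = parts[1].split(b"://", 1)[1]
        if rest.split(b"/", 1)[0]:
            return True
    for header in lines[1:]:
        name, _, value = header.partition(b":")
        if name.strip().lower() == b"host" and value.strip():
            return True
    return False


if __name__ == "__main__":
    print(triage([SAMPLE_LOG, BLOCKED_LOG]))
    print(request_has_hostname(b"GET / HTTP/1.0\r\n\r\n"))
    print(request_has_hostname(b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"))
```

Running the script prints the Slapper event in the "expected" bucket and the constructed blocked event in the "review" bucket, so a dashboard can suppress the former without hiding genuine detections. Note that the url="http:///" field in the article's log line, with nothing between the scheme and the path, is the visible trace of the missing hostname.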