blason
New Contributor

Creating custom IPS rule for MD5 hashes, malicious IPs and Domains

Hi there,

We maintain our own repository of malicious IPs and domains as well as MD5 hashes as Indicators of Compromise. How can I create an IPS rule so that those MD5 hashes will be blocked using IPS? As well, can we create an IPS rule so that malicious domains will be fetched from our URLs or compared and thus blocked?

blason
New Contributor

So there is no way to block MD5 hashes on Fortinet using a custom IPS signature?

Jeff_the_Network_Guy

Home > Online Help > Chapter 25 - Security Profiles > Custom Application & IPS Signatures > Creating a custom signature to block files according to the file's hash value:

http://help.fortinet.com/...0to%20their%20hash.htm

----------------(-- Jeff
ede_pfau

Great, very helpful pointer! You just can't read everything...

Now combine this with a script-creating script...though I guess if you need one signature per file you will run out of signatures soon.

edit: Not so soon in fact. The limit in FOS v5.4.4 is 256/512/1024 for desktop/medium/high-end FGTs. This is higher than it would make sense - to block more than just a handful of malware files you would consider a FortiSandbox or the FSA cloud.


Ede


"Kernel panic: Aiee, killing interrupt handler!"