Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor III

Custom IPS signature to block Microsoft Exchange EWS brute force logon attempts

Hi everyone


We were recently hit by a brute force logon attack to Exchange Web Services (EWS). FortiGate (e.g. FortiOS 5.4.9) does not seem to offer any signatures for Exchange EWS. There is only a rate based signature for brute force Outlook Web App (OWA) logon attempts but this does not help in this case.


I wanted to ask if anyone has ever created a custom signature for EWS? Or does anyone know what the default MS.OWA.Brute.Force signature looks like? This could then be modified accordingly.


In the interim I have created the following signature:

F-SBID(--name "MS.EWS.Brute.Force"; --pattern "HTTP/1.1 401 Unauthorized"; --service HTTP; --protocol tcp; --flow from_server,reversed; --rate 4,10,limit; --track dst_ip; --ipver 4; --src_addr; --context header;)


Any feedback would be appreciated. Thank you.





Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors