Intrusion Protection Log show heartbeat information attack

Millibhu · ‎08-24-2015

Hi,

Is anyone know that what is this log mean

I'm encounter with this log in my fortigate 100D , I already enable IPS, AV, Web filtering. Is this attack need to worried ?

What should I do with me fortigate 100D

Thanks

Millibhu

gschmitt · ‎08-24-2015

Blurring out the source public IPs of an external "attacker" is not really a good idea (since it doesn't reveal any information about you it is safe)

Chances are if you try to access http://TheIpShownAsSource it will show you a page like this:

Hello, we are a project to reveal heartbleed vulnerability and do checks throughout the net. If you are bothered by this click here to get on our block list.

Basically there are multiple sites out there which scan the whole web for the heartbleed bug for fun.

Millibhu · ‎08-24-2015

Hi gschmit

the source is my internal ip address (client), but the destination it go to linkedin

Is this attack already block by Fortigate ? , because the status show only 'detected'

BTW I used firmware 5.0 patch 5 Fortigate 100D

Thanks

gschmitt · ‎08-24-2015

Millibhu wrote:
the source is my internal ip address (client), but the destination it go to linkedin

Really? That's odd.

Go check your interal > wan policy (the one which applies to this traffic) and check the name of the IPS profile

Now to to Security Profiles > Intrusion Protection and make sure the correct profile is selected in the drop down menu top right corner (if you do not have a drop down menu enable Multiple Profiles at System > Config > Features)

At Pattern Based Signatures and Filter whatis the Action set to? Default or Monitor all?

Millibhu · ‎08-24-2015

Hi,

I follow your instruction and I'm using "Default" profile, should I check the signature inside this profile ?

Thanks

Millibhu

gschmitt · ‎08-24-2015

Yes

vjoshi_FTNT · ‎08-24-2015

Hello Millibhu,

Status 'detected' doesn't mean it is blocked. I see that the 'default' IPS sensor is applied on the Firewall policy. If you check under Security Profile > Intrusion Protection > Choose the default IPS sensor > View IPS signatures > Then search the signature name, any signature for that matter.

- I believe, the default action is PASS.

Millibhu wrote:
Hi gschmit

the source is my internal ip address (client), but the destination it go to linkedin
[attachImg]https://forum.fortinet.com/download.axd?file=0;127233&where=message&f=heartbleed.jpg[/attachImg]

Is this attack already block by Fortigate ? , because the status show only 'detected'
BTW I used firmware 5.0 patch 5 Fortigate 100D

Thanks

vjoshi_FTNT · ‎08-24-2015

Just to clarify, in my earlier update, when I say "any signature for that matter." I mean to say, you can use the same technique to find the action set on each signature which you think is not being blocked or you want to change the action.

Millibhu · ‎08-24-2015

Hi,

I follow your instruction and found that both signature

OpenSSL.TLS.Heartbeat.Information.Disclosure OpenSSL.ChangeCipherSpec.Injection

default action is "pass" , how can I modify the action to be block please advice

Thanks

Millibhu

vjoshi_FTNT · ‎08-24-2015

Hello Millibhu,

To make sure you are doing it right, create a new sensor as below:

Click on Intrusion Protection > Click on '+' sign at right corner of the screen > Name it > Ok > Create New > OK > Create New > This time, select "Specify Signatures" for "Sensor type" > Type 'opens ' and you will see all the relevant signatures > Select all the signatures needed (you can use the 'Ctrl' key on the keyboard to select multiple signatures) > Then click on 'Block All' at the bottom > Click OK.

Now, Drag/Move the specific signature filter above the existing default filter

Hope that helps

Millibhu wrote:
Hi,

I follow your instruction and found that both signature
OpenSSL.TLS.Heartbeat.Information.Disclosure OpenSSL.ChangeCipherSpec.Injection

default action is "pass" , how can I modify the action to be block please advice

Thanks
Millibhu