Hi there Specialists,
I have a question regarding custom IPS rules. I've written multiple custom IPS rules to prevent Locky infections. The rules contain a pretty common attachment name, but for now it's being used by the Locky ransomware, so we would like to block all SMTP attachments containing the names we defined (see rules).
The rules are:
```
#SMTP
F-SBID ( --name "IT.Custom.Locky.SMTP.TCP.Feb21-1"; --protocol tcp; --ipver 4; --pattern "invoice*.doc"; --context body; --service SMTP; --log DNS_QUERY; )
F-SBID ( --name "IT.Custom.Locky.SMTP.TCP.Feb21-2"; --protocol tcp; --ipver 4; --pattern "invoice_*-*.doc"; --context body; --service SMTP; --log DNS_QUERY; )
F-SBID ( --name "IT.Custom.Locky.SMTP.UDP.Feb21-1"; --protocol udp; --ipver 4; --pattern "invoice*.doc"; --context body; --service SMTP; --log DNS_QUERY; )
F-SBID ( --name "IT.Custom.Locky.SMTP.UDP.Feb21-2"; --protocol udp; --ipver 4; --pattern "invoice_*-*.doc"; --context body; --service SMTP; --log DNS_QUERY; )

#HTTP
F-SBID ( --name "IT.Custom.Locky.HTTP.Feb21-1"; --protocol tcp; --ipver 4; --pattern "/main.php"; --context uri; --service HTTP; )
```
Apparently the SMTP rules are not working. The HTTP rule does.
Could someone help me out? :) Thanks in advance!
Fortinet Network Security Professional (NSE4)
Hi,
With deep inspection properly enabled, the FortiGate will also intercept the TLS handshake in the SMTP session!
But be careful - the FortiGate will then present its certificate to the client!! Which is mainly no problem between servers - but a major problem if you have Outlook or Thunderbird or whatever clients also connecting to that server via SMTP! These clients might not easily accept a FGT certificate without user interaction!
Br, Roman
A few quick items: did you run diag debug flow against the mail?
SMTP does not use UDP.
If the SMTP session is SSL/TLS, those rules will not work unless you decrypt the session.
Last, you're using the body, but I think it should be the HEADER for inspection on "content". The SMTP dialog should list the doc in question in the header.
Can you rewrite the two SMTP patterns with the context set for HEADER and not the body?
PCNSE
NSE
StrongSwan
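As an added example (not code from this thread or from Fortinet), the Python script below walks a constructed client-to-server SMTP byte stream the way a content-inspecting IPS would. It shows the two points made above: the attachment name only appears in the MIME part headers inside the DATA block, and once the client issues STARTTLS every byte after it is a TLS record, so no pattern can match unless the session is decrypted first. The session samples, the glob-to-regex translation of the thread's patterns and the helper names are assumptions for illustration.

```python
"""Added example, not code from the forum thread or from Fortinet.

Walks a client->server SMTP byte stream the way a content-inspecting
IPS would and reports which attachment names it could see. The session
samples below are constructed for illustration.
"""
import fnmatch
import re

# Glob patterns from the thread, translated to anchored regexes.
# (A real IPS engine has its own pattern syntax; the translation is an
# assumption made here so the example runs stand-alone.)
PATTERNS = ["invoice*.doc", "invoice_*-*.doc"]
PATTERN_RES = [re.compile(fnmatch.translate(p), re.IGNORECASE) for p in PATTERNS]

# Where an attachment name actually lives: the MIME part headers
# (Content-Type name=..., Content-Disposition filename=...) inside the
# SMTP DATA block, not in the SMTP envelope commands.
FILENAME_RE = re.compile(r'(?:filename|name)\s*=\s*"?([^";\r\n]+)"?', re.IGNORECASE)


def inspect_smtp_client_stream(stream: bytes) -> dict:
    """Return what an inline inspector can see in one client->server stream.

    starttls    -- True once the client issued STARTTLS; every byte after
                   that is a TLS record, so inspection stops there
    attachments -- file names found in MIME headers of the DATA block
    matches     -- the subset hitting one of PATTERNS
    """
    result = {"starttls": False, "attachments": [], "matches": []}
    in_data = False
    offset = 0
    while offset < len(stream):
        end = stream.find(b"\r\n", offset)
        if end == -1:          # no line terminator left: trailing ciphertext or junk
            break
        line = stream[offset:end]
        offset = end + 2
        if not in_data:
            cmd = line.strip().upper()
            if cmd == b"STARTTLS":
                result["starttls"] = True
                break          # rest of the stream is opaque without decryption
            if cmd == b"DATA":
                in_data = True
            continue
        if line == b".":       # end of message
            in_data = False
            continue
        try:
            text = line.decode("ascii")
        except UnicodeDecodeError:
            continue           # not a header line we can read
        for m in FILENAME_RE.finditer(text):
            name = m.group(1).strip()
            if name not in result["attachments"]:
                result["attachments"].append(name)
    result["matches"] = [n for n in result["attachments"]
                         if any(r.match(n) for r in PATTERN_RES)]
    return result


# Constructed plaintext session: the Locky-style attachment name is visible.
CLIENT_PLAIN = (
    b"EHLO mail.example.test\r\n"
    b"MAIL FROM:<billing@example.test>\r\n"
    b"RCPT TO:<victim@example.test>\r\n"
    b"DATA\r\n"
    b"From: billing@example.test\r\n"
    b"To: victim@example.test\r\n"
    b"Subject: Invoice\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b'Content-Type: application/msword; name="invoice_J-98223146.doc"\r\n'
    b'Content-Disposition: attachment; filename="invoice_J-98223146.doc"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\r\n"
    b"--b1--\r\n"
    b".\r\n"
)

# Constructed STARTTLS session: after the STARTTLS command the client
# restarts the dialog inside TLS. The bytes here only stand in for TLS
# records (0x16 = handshake content type); they are not a valid ClientHello.
CLIENT_STARTTLS = (
    b"EHLO mail.example.test\r\n"
    b"STARTTLS\r\n"
    + b"\x16\x03\x01\x00\x20" + bytes(range(32))
    + b"\x17\x03\x03\x00\x10" + bytes(range(0x80, 0x90))
)

if __name__ == "__main__":
    for label, sample in (("plain", CLIENT_PLAIN), ("starttls", CLIENT_STARTTLS)):
        print(label, inspect_smtp_client_stream(sample))
```

Running it, the plaintext sample reports the attachment and the pattern hit, while the STARTTLS sample stops at the STARTTLS command with nothing to match, which is the situation an inline IPS is in on an encrypted SMTP session until something (such as deep inspection) terminates the TLS for it.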
Thanks emnoc, I tried the HEADER context but it doesn't work either. I checked the TCP flow using Wireshark, and it seems to be encrypted. I'll try the DPI module within a few days.
Fortinet Network Security Professional (NSE4)
The encryption needs to be removed in order to peek into the flow. SMTP is commonly used with SSL/TLS ;)
PCNSE
NSE
StrongSwan
Even with DPI activated, the email won't get blocked :\
I've imported the DPI SSL certificate in my trusted root store ( and in firefox ).
Fortinet Network Security Professional (NSE4)
Hi,
Did you find a solution to this issue? I also want to prevent this kind of e-mail message.
Thanks
Not yet. But I might have made a few mistakes while configuring the DPI functionality.
I'll try to configure it again this evening.
Besides the SMTP IPS signatures, I've written HTTP-based signatures for the latest Locky ransomware and TeslaCrypt versions. We analyze those kinds of ransomware daily, using a custom sandbox environment and network analysis systems. If you're interested, PM me ;)
Fortinet Network Security Professional (NSE4)
Please update the post, I want to know that.
Thanks
Hi,
I have not been able to test it yet. I've been busy the past few days.
Tonight might be an option, I'll put it in my agenda.
Fortinet Network Security Professional (NSE4)
Thanks for update.