Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
razor
New Contributor III

Locky.Ransom SMTP invoice block rule

Hi there Specialists,

I have a question regarding custom IPS rules. I've wrote multiple IPS custom rules to prevent locky infections. The rules contains a pretty common attachment name, but for now it's being used by the locky ransomware so we would like to block all the SMTP attachment containing the name we defined ( see rules ).

 

The rules are:

#SMTP F-SBID ( --name "ITCustom.Locky.SMTP.TCP.Feb21-1"; --protocol tcp; --ipver 4; --pattern "invoice*.doc"; --context body; --service SMTP; --log DNS_QUERY; ) F-SBID ( --name "IT.Custom.Locky.SMTP.TCP.Feb21-2"; --protocol tcp; --ipver 4; --pattern "invoice_*-*.doc"; --context body; --service SMTP; --log DNS_QUERY; ) F-SBID ( --name "ITk.Custom.Locky.SMTP.UDP.Feb21-1"; --protocol udp; --ipver 4; --pattern "incoice*.doc"; --context body; --service SMTP; --log DNS_QUERY; ) F-SBID ( --name "IT.Custom.Locky.SMTP.UDP.Feb21-2"; --protocol udp; --ipver 4; --pattern "invoice_*-*.doc"; --context body; --service SMTP; --log DNS_QUERY; )

 

#HTTP

F-SBID ( --name "IT.Custom.Locky.HTTP.Feb21-1"; --protocol tcp; --ipver 4; --pattern "/main.php"; --context uri; --service HTTP; )

 

Apparently the SMTP rules are not working. The HTTP rule does.

 

Could someone help me out? :) Thanks in advance!

 

 

Fortinet Network Security Professional (NSE4)

Fortinet Network Security Professional (NSE4)
1 Solution
romanr
Valued Contributor

Hi,

 

with deep-inspection properly enabled the Fortigate will also intercept the TLS handshake in the SMTP session!

 

But be careful - the Fortigate will the present its certificate to the client!! Which is mainly no problem between servers - but a major problem if you have Outlook or Thunderbird or whatever clients also connecting to that server via SMTP! These clients might not easliy accept a FGT certificate without user interaction!

 

Br,Roman

 

 

View solution in original post

11 REPLIES 11
emnoc
Esteemed Contributor III

A few quick items, did you run diag debug flow against the mail?

 

SMTP does not use udp

 

If the SMTP session is  ssl/tls that rules will not work unless you de-encrypted the session.

 

last, your using the body but I think it should be  the HEADER for inspection on "content". The SMTP dialog should list the  doc in question in the header.

 

can you  re-write the 2  SMTP patterns and content  set for HEADER and not the body?

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
razor
New Contributor III

Thanks emnoc, I tried the HEADER context but it doesn't work either. I check the tcp flow using Wireshark, and it seems to be encrypted. I'll try the DPI module within a few days.

Fortinet Network Security Professional (NSE4)

Fortinet Network Security Professional (NSE4)
emnoc
Esteemed Contributor III

The encryption needs to be removed in-order to peek into the flow. SMTP is commonly  used with SSL/TLS ;)

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
razor
New Contributor III

Even with DPI activated the email won't get blocked :\

 

I've imported the DPI SSL certificate in my trusted root store ( and in firefox ).

Fortinet Network Security Professional (NSE4)

Fortinet Network Security Professional (NSE4)
CAD

Hi, 

Did you find  a solution to this issue, I also want to prevent this kind of e-mail messages

 

thanks

razor
New Contributor III

Not yet. But I might have made a few mistakes while configuring the DPI functionality.

 

I'll try to configure it again this evening.

 

Beside the SMTP ips signatures, I've wrote HTTP based signatures for the latest locky ransomware and teslacrypt versions. We analyze those kind of ransomware daily, using custom sandbox environment and network analyses systems. If you're interested, PM me ;)

Fortinet Network Security Professional (NSE4)

Fortinet Network Security Professional (NSE4)
CAD

please update the post , i want to know that.

 

thanks

razor
New Contributor III

Hi,

 

I have not been able to test it yet. I've been busy past days.

 

Tonight might be an option, I'll put it in my agenda.

 

Fortinet Network Security Professional (NSE4)

Fortinet Network Security Professional (NSE4)
CAD

Thanks for update.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors