Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
razor
New Contributor III

Locky.Ransom SMTP invoice block rule

Hi there Specialists,

I have a question regarding custom IPS rules. I've wrote multiple IPS custom rules to prevent locky infections. The rules contains a pretty common attachment name, but for now it's being used by the locky ransomware so we would like to block all the SMTP attachment containing the name we defined ( see rules ).

 

The rules are:

#SMTP F-SBID ( --name "ITCustom.Locky.SMTP.TCP.Feb21-1"; --protocol tcp; --ipver 4; --pattern "invoice*.doc"; --context body; --service SMTP; --log DNS_QUERY; ) F-SBID ( --name "IT.Custom.Locky.SMTP.TCP.Feb21-2"; --protocol tcp; --ipver 4; --pattern "invoice_*-*.doc"; --context body; --service SMTP; --log DNS_QUERY; ) F-SBID ( --name "ITk.Custom.Locky.SMTP.UDP.Feb21-1"; --protocol udp; --ipver 4; --pattern "incoice*.doc"; --context body; --service SMTP; --log DNS_QUERY; ) F-SBID ( --name "IT.Custom.Locky.SMTP.UDP.Feb21-2"; --protocol udp; --ipver 4; --pattern "invoice_*-*.doc"; --context body; --service SMTP; --log DNS_QUERY; )

 

#HTTP

F-SBID ( --name "IT.Custom.Locky.HTTP.Feb21-1"; --protocol tcp; --ipver 4; --pattern "/main.php"; --context uri; --service HTTP; )

 

Apparently the SMTP rules are not working. The HTTP rule does.

 

Could someone help me out? :) Thanks in advance!

 

 

Fortinet Network Security Professional (NSE4)

Fortinet Network Security Professional (NSE4)
1 Solution
romanr
Valued Contributor

Hi,

 

with deep-inspection properly enabled the Fortigate will also intercept the TLS handshake in the SMTP session!

 

But be careful - the Fortigate will the present its certificate to the client!! Which is mainly no problem between servers - but a major problem if you have Outlook or Thunderbird or whatever clients also connecting to that server via SMTP! These clients might not easliy accept a FGT certificate without user interaction!

 

Br,Roman

 

 

View solution in original post

11 REPLIES 11
razor
New Contributor III

I'm not able to block encrypted SMTP emails while DPI enabled.

 

Is there any Fortinet Employee who is able to give us useful tips? Like a best practice?

Fortinet Network Security Professional (NSE4)

Fortinet Network Security Professional (NSE4)
romanr
Valued Contributor

Hi,

 

with deep-inspection properly enabled the Fortigate will also intercept the TLS handshake in the SMTP session!

 

But be careful - the Fortigate will the present its certificate to the client!! Which is mainly no problem between servers - but a major problem if you have Outlook or Thunderbird or whatever clients also connecting to that server via SMTP! These clients might not easliy accept a FGT certificate without user interaction!

 

Br,Roman

 

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors