Hi there Specialists,
I have a question regarding custom IPS rules. I've written multiple custom IPS rules to prevent Locky infections. The rules contain a pretty common attachment name, but for now it's being used by the Locky ransomware, so we would like to block all SMTP attachments containing the name we defined (see rules).
The rules are:
#SMTP
F-SBID ( --name "IT.Custom.Locky.SMTP.TCP.Feb21-1"; --protocol tcp; --ipver 4; --pattern "invoice*.doc"; --context body; --service SMTP; --log DNS_QUERY; )
F-SBID ( --name "IT.Custom.Locky.SMTP.TCP.Feb21-2"; --protocol tcp; --ipver 4; --pattern "invoice_*-*.doc"; --context body; --service SMTP; --log DNS_QUERY; )
F-SBID ( --name "IT.Custom.Locky.SMTP.UDP.Feb21-1"; --protocol udp; --ipver 4; --pattern "invoice*.doc"; --context body; --service SMTP; --log DNS_QUERY; )
F-SBID ( --name "IT.Custom.Locky.SMTP.UDP.Feb21-2"; --protocol udp; --ipver 4; --pattern "invoice_*-*.doc"; --context body; --service SMTP; --log DNS_QUERY; )
#HTTP
F-SBID ( --name "IT.Custom.Locky.HTTP.Feb21-1"; --protocol tcp; --ipver 4; --pattern "/main.php"; --context uri; --service HTTP; )
Apparently the SMTP rules are not working. The HTTP rule does.
Could someone help me out? :) Thanks in advance!
Fortinet Network Security Professional (NSE4)
Hi,
With deep inspection properly enabled, the FortiGate will also intercept the TLS handshake in the SMTP session!
But be careful: the FortiGate will then present its certificate to the client!! Which is mainly no problem between servers, but a major problem if you have Outlook or Thunderbird or whatever clients also connecting to that server via SMTP! These clients might not easily accept an FGT certificate without user interaction!
Br, Roman
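One practical check for the certificate point made above, as an added example that is not code from this thread or from Fortinet: a Python script that opens an SMTP session, issues STARTTLS and reports the certificate the client actually receives. If an inspecting device sits in the path, the issuer is its resigning CA rather than the mail server's real CA. The issuer name "FortiGate CA", the sample certificate dicts, and the host/port arguments are assumptions for illustration; pass your own inspection CA file and issuer name when running it.

```python
"""Report the certificate an SMTP client sees after STARTTLS.

Added example, not from the forum thread. The issuer name used to
recognise an intercepting device and the sample certificates below are
assumptions / constructed data, not values taken from any real device.
"""
import argparse
import smtplib
import ssl

# Assumed issuer CN of the inspecting device's resigning CA; adjust to yours.
ASSUMED_INSPECTION_CA_CN = "FortiGate CA"

# Constructed samples in the layout returned by ssl.SSLSocket.getpeercert():
# the first is what a client sees when the session is intercepted and
# resigned, the second what it sees when it reaches the mail server directly.
SAMPLE_INTERCEPTED = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("organizationName", "Fortinet"),), (("commonName", "FortiGate CA"),)),
    "notAfter": "Mar 21 12:00:00 2017 GMT",
}
SAMPLE_DIRECT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),), (("commonName", "Example Issuing CA"),)),
    "notAfter": "Mar 21 12:00:00 2017 GMT",
}


def cert_field(cert, section, key):
    """Return the first value of attribute `key` in the 'subject' or 'issuer' RDN sequence."""
    for rdn in cert.get(section, ()):
        for name, value in rdn:
            if name == key:
                return value
    return None


def describe(cert):
    """Summarise the fields an admin wants to see when comparing what clients get."""
    return {
        "subject_cn": cert_field(cert, "subject", "commonName"),
        "issuer_cn": cert_field(cert, "issuer", "commonName"),
        "issuer_o": cert_field(cert, "issuer", "organizationName"),
        "not_after": cert.get("notAfter"),
    }


def is_intercepted(cert, inspection_ca_cn=ASSUMED_INSPECTION_CA_CN):
    """True when the certificate was issued by the inspecting device's CA.

    A resigned certificate keeps the server's subject, so only the issuer
    tells the two cases apart; that is exactly why mail clients complain.
    """
    return cert_field(cert, "issuer", "commonName") == inspection_ca_cn


def fetch_starttls_cert(host, port=587, extra_ca_file=None, timeout=10):
    """EHLO, upgrade with STARTTLS and return the peer certificate dict.

    ssl only fills the dict for a chain it could verify, so the inspecting
    device's CA file can be added to see the details of a resigned cert.
    """
    ctx = ssl.create_default_context()
    if extra_ca_file:
        ctx.load_verify_locations(cafile=extra_ca_file)
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError("server did not advertise STARTTLS in its EHLO reply")
        smtp.starttls(context=ctx)  # wraps the socket with server_hostname=host
        return smtp.sock.getpeercert()


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="Show the STARTTLS certificate a client receives")
    parser.add_argument("host")
    parser.add_argument("--port", type=int, default=587)
    parser.add_argument("--ca-file", help="PEM file with the inspecting device's CA (optional)")
    parser.add_argument("--inspection-cn", default=ASSUMED_INSPECTION_CA_CN)
    args = parser.parse_args()
    cert = fetch_starttls_cert(args.host, args.port, args.ca_file)
    print(describe(cert))
    print("intercepted by inspection CA:", is_intercepted(cert, args.inspection_cn))
```

Run it once from a server-to-server path and once from a desktop on the client segment; if the second run shows the inspection CA as issuer while the first does not, that is the certificate mismatch Outlook or Thunderbird users will be prompted about.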
I'm not able to block encrypted SMTP emails while DPI is enabled.
Is there any Fortinet Employee who is able to give us useful tips? Like a best practice?
Fortinet Network Security Professional (NSE4)