XavierMP
New Contributor

Target configuration in IPS signatures to protect against botnets

I am using IPS signatures filtered by operating system and target = Client to protect my clients.

I thought that with this policy I could prevent and detect botnets and attacks on my clients when they browse the Internet.

But now I see that most Botnet signatures have a target = Server, so they don't apply to the policy I use with my clients. For example, I wanted protection against the Emotet Trojan, but the signature is target = Server.

In this document https://www.fortinet.com/blog/threat-research/deep-dive-into-emotet-malware.html you can read: "Fortinet has also developed an IPS signature named "Emotet.Botnet" to detect the traffic between the C2 server and the infected machine". So the infected machine is a client; why is the signature defined with the target "Server"?

How should I use the Signature target to configure IPS?

Thanks

https://fortiguard.com/encyclopedia/ips/33105

Emotet.Cridex.Botnet

Description

This indicates that a system might be infected by Emotet Botnet. Emotet is a Trojan that targets the Windows platform. It contacts C&C servers via HTTP or HTTPS requests. Emotet can download and install additional malware such as ransomware or infostealers. Emotet is a variant of Cridex malware.

2 Solutions
AKrause
Contributor

Fortinet is mixing up the detection and prevention of botnet / C2 traffic across several modules. In FortiOS 5.4 there was the category 'botnet' in Application Control. This has been poorly moved to IPS in FortiOS 5.6 without building a new category. I had a long, long discussion with FTNT support about this issue and raised the same question about the meaning of target in the case of IPS signatures. We missed Emotet infections because we had IPS profiles for target=client.

1/ What is the meaning of client/server in context of the botnet IPS signatures?

2/ What is the Fortinet Best Practice for Botnet Detection in FortiOS 5.6 for Client Traffic? If you select target=client you will miss a lot of Botnet signatures!

It was hard, because the FTNT support answered things like this: "If you consider that this application should be categorized as client+server as it was before in Application control, please contact FortiGuard team as they are managing the IPS updates and signature categorization." :(

After several replies and phone calls FTNT closed the ticket with:

"Unfortunately as no such "Category : Botnet" filter exists for now on the IPS sensor, the product is working as designed and from a TAC perspective we cannot do anything more. If you need this feature, please contact sales and file an NFR (New Feature Release) for this."

Sad but true.

Our current solution is: We put all *botnet* and *Exploit.Kit* patterns manually into our protect_client IPS profile, which is added to the outbound traffic policies. The drawback is that you miss new signatures, so you have to add them by hand.

best regards

Andreas
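The gap the workaround above leaves (botnet signatures tagged Target=Server that a Target=Client filter never selects, plus new signatures that must be added by hand) can be checked with a small audit script. The following is an added example, not code from this thread or from Fortinet. It models the sensor semantics the thread describes (a filter entry matches signatures by Target and OS attributes, a rule entry names signatures by ID), runs the audit over a constructed sample signature list (only rule 33105 Emotet.Cridex.Botnet and its Target=Server attribute come from the thread; every other record is made up), and assumes the FortiOS `config entries` / `set rule` / `set status` / `set action` CLI keywords for the rendered fragment.

```python
"""Coverage audit for an IPS sensor built from Target/OS filters.

Added example, not the thread's or Fortinet's code. Lists every signature
whose name matches a botnet/exploit-kit pattern but that no entry of the
sensor covers, so the by-hand additions can be refreshed after each
signature update instead of being forgotten.
"""
from __future__ import annotations

from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Signature:
    rule_id: int
    name: str
    target: frozenset  # {"client"}, {"server"} or both
    os: str


@dataclass(frozen=True)
class SensorEntry:
    """One sensor entry: either an explicit rule list or an attribute filter."""
    rule_ids: frozenset = frozenset()
    target: str | None = None  # None means "all"
    os: str | None = None      # None means "all"

    def matches(self, sig: Signature) -> bool:
        if self.rule_ids:
            return sig.rule_id in self.rule_ids
        if self.target is not None and self.target not in sig.target:
            return False
        if self.os is not None and self.os.lower() != sig.os.lower():
            return False
        return True


# CONSTRUCTED sample of a signature database. Only rule 33105 and its
# Target=Server attribute are taken from the thread; the rest is invented.
SIGNATURES = [
    Signature(33105, "Emotet.Cridex.Botnet", frozenset({"server"}), "Windows"),
    Signature(90001, "Sample.Loader.Botnet", frozenset({"server"}), "Windows"),
    Signature(90002, "Sample.Exploit.Kit.Landing.Page", frozenset({"server"}), "Windows"),
    Signature(90003, "Sample.IoT.Device.Botnet", frozenset({"client"}), "Linux"),
    Signature(90004, "Sample.Browser.Memory.Corruption", frozenset({"client"}), "Windows"),
    Signature(90005, "Sample.Web.Server.Buffer.Overflow", frozenset({"server"}), "Linux"),
]

# The thread's protect_client sensor: a Target=Client / OS=Windows filter
# plus the Emotet rule that was added by hand.
PROTECT_CLIENT = [
    SensorEntry(target="client", os="Windows"),
    SensorEntry(rule_ids=frozenset({33105})),
]

# Name patterns the thread uses when adding botnet coverage manually.
AUDIT_PATTERNS = ("*botnet*", "*exploit.kit*")


def covered(sensor, signatures):
    """Rule IDs that at least one sensor entry selects."""
    return {s.rule_id for s in signatures if any(e.matches(s) for e in sensor)}


def wanted(patterns, signatures):
    """Rule IDs whose name matches any audit pattern (case-insensitive glob)."""
    return {s.rule_id for s in signatures
            if any(fnmatchcase(s.name.lower(), p.lower()) for p in patterns)}


def audit_gaps(sensor, signatures, patterns):
    """Sorted rule IDs that match a pattern but that the sensor does not cover."""
    return sorted(wanted(patterns, signatures) - covered(sensor, signatures))


def render_cli_entries(rule_ids, start_index=100):
    """FortiOS CLI fragment adding each missing rule as its own sensor entry.
    The keyword names are an ASSUMPTION based on FortiOS 5.6 syntax; verify
    them against the firmware in use before applying."""
    lines = ["config entries"]
    for i, rid in enumerate(rule_ids, start_index):
        lines += [f"    edit {i}", f"        set rule {rid}",
                  "        set status enable", "        set action block", "    next"]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    gaps = audit_gaps(PROTECT_CLIENT, SIGNATURES, AUDIT_PATTERNS)
    by_id = {s.rule_id: s for s in SIGNATURES}
    for rid in gaps:
        s = by_id[rid]
        print(f"missing: {rid} {s.name} target={'/'.join(sorted(s.target))} os={s.os}")
    print(render_cli_entries(gaps))
```

On the sample data the audit reports the constructed Target=Server botnet and exploit-kit signatures and the Linux-only botnet signature, while the already-added Emotet rule and the client-side memory-corruption signature (selected by the Target=Client / Windows filter) are left alone. In practice the SIGNATURES list would be replaced by an export of the current FortiGuard signature attributes.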


AKrause

Some more words on this one: FTNT has several modules for Botnet / C2 Detection and Prevention:

Botnet IP Database

Botnet Domain Database

IPS Botnet Signatures

Webfilter Category Malicious Websites

Application Control Botnet (up to FortiOS 5.4)

I raised a ticket about the Botnet IP / Domain Database not being up to date with the known Emotet infrastructure:

"[...] The Emotet Infrastructure is back online today (https://twitter.com/certb...s/1164803474497761286) https://paste.cryptolaemu...are-IoCs_06-21-19.html We have checked the known list of Emotet C2 IPs against the list of Fortiguard Botnet IPs. It seems that none of these known C2 IPs of Emotet are used within the Fortiguard Botnet Database. [...]"

FTNT support referred to the Fortiguard Team - https://fortiguard.com/faq/generalcontact - but there was no reply.

I called the support again, but it did not work out. TAC asks about providing a sample and is not helpful in explaining the FTNT best practice for detection of infected clients. It seems that support is not aware of a high-level approach.

My experience is:

1/ Botnet IP DB and Botnet Domain DB are not maintained and not kept up to date for current threats such as Emotet. That's really bad because the protection is easy to deploy interface-based.

2/ The IPS botnet signatures are quite good (e.g. Emotet.Cridex) but the implementation is really bad, because of the missing category and the ambiguity of botnet signatures in the IPS context. (IPS was designed to protect a client or server from being exploited; the botnet signatures are indicators of a client that has been compromised.)

3/ The Webfilter Malicious Websites category is the most important module used by Fortinet to prevent malware staging such as Emotet. A lot of the Emotet IOCs are categorized as malicious websites, e.g. https://fortiguard.com/search?q=http%3A%2F%2Fnekobiz.ikie3.com%2Fwp-includes%2F2w52077%2F&engine=1

We have set up FGT-Webfilter and block security risk websites (Malicious, Phishing, SPAM URLs) for all outbound internet traffic. If you rely on the Botnet DB only you miss a lot of potential.

The drawback of Webfilter is: There are a lot of false positives in security risk websites. Re-evaluation is done by a specialised team only on request: https://fortiguard.com/faq/malurl

We do have several 'rating errors' on high traffic load which result in missing detections of malicious websites.

We have an open support ticket on this issue as well...

best regards

Andreas


7 Replies

XavierMP

totally agree

Adding manually is impossible to manage; it's like an antivirus without updates.

Maybe it's better to add client and server to the protect_client IPS profile for outbound traffic. In this case, the drawback can be performance.


XavierMP

Yes, I think Fortigate IPS is not easy to understand and Fortinet needs to improve its documentation and some areas.

For example, for outbound traffic, how do you configure SSL and HTTPS in the IPS? Do you have SSL and HTTPS in another policy with a different IPS sensor, or do you mix encrypted traffic inspection with non-encrypted traffic in the same policy?

On the other hand, if you don't do a man in the middle with deep certificate inspection, I understand that the IPS is not doing anything with encrypted traffic, isn't it?

AKrause

IPS has limited capabilities for SSL traffic without Deep Inspection.

SSL Certificate inspection, which is mandatory in FortiOS 5.6 and above, helps for signatures that are based on hostnames/domains or SSL/TLS related indicators.

However, we don't do deep inspection for any traffic due to limitations and issues in several applications.

XavierMP

So do you create an outbound policy with all allowed protocols and apply an IPS sensor for all protocols (including SSL and HTTPS) and certificate inspection to the policy? Is this correct?

Or is it better to separate into 2 policies: one for unencrypted traffic without certificate inspection and an IPS sensor without SSL inspection; and the other with encrypted traffic and certificate inspection?

AKrause

Since FortiOS 5.6 an SSL Profile is mandatory if you enable IPS.

We have one policy for IPS client protection and certificate inspection.
