Victor
New Contributor III

Ultrasurf 9.8

Has anyone experienced this version of Ultrasurf? The Fortinet sig does not block it.
7 REPLIES
billp
Contributor

Blocks it for me. Latest sig recognizes it as "Ultrasurf 9.6+". This is a different sig than just "Ultrasurf," which only covers earlier versions. The new sig will allow Ultrasurf to connect to its Google home/search page, but all subsequent searches or URLs from that point forward are blocked. Bill

Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1
Not applicable

Hi Bill, where can you find the latest signature for Ultrasurf? There is no signature like the one you mentioned, "Ultrasurf 9.6+", in the IPS's Predefined list. Only the old, earlier-version signature exists, which is "Ultrasurf". Best.
Carlos_Menezes
New Contributor

Hi all, in my tests, Ultrasurf 9.8 is still connecting and browsing. I'm on the latest version: v4.0,build0185,091020 (MR1 Patch 1). I have an open ticket with Fortinet support. Att,
Carlos Alfredo Fortigate 600-C, 300-A (4.0MR3-P5)
rwpatterson

Can't help the already installed instances, but the following keeps it from being downloaded...

    config antivirus filepattern
        edit 2
            config entries
                edit "wjbutton*.*"
                    set active imap smtp pop3 http ftp im nntp
                next
                edit "u9?.*"
                    set active imap smtp pop3 http ftp im nntp
                next
                edit "u.*"
                    set active imap smtp pop3 http ftp im nntp
                next
                edit "u9??.*"
                    set active imap smtp pop3 http ftp im nntp
                next
                edit "UltraSurf*.z*"
                    set active imap smtp pop3 http ftp im nntp
                next
                edit "UltraSurf*.e*"
                    set active imap smtp pop3 http ftp im nntp
                next
                edit "UltraSurf*.r*"
                    set active imap smtp pop3 http ftp im nntp
                next
                edit "UltraSurf*.x*"
                    set active imap smtp pop3 http ftp im nntp
                next
            end
            set name "Proxy software"
        next
    end

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Carlos_Menezes
New Contributor

Hi everybody. I discovered why it was not blocking Ultrasurf and Skype. In my case, for an unknown reason, after the migration from version 3 to 4, the app control that was created had some kind of bug. I dropped and re-created the app control rule. It's a very stupid problem, and it is very difficult to give a convincing reason, but it works for me. Att,
Carlos Alfredo Fortigate 600-C, 300-A (4.0MR3-P5)
Abhay_Dubey

Ultrasurf needs to be blocked using either IPS or application control, depending on the firmware that is running on the unit (version 3 and version 4 respectively). I assume you are running firmware version 4. Please refer to the FortiGate Administration guide on creating application control lists and applying them through the protection profile. The 'ultrasurf' application is listed under category 'proxy'.

IF ULTRASURF is not getting blocked, then you need to find out which version of the UltraSurf software is not getting blocked, because maybe there is no signature for the new UltraSurf application.

TRY THIS, because we had an issue with an end user facing a similar problem, and it required a custom IPS signature to be added. To apply the IPS signature, please take the following steps:

• On the Fortigate unit, click on the UTM tab to expand it
• Click on Intrusion Protection
• Click on Custom > Create new; it takes you to the “Edit custom signature screen”
• Enter a name for the custom menu
• Copy the following and paste it in the “Signature” text field:

    F-SBID( --name "ultrasurf.96.tag"; --protocol tcp; --service SSL; --flow from_client; --seq >,70,relative; --pattern "|16 03 01 00 86 10 00 00 82|"; --within 11,packet; --data_size 186; --tag set,ultrasurf1.tag; )

• Click on IPS Sensor
• You can create a new IPS Sensor or use one of the defaults. Click on the IPS sensor you want to apply to the protection profile
• Click on the “Add Custom Override” button
• In the Signature text field, click on the browse button to the right of it
• It opens a new window with the custom signature you created previously
• Click on the text to select it
• It is added to the “Signature selected” text field
• Click on “Ok”
• Set it to Enable and set the action to pass, enable logging and packet log
• Click on Okay
• Do the same for the second sensor, but for that, set the action to “reset”; the other options should remain the same
• Apply the IPS sensor to the protection profile you wish to disallow Ultrasurf
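What the `--pattern` bytes in the custom signature above decode to, as an added example that is not part of the original post and not Fortinet code. The function and constant names are hypothetical, and `--data_size` is treated here as the TCP payload size of the matched packet.

```python
import struct

# Pattern bytes copied from the custom signature in the post above.
SIG_PATTERN = bytes.fromhex("16 03 01 00 86 10 00 00 82".replace(" ", ""))
SIG_DATA_SIZE = 186  # value of --data_size in the same signature

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   12: "server_key_exchange", 14: "server_hello_done",
                   16: "client_key_exchange", 20: "finished"}
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
            (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def decode_tls_prefix(data: bytes) -> dict:
    """Decode the 5-byte TLS record header and the 4-byte handshake header."""
    if len(data) < 9:
        raise ValueError("need at least 9 bytes (record + handshake header)")
    ctype, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    if ctype != 22:
        raise ValueError(f"not a handshake record (content type {ctype})")
    hs_type = data[5]
    hs_len = int.from_bytes(data[6:9], "big")  # handshake length is 24 bits
    return {
        "content_type": CONTENT_TYPES.get(ctype, "unknown"),
        "version": VERSIONS.get((major, minor), f"{major}.{minor}"),
        "record_length": rec_len,
        "handshake_type": HANDSHAKE_TYPES.get(hs_type, f"type {hs_type}"),
        "handshake_length": hs_len,
        # True when a single handshake message exactly fills the record
        "fills_record": hs_len + 4 == rec_len,
    }


def bytes_after_record(info: dict, payload_size: int) -> int:
    """Payload bytes left after the first record in a packet of payload_size."""
    return payload_size - (5 + info["record_length"])


if __name__ == "__main__":
    info = decode_tls_prefix(SIG_PATTERN)
    for key, value in info.items():
        print(f"{key:17} {value}")
    print("bytes after record", bytes_after_record(info, SIG_DATA_SIZE))
```

The signature therefore keys on a fixed-size TLS 1.0 ClientKeyExchange record inside a packet of a fixed payload size, which is why it is tied to specific client versions and can stop matching when the client's handshake changes.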
billp
Contributor

It's in my regular list of application signatures under Application Control. It's not an IPS signature per se. It's listed under the Proxy category, application name "Ultrasurf.9.6+". If you don't have it, perhaps it's tied to a particular revision of the firmware. I know they have been reworking the IPS engine from time to time, and that affects the IPS and Application signatures.

Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1