miki_m
New Contributor II

Why is the alert only for 5.2.x? Moxa.SDS-3008.CVE-2022-40224.DoS

Since March 2nd, we have detected the following alerts on several fortigates.


Moxa.SDS-3008.CVE-2022-40224.DoS
http://www.fortinet.com/ids/VID52664


However, the alerts are only for 5.2.x and not for other versions.
Also, in the alert, it is trying a DoS attack from LAN to WAN, and the destinations of the attack are Trend Micro and ESET.
Trying to attack a company that has DoS countermeasures is also unnatural.


Is it a bug that occurs only in 5.2.x?

1 Solution
Mike1891
New Contributor

Same problem on 5.2.xx. By default this alert was set to "accept", and we changed it to "dropped" just in case; this caused some web services to stop working until Friday. To this day, the same service does not generate any alerts and started working again. I guess something changed in the signature...


ohornig
New Contributor

Hello, we are also struggling with that behavior, but on 7.2.4.


Log message:

Message meets Alert condition
The following intrusion was observed: Moxa.SDS-3008.CVE-2022-40224.DoS.
date=2023-03-04 time=22:48:12 devname=FG devid=FGT60F********** eventtime=1677966492696716740 tz="+0100" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="high" srcip=<some LAN address> srccountry="Reserved" dstip=157.240.30.55 dstcountry="Czech Republic" srcintf="VLAN123" srcintfrole="lan" dstintf="VLAN456" dstintfrole="wan" sessionid=142722838 action="detected" proto=6 service="HTTP" policyid=1 poluuid="e108e3f4-ab85-51ec-eb42-d61b53f3a906" policytype="policy" attack="Moxa.SDS-3008.CVE-2022-40224.DoS" srcport=54148 dstport=80 hostname="c.whatsapp.net" url="/chat" agent="Mozilla/5.0 (compatible; WAChat/1.2; +http://www.whatsapp.com/contact)" httpmethod="POST" direction="outgoing" attackid=52664 profile="default" ref="http://www.fortinet.com/ids/VID52664" incidentserialno=203040213 msg="SCADA: Moxa.SDS-3008.CVE-2022-40224.DoS" crscore=30 craction=8192 crlevel="high" 
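An added triage helper for the log format quoted above (example code, not from the thread or from Fortinet): it parses the FortiGate key=value line, then flags hits where an industrial (SCADA) signature fired on ordinary outbound LAN-to-WAN web traffic, which is the pattern this thread describes. The sample line is a constructed copy of the post's log, with the redacted source address replaced by a private address.

```python
import re

# Constructed copy of the IPS log line quoted above; the poster redacted the
# source address, so a private RFC 1918 address is substituted here.
SAMPLE_LOG = (
    'date=2023-03-04 time=22:48:12 devname=FG devid=FGT60F********** '
    'logid="0419016384" type="utm" subtype="ips" eventtype="signature" '
    'level="alert" severity="high" srcip=192.168.10.25 dstip=157.240.30.55 '
    'srcintf="VLAN123" srcintfrole="lan" dstintf="VLAN456" dstintfrole="wan" '
    'action="detected" proto=6 service="HTTP" policyid=1 '
    'attack="Moxa.SDS-3008.CVE-2022-40224.DoS" srcport=54148 dstport=80 '
    'hostname="c.whatsapp.net" url="/chat" httpmethod="POST" direction="outgoing" '
    'agent="Mozilla/5.0 (compatible; WAChat/1.2; +http://www.whatsapp.com/contact)" '
    'attackid=52664 profile="default" msg="SCADA: Moxa.SDS-3008.CVE-2022-40224.DoS" '
    'crscore=30 crlevel="high" '
)

# key=value pairs; quoted values may contain spaces (see the agent= field).
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_fortigate_log(line):
    """Split a FortiGate key=value log line into a dict of string fields."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]  # strip the surrounding quotes
        fields[key] = raw
    return fields

def triage_ips_hit(fields):
    """Flag IPS hits whose traffic context contradicts the signature's target."""
    reasons = []
    if fields.get("msg", "").startswith("SCADA:"):
        reasons.append("industrial (SCADA) signature matched")
    if (fields.get("direction") == "outgoing" and fields.get("srcintfrole") == "lan"
            and fields.get("dstintfrole") == "wan"):
        reasons.append("flow is outbound LAN-to-WAN, not traffic toward an OT device")
    if fields.get("service") == "HTTP" and fields.get("hostname"):
        reasons.append("ordinary web request to " + fields["hostname"])
    return {
        "attack": fields.get("attack"),
        "attackid": fields.get("attackid"),
        "blocked": fields.get("action") != "detected",  # detect-only hits pass traffic
        "verdict": "likely false positive" if len(reasons) >= 3 else "needs review",
        "reasons": reasons,
    }

if __name__ == "__main__":
    result = triage_ips_hit(parse_fortigate_log(SAMPLE_LOG))
    print(result["verdict"], "blocked=%s" % result["blocked"], *result["reasons"], sep="\n")
```

A "likely false positive" verdict is a prompt to check the IPS definition version and the signature's action, not a reason to ignore the alert.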


miki_m
New Contributor II

Hello ohornig, Thank you for providing the information.


ohornig

It seems to me that it was connected with the Industrial Service IPS definitions, because we faced this problem on only one of our managed boxes. All of our Fortigates utilize UTP bundles, but this one runs with the Enterprise bundle, which includes Industrial definitions for IPS. We received the last attempt on 07.03.2023 at 20:09; since then it seems to have been solved by the updated definitions.

miki_m
New Contributor II

Hello Mike1891, Thank you for providing the information.
On 3/6 Japan time, the signature seems to have changed.
No more alerts after that.
I'm thinking maybe the signature wasn't right and was removed.
