Since March 2nd, we have detected the following alerts on several fortigates.
Moxa.SDS-3008.CVE-2022-40224.DoS
http://www.fortinet.com/ids/VID52664
However, the alerts are only for 5.2.x and not for other versions.
Also, in the alert, it is trying to dos attack from LAN to WAN, and the destination of the attack is trendmicro and eset.
Trying to attack a company that has DOS countermeasures is also unnatural.
Is it a bug that occurs only in 5.2.x?
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Same problem on 5.2.xx, by default this alert was set to "accept", and we changed it to "dropped" just in case, this caused some web service to stop working until Friday. To this day, the same service does not generate any alerts and started working again. I guess something changed in the signature...
Hello, we are also struggling with that behavior, but on 7.2.4.
Log message:
Message meets Alert condition The following intrusion was observed: Moxa.SDS-3008.CVE-2022-40224.DoS. date=2023-03-04 time=22:48:12 devname=FG devid=FGT60F********** eventtime=1677966492696716740 tz="+0100" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="high" srcip=<some LAN address> srccountry="Reserved" dstip=157.240.30.55 dstcountry="Czech Republic" srcintf="VLAN123" srcintfrole="lan" dstintf="VLAN456" dstintfrole="wan" sessionid=142722838 action="detected" proto=6 service="HTTP" policyid=1 poluuid="e108e3f4-ab85-51ec-eb42-d61b53f3a906" policytype="policy" attack="Moxa.SDS-3008.CVE-2022-40224.DoS" srcport=54148 dstport=80 hostname="c.whatsapp.net" url="/chat" agent="Mozilla/5.0 (compatible; WAChat/1.2; +http://www.whatsapp.com/contact)" httpmethod="POST" direction="outgoing" attackid=52664 profile="default" ref="http://www.fortinet.com/ids/VID52664" incidentserialno=203040213 msg="SCADA: Moxa.SDS-3008.CVE-2022-40224.DoS" crscore=30 craction=8192 crlevel="high"
Hello ohornig, Thank you for providing the information.
It seems to me that it was connected with Industrial Service IPS definitions because we faced this problem only on one of our managed boxes. All of our Fortigates utilize UTP bundles, but this one runs with Enterprise bundle which includes Industrial definitions for IPS. We received last attempt at 07.03.2023 20:09, from this time it seems to be solved by the updated definitions.
Same problem on 5.2.xx, by default this alert was set to "accept", and we changed it to "dropped" just in case, this caused some web service to stop working until Friday. To this day, the same service does not generate any alerts and started working again. I guess something changed in the signature...
Hello Mike1891, Thank you for providing the information.
On 3/6 Japan time, the signature seems to have changed.
No more alerts after that.
I'm thinking maybe the signature wasn't right and was removed.
Hello ohornig, Thank you for providing the information.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1502 | |
1013 | |
749 | |
443 | |
209 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.