Support Forum
cmoney
New Contributor

imp.onesearch.org - Compromised Host Detection by IOC

Hi Folks:

Trying to understand what Alert and Hostname are and whether or not we need to whitelist this. Below are the details from one of our Firewalls:

Log ID: 0316013056
Type: utm
Sub Type: webfilter
Event Type: ftgd_blk
Level: warning
eventtime: 1587743286
Policy ID: 2
Session ID: 11105149
Source IP: 10.80.6.135
Source Port: 59657
Source Interface: LAN
srcintfrole: lan
Destination IP: 34.232.56.142
Destination Port: 443
Destination Interface: wan1
dstintfrole: wan
Protocol: 6
Service: HTTPS
Host Name: imp.onesearch.org
Profile: default
Action: blocked
Request Type: direct
URL: /
Sent: 517
Received: 0
Direction: outgoing
Message: URL belongs to a denied category in policy
Method: domain
Category: 26
Category Description: Malicious Websites
Threat Score: 60
Threat Level: high

When I performed a search on VirusTotal only Fortinet and Forcepoint marked that hostname as suspicious.

tanr
Valued Contributor II

I'm not quite sure what you're asking?

The host name in the logs is the domain name (imp.onesearch.org), without any additional URL part after it. In this case, the URL is just the root anyway ("/"), but the URL could be "/Support/Videos" or the like.

The possibly compromised host has IP 10.80.6.135 in your LAN. Normally IOC doesn't flag a host as compromised for hitting a few malicious websites, so you may want to check the logs to see if there has been other activity.

If you think the website has been incorrectly categorized, you can request they re-evaluate it from your FortiGate's System > FortiGuard page.
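As an added illustration of the advice above to check the logs for other activity from 10.80.6.135 (example code written for this thread, not Fortinet's or the forum's): it parses FortiGate-style raw key=value webfilter log lines and counts blocked "Malicious Websites" hits per internal source IP, so a host with repeated hits across several hostnames stands out from one that touched a single flagged domain once. The log lines are constructed and trimmed to a few fields; the key names (srcip, hostname, catdesc, action, eventtime, crlevel) are assumed to be the raw-log equivalents of the GUI labels in the post, and the thresholds are arbitrary.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the forum post) in FortiGate's raw
# key=value syslog style, trimmed to the fields the triage needs. The first
# line mirrors the event in the post; the rest are invented.
SAMPLE_LOGS = """\
eventtime=1587743286 srcip=10.80.6.135 dstip=34.232.56.142 hostname="imp.onesearch.org" action="blocked" url="/" catdesc="Malicious Websites" crlevel="high"
eventtime=1587743301 srcip=10.80.6.135 dstip=34.232.56.142 hostname="imp.onesearch.org" action="blocked" url="/" catdesc="Malicious Websites" crlevel="high"
eventtime=1587743420 srcip=10.80.6.135 dstip=203.0.113.7 hostname="hijack.example" action="blocked" url="/update" catdesc="Malicious Websites" crlevel="high"
eventtime=1587743533 srcip=10.80.6.135 dstip=203.0.113.8 hostname="adware.example" action="blocked" url="/" catdesc="Malicious Websites" crlevel="high"
eventtime=1587743610 srcip=10.80.6.50 dstip=34.232.56.142 hostname="imp.onesearch.org" action="blocked" url="/" catdesc="Malicious Websites" crlevel="high"
eventtime=1587743700 srcip=10.80.6.50 dstip=198.51.100.9 hostname="www.example.com" action="passthrough" url="/" catdesc="Information Technology" crlevel="low"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_line(line):
    """Parse one raw log line into a dict, stripping quotes from quoted values."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(line)}


def triage_sources(log_text, min_events=3, min_hosts=2):
    """Count blocked 'Malicious Websites' hits per source IP; needs_review is set
    when a source reached min_events hits across min_hosts distinct hostnames
    (arbitrary thresholds standing in for 'more than a few' hits)."""
    per_src = defaultdict(lambda: {"events": 0, "hosts": set(), "times": []})
    for line in log_text.splitlines():
        f = parse_fortigate_line(line)
        if f.get("action") != "blocked" or f.get("catdesc") != "Malicious Websites":
            continue  # allowed traffic and other categories are not evidence here
        s = per_src[f["srcip"]]
        s["events"] += 1
        s["hosts"].add(f["hostname"])
        s["times"].append(int(f["eventtime"]))
    return {
        src: {
            "events": s["events"],
            "hosts": sorted(s["hosts"]),
            "span_s": max(s["times"]) - min(s["times"]),  # seconds first to last hit
            "needs_review": s["events"] >= min_events and len(s["hosts"]) >= min_hosts,
        }
        for src, s in per_src.items()
    }


if __name__ == "__main__":
    for src, summary in triage_sources(SAMPLE_LOGS).items():
        print(src, summary)
```

Feed it the raw webfilter log export for the time window around the alert; a source that only ever hit imp.onesearch.org once is a candidate for the rating review Dave and tanr mention, while one with many hits across several hosts warrants looking at the endpoint itself.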

Dave_Hall
Honored Contributor

The logs are implying the site "imp.onesearch.org" is flagged as Malicious - looking it up in FortiGuard, the site is indeed flagged as such. But it may be referring to "onesearch.org" as malicious rather than "imp.onesearch.org" - they do resolve to different IP addresses.

A Google search on the domain does imply malicious intent, as browser hijacking.

Further research would be needed. If "imp.onesearch.org" is legit, you may want to submit a review. Alternately, you could always reclassify the site with a local rating override, but do assess the risk.

 

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
