Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
leila07
New Contributor

source of an attempted attack

Hello,

 

the Integrated IPS fortigate detected an attempted attack: browser.spoofing.IDN.attempt according to the attack report, the source of attack is an internal address and the destination is an external address of a Web site.

my question is: how could the internal address be the source of attack if the vulnerability affects the browser ??

1 Solution
seadave

Security Profiles...Intrusion Protection

Edit a policy

In the policy under Action choose Quarantine and then choose for how long under "Expires".

I like to use a IPS rule at the top of all of my polices that includes the ZmEu, Morfeus, and Nessus vuln scanners.  If anyone hits me with those, they get banned.  Stops a lot of traffic.  External managed security indicates the first two are very common initial recon attempts.

View solution in original post

7 REPLIES 7
pcraponi
Contributor II

Maybe the internal user has clicked on a website link that has a homograph attack.

 

The best way to discover what happened, is enable "Packet Logging" on IPS profile. So, you can get the PCAP of the signature trigger on FortiAnalyzer and see what is the behavior.

 

The direction of the attack is irrelevant. The IPS signature trigger the source and the destination of the packet.

 

 

BR,

Paulo Raponi

Regards, Paulo Raponi

Regards, Paulo Raponi
leila07

Thanks Paulo for the reply, maybe your guess is true.

but even if we suppose that it was true, the user sould be the victim of the attack not the web site.

on the other hand, the "Packet Logging" is already enabled. how can I get the PCAP of the signature trigger on FortiAnalyzer and see what is the behavior??

seadave
Contributor III

I've seen the same issue on 100D 4.3.18.  I have my IPS rules set to ban IPs that trigger them externally.  This normally works fine, but I've noticed that for the OpenSSL.TLS.Heartbeat.Information.Disclosure, the internal host IP gets blocked instead of the external attacking source.  I'm guessing that is because the signature doesn't detect the attack until the response.  Seems like it should NOT be happening that way though.  My guess is this happens because the connection is encrypted.

 

Other attacks and vuln scans end up being blocked and banned as one would like them to be.

Big_Abe

dfollis wrote:

I have my IPS rules set to ban IPs that trigger them externally. 

This was working great on an inherited 5.0 800C.  However, I've since upgraded to 5.2.1 and have no IDEA where this was set.  How did you turn this on?  I would love to auto-ban pesky IPs.  It would certainly clean up my alerting.

 

 

FCNSP

-------------------------------------

"They have us surrounded again, those poor bastards."

-Unnamed Medic

FCNSP ------------------------------------- "They have us surrounded again, those poor bastards." -Unnamed Medic
seadave

Security Profiles...Intrusion Protection

Edit a policy

In the policy under Action choose Quarantine and then choose for how long under "Expires".

I like to use a IPS rule at the top of all of my polices that includes the ZmEu, Morfeus, and Nessus vuln scanners.  If anyone hits me with those, they get banned.  Stops a lot of traffic.  External managed security indicates the first two are very common initial recon attempts.

Big_Abe

Thank-you very much good Sir!

FCNSP

-------------------------------------

"They have us surrounded again, those poor bastards."

-Unnamed Medic

FCNSP ------------------------------------- "They have us surrounded again, those poor bastards." -Unnamed Medic
Shawn_W

Great information.  Thank you for sharing.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors