Hello,
The FortiGate integrated IPS detected an attempted attack: browser.spoofing.IDN.attempt. According to the attack report, the source of the attack is an internal address and the destination is the external address of a web site.
My question is: how could the internal address be the source of the attack if the vulnerability affects the browser??
Maybe the internal user has clicked on a website link that has a homograph attack.
The best way to discover what happened is to enable "Packet Logging" on the IPS profile. Then you can get the PCAP of the signature trigger on FortiAnalyzer and see what the behavior is.
The direction of the attack is irrelevant. The IPS signature triggers on the source and the destination of the packet.
BR,
Paulo Raponi
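An added example (not from this thread or from Fortinet) of the kind of homograph check Paulo is describing: given a hostname as the browser displays it, it derives the punycode (xn--) form that actually travels in the DNS query and the HTTP Host header from the internal client, flags labels that mix scripts, and flags all-Cyrillic labels that read like a Latin word. The confusable table is a small hand-built subset, an assumption for illustration rather than the full Unicode confusables list, and the sample hostnames are constructed.

```python
import unicodedata

# Hand-built table of Cyrillic letters that most fonts render like Latin ones
# (constructed for this example; Unicode's confusables.txt is far larger).
CYRILLIC_CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
}


def script_of(ch):
    """Script family of a letter, taken from the first word of its Unicode name
    (LATIN, CYRILLIC, GREEK, ...); digits and hyphens count as COMMON."""
    if not ch.isalpha():
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def to_punycode(hostname):
    """ASCII (xn--) form that the browser sends in the DNS query and Host header."""
    return hostname.encode("idna").decode("ascii")


def analyse_label(label):
    """Return (latin skeleton, list of findings) for one DNS label."""
    scripts = {script_of(c) for c in label if c.isalpha()}
    skeleton = "".join(CYRILLIC_CONFUSABLES.get(c, c) for c in label)
    findings = []
    if len(scripts) > 1:
        findings.append("mixed-script label: " + ", ".join(sorted(scripts)))
    if scripts == {"CYRILLIC"} and skeleton.isascii():
        findings.append("whole-script confusable, reads as %r" % skeleton)
    return skeleton, findings


def analyse_hostname(hostname):
    """Analyse every label of a Unicode hostname (as shown in the browser bar)."""
    skeleton_labels, findings = [], []
    for label in hostname.lower().split("."):
        skel, label_findings = analyse_label(label)
        skeleton_labels.append(skel)
        findings.extend(label_findings)
    return {
        "hostname": hostname,
        "punycode": to_punycode(hostname),
        "skeleton": ".".join(skeleton_labels),
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed samples: genuine, mixed-script, and all-Cyrillic look-alike.
    for host in ("apple.com", "\u0430pple.com", "\u0455\u0441\u043e\u0440\u0435.com"):
        print(analyse_hostname(host))
```

The punycode field is the part that matters for the original question: the bytes an IPS inspects are the client's outbound request carrying that xn-- name, so the packet that matches a browser-side signature has the internal host as its source and the web server as its destination.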
Thanks Paulo for the reply, maybe your guess is true.
But even if we suppose that it is true, the user should be the victim of the attack, not the web site.
On the other hand, "Packet Logging" is already enabled. How can I get the PCAP of the signature trigger on FortiAnalyzer and see what the behavior is??
I've seen the same issue on 100D 4.3.18. I have my IPS rules set to ban IPs that trigger them externally. This normally works fine, but I've noticed that for the OpenSSL.TLS.Heartbeat.Information.Disclosure, the internal host IP gets blocked instead of the external attacking source. I'm guessing that is because the signature doesn't detect the attack until the response. Seems like it should NOT be happening that way though. My guess is this happens because the connection is encrypted.
Other attacks and vuln scans end up being blocked and banned as one would like them to be.
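An added example (not from this thread or from Fortinet) that shows why a quarantine keyed on the packet source can hit the wrong side, as dfollis reports. It parses a few constructed records in FortiGate's key=value log style (field names modelled on FortiOS IPS logs; addresses, times and the last signature name are invented), decides which end of the flow is inside the firewall using an assumed RFC 1918 definition of "internal", and reports whether banning the packet's srcip would land on one of our own hosts.

```python
import ipaddress
import shlex

# Address space treated as "inside" the firewall (assumption for this example:
# RFC 1918 ranges; adjust to the networks behind your own FortiGate).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records in FortiGate's key=value log style.
SAMPLE_LOGS = [
    # Client-side signature: the matching packet is the internal browser's request.
    'date=2024-01-01 time=10:00:00 type="utm" subtype="ips" severity="medium" '
    'srcip=192.168.10.25 srcport=51234 dstip=203.0.113.40 dstport=80 '
    'direction="outgoing" attack="browser.spoofing.IDN.attempt" action="detected"',
    # Heartbeat signature firing on the server's reply, as dfollis describes:
    # the packet source is the internal host, the external peer sent the probe.
    'date=2024-01-01 time=10:05:00 type="utm" subtype="ips" severity="critical" '
    'srcip=192.168.10.80 srcport=443 dstip=198.51.100.7 dstport=40000 '
    'direction="outgoing" attack="OpenSSL.TLS.Heartbeat.Information.Disclosure" action="dropped"',
    # Plain inbound probe (invented signature name): packet source and attacker coincide.
    'date=2024-01-01 time=10:07:00 type="utm" subtype="ips" severity="high" '
    'srcip=198.51.100.7 srcport=45000 dstip=192.168.10.80 dstport=80 '
    'direction="incoming" attack="Example.Scanner.Probe" action="dropped"',
]


def parse_log(line):
    """Split a key=value line (quoted values allowed) into a dict."""
    record = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        record[key] = value
    return record


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def assess(record):
    """Work out which side of the flow is ours and whether quarantining the
    packet source (what an attacker quarantine does) would hit an internal host."""
    src, dst = record["srcip"], record["dstip"]
    src_in, dst_in = is_internal(src), is_internal(dst)
    if src_in == dst_in:
        # Both inside or both outside: no clear external peer, needs a human look.
        return {"internal_host": None, "external_peer": None,
                "naive_ban_hits_internal": src_in}
    internal = src if src_in else dst
    external = dst if src_in else src
    return {"internal_host": internal, "external_peer": external,
            "naive_ban_hits_internal": src_in}


def review(lines):
    """Return (attack name, assessment) per record; the external peer is the
    address worth feeding to a ban list, never an address inside our own space."""
    return [(rec["attack"], assess(rec)) for rec in map(parse_log, lines)]


if __name__ == "__main__":
    for attack, result in review(SAMPLE_LOGS):
        print(attack, result)
```

For the first two records the external peer is the dstip, so an auto-ban that always takes srcip would quarantine the internal client or server; only the third record has the attacker as the packet source.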
dfollis wrote: "I have my IPS rules set to ban IPs that trigger them externally."
This was working great on an inherited 5.0 800C. However, I've since upgraded to 5.2.1 and have no IDEA where this was set. How did you turn this on? I would love to auto-ban pesky IPs. It would certainly clean up my alerting.
FCNSP
-------------------------------------
"They have us surrounded again, those poor bastards."
-Unnamed Medic
Security Profiles...Intrusion Protection
Edit a policy
In the policy under Action choose Quarantine and then choose for how long under "Expires".
I like to use an IPS rule at the top of all of my policies that includes the ZmEu, Morfeus, and Nessus vuln scanners. If anyone hits me with those, they get banned. Stops a lot of traffic. External managed security indicates the first two are very common initial recon attempts.
Thank you very much, good Sir!
Great information. Thank you for sharing.
Copyright 2024 Fortinet, Inc. All Rights Reserved.