Fortinet Creating Custom Signatures to Block the SMTP VRFY Command on Fortigate
Page 35

 

 

 

Custom signatures

Creating custom signatures

Example 2: signature to block the SMTP ‘vrfy’ command

The SMTP vrfy command can be used to verify the existence of a single email address, or it can be used to list all of the valid email accounts on an email server. A spammer could potentially use this command to obtain a list of all valid email users and direct spam to their inboxes.

In this example, we will create a custom signature to block the use of the vrfy command. Since the custom signature blocks the vrfy command from coming through the FortiGate unit, the administrator can still use the command on the internal network.

1Custom signature basic format

All custom signatures have a header, and at least one keyword/value pair. The header is always the same:

F-SBID( )

The keyword/value pairs appear within the parentheses and each pair is followed by a semicolon.

2Choosing a name for the custom signature

Every custom signature requires a name, so it is good practice to assign a name before any other keywords are added.

Use the --namekeyword to assign the custom signature a name. The name value follows the keyword after a space. Enclose the name value in double- quotes:

F-SBID( --name "Block.SMTP.VRFY.CMD"; )

The signature, as it appears here, will not do anything if used. It has a name, but doesn’t look for any patterns in network traffic. You must specify a pattern for the FortiGate unit to search for.

3Adding a signature pattern

Use the --patternkeyword to specify what the FortiGate unit will search for:

F-SBID( --name "Block.SMTP.VRFY.CMD"; --pattern "vrfy"; )

The signature will now detect the vrfy command appearing in network traffic. The custom signature should only detect the command in SMTP traffic, however. Any other traffic with the pattern should be allowed to pass. For example, an Email message discussing the vrfy command should not be stopped.

4Specifying the service

Use the --servicekeyword to limit the effect of the custom signature to only the HTTP protocol.

F-SBID( --name "Block.SMTP.VRFY.CMD"; --pattern "vrfy"; --service SMTP; )

The FortiGate unit will limit its search for the pattern to the SMTP protocol.

Even though the SMTP protocol uses only TCP traffic, the FortiGate will search for SMTP protocol communication in TCP, UDP, and ICMP traffic. This is a needless waste of system resources.

5Specifying the traffic type.

FortiGate IPS User Guide Version 3.0 MR7

 

01-30007-0080-20080916

35

Page 34 Page 36
Image 35
Page 34 Page 36
Contents E R G U I D E Trademarks Contents SYN flood attacks Protocol decodersIPS sensors DoS sensorsFortiGate IPS IntroductionTypographic conventions About this documentFortinet documentation Document conventionsFortiGate Pptp VPN User Guide Comments on Fortinet technical documentation Customer service and technical supportFortinet Knowledge Center This section contains the following topics IPS overview and general configurationIPS settings and controls Config ips global Set fail-open enable disable end When to use IPSDefault signature and anomaly settings Default fail open settingControlling sessions Setting the buffer sizeConfiguring logging and alert email Monitoring the network and dealing with attacksAttack log messages Signature FortiGuard Center AnomalySelect Create New Using IPS sensors in a protection profileCreating a protection profile that uses IPS sensors Adding protection profiles to firewall policiesAdding protection profiles to user groups Using IPS sensors in a protection profile Viewing the predefined signature list Predefined signaturesIPS predefined signatures Clear All Filters SettingsEnable ColumnCreate a sensor and add IPS filters to it Viewing the predefined signature list Viewing the custom signature list Custom signaturesIPS custom signatures Command syntax pattern Custom signature configurationAdding custom signatures using the web-based manager Adding custom signatures using the CLIShows the valid characters for custom signature fields Creating custom signaturesCustom signature fields Srcport Custom signature syntaxAttackid Name BufferOverflowContent keywords Keyword and value Description Deprecated, see pattern and context keywords Context host Pattern GETContext uri Pattern yahoo.comUri !uristr PcreRegex/mdelim RegexdelimismxAEGRUIP header keywords Keyword and Value Description Protocol tcpTCP header keywords Keyword and Value Description Tcpflags S,12 Tcpflags APOther keywords Keyword and Value Description UDP header keywords Keyword and Value DescriptionIcmp keywords Keyword and Value Usage Sbid --name Block.example.com Example 1 signature to block access to example.comExample custom signatures Sbid --name Block.example.com Sbid --name Block.SMTP.VRFY.CMD --pattern vrfy Example 2 signature to block the Smtp ‘vrfy’ commandSbid --name Block.SMTP.VRFY.CMD Creating custom signatures Upgrading the IPS protocol decoder list Protocol decodersProtocol decoders Protocol decoder list Protocols Protocol decoder names Port Viewing the protocol decoder listViewing the IPS sensor list AlldefaultAlldefaultpass IPS sensorsProtectemailserver Configuring IPS sensorsAdding an IPS sensor ProtectclientIPS sensor filters IPS sensor attributesDelete and Edit Delete or edit the filter Icons Configuring filtersReset IPS sensor overridesApplication Configuring pre-defined and custom overridesSource Exempt IPDoS sensors Appears, and select OK Configuring DoS sensorsViewing the DoS sensor list Sequence in which the sensors examine network trafficWill appear in the DoS sensor list Anomaly configurationDoS sensor attributes Name Enter or change the DoS sensor name CommentsUnderstanding the anomalies Udpsrcsession Anomaly Description TcpdstsessionUdpflood UdpscanUnderstanding the anomalies How SYN floods work What is a SYN flood attack?SYN flood attacks How IPS works to prevent SYN floods What is SYN threshold?What is SYN proxy? FortiGate IPS Response to SYN flood attacksIPS operation before synflood threshold is reached Configure the options for tcpsynflood Select OK Configuring SYN flood protectionSuggested settings for different network conditions FortiGate IPS response to Icmp sweep attacks What is an Icmp sweep?Icmp sweep attacks How Icmp sweep attacks workPredefined Icmp signatures Icmp sweep anomalies Configuring Icmp sweep protection FortiGate Version 3.0 MR7 IPS User Guide IndexTechnical support
Top Page Image Contents