1st here's a link to a simple online ascii-2-hex creator.
2nd the user we craft will be the following; email@example.com
Okay now that's out if the way, let look at the steps.
1: the email message will have the lines for <firstname.lastname@example.org> so for my user above we will use the following;
2: so that means in our ascii-2hex creator we will need to know the hex values. Each ascii character will generatet a 2 value in hex.
3:So the line the for <email@example.com> will create the following;
66 6f 72 20 3c 6b 65 6e 66 65 6c 69 78 40 73 6f 63 70 75 70 70 65 74 73 2e 63 6f 6d 3e
4: for writing the signature, we will need to remove the white spaces. This will result in the following below.
5: now we write the signature with the match pattern being our hex string that we crafted with the ascii2hex creator.
config ips custom
set signature "F-SBID( --attack_id 1183; --revision 1; --name \"BlockMailKenFelix\"; --service SMTP; --protocol tcp; --tcp_flags A; --pattern |666f72203c6b656e66656c697840736f63707570706574732e636f6d3e| ; --no_case; --flow from_client;)"
So now you can build a IPS sensor and apply this custom signature within your IPS sensor. Select the appropiate action ( block pass rest) and logging to include or not include packet-log
You can get creative and write the same thing but block maybe emails from a particular sender 's email address.
e.g ( if the sender was firstname.lastname@example.org )
The ascii line to match would be from <email@example.com> and hex values ;
66 72 6f 6d 20 20 3c 6b 65 6e 66 65 6c 69 78 40 73 6f 63 70 75 70 70 65 74 73 2e 63 6f 6d 3e
note: you can use the unix command od as alternative.
e.g echo -n "from <firstname.lastname@example.org>" | od -t x1 -A n
keypoints to take away
- writings IPS signatures for fortigates firewalls, requires creative thinking
- you can block on the To: recipient or/and Copied recipients
- this rule would be ineffective for SMTP/S connections
- try to write rules to be efficient ( match on the following; TCpflag, offset/depth, specifics for the pattern )
Security and Network Engineer
kfelix ----a---t---socpuppets ---d---o---t---com
=( - - )=