Saturday, August 2, 2014

How to write IPS signature to block email to user with a Fortigate

In this blog we will use a ascii text to hex creator,  and then build a IPS signature to block emails sent that contains the user email address. The ascii2hex creator will help with writing the rule.

1st here's a link to a simple online  ascii-2-hex creator.

 2nd the user we craft will be  the following;

Okay now that's out if the way, let look  at the steps.

1: the  email message will have the lines  for <> so for my  user above we will use the following;

for <>

2: so that means in our ascii-2hex creator we will need to know the  hex values. Each ascii character will generatet a 2 value in hex.

3:So  the line  the for <>  will create the following;

66 6f 72 20 3c 6b 65 6e 66 65 6c 69 78 40 73 6f 63 70 75 70 70 65 74 73 2e 63 6f 6d 3e

4: for writing the signature, we will need to remove the white spaces. This will result in the following below.


 5: now we write the signature with the match pattern being our hex string that we crafted with the ascii2hex creator.

config ips custom

 edit "EmailBlockKenfelix
        set signature "F-SBID( --attack_id 1183;  --revision 1; --name \"BlockMailKenFelix\"; --service SMTP; --protocol tcp; --tcp_flags A; --pattern |666f72203c6b656e66656c697840736f63707570706574732e636f6d3e| ; --no_case; --flow from_client;)"


So now you can build a IPS sensor and apply this custom signature within your  IPS sensor. Select the appropiate action ( block pass rest) and logging  to include or not include packet-log

You can get creative and write the same thing but block maybe emails from a particular sender 's email address.

e.g ( if the sender was )

The ascii  line to match would be from  <> and hex values ;

66 72 6f 6d 20 20 3c 6b 65 6e 66 65 6c 69 78 40 73 6f 63 70 75 70 70 65 74 73 2e 63 6f 6d 3e

note: you can use the unix  command od as alternative.

e.g echo -n "from  <>" | od -t x1 -A n

keypoints to take away

  • writings IPS signatures for fortigates firewalls, requires creative thinking
  • you can block on the To: recipient or/and Copied recipients
  • this rule would be ineffective for SMTP/S connections
  • try to write rules to be efficient ( match on the following; TCpflag, offset/depth, specifics for the pattern )

Ken Felix
Security and Network  Engineer
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(   -   - )=
      /     \

No comments:

Post a Comment