HTTP EVADER

Author: leonardo.ortiz, 2018/08/07 20:12:35

Hello.
 
FortiGate can't pass the HTTP Evader tests from noxxi.de, even with SSL deep inspection, AV, IPS etc. enabled. Running the latest FortiOS 5.6.
Is there any recommendation or best practice for attacks like this?
Test: https://noxxi.de/research/http-evader-testsite.html
 
#1

6 Replies

    Hosemacht (Upper Austria)
    Re: HTTP EVADER 2018/08/07 22:48:10
    Hey there,
     
    yes, FortiOS 5.6 can pass this test.
     
    Update to the latest 5.6 (5.6.5), and then
    you have to enable AV heuristics and, most importantly, use the extended IPS database and then set Action to Block
    in the security profiles.
    If you use "default" instead of "block" in the IPS profile, the EICAR virus will not be blocked.
     
    Run the test again.
    #2
    OberonX (Mexico)
    Re: HTTP EVADER 2020/01/09 13:46:12
    Hi, I followed the steps mentioned but I still don't pass the evader test. I'm running FortiOS version 6.0.8.
    #3
    Hosemacht (Upper Austria)
    Re: HTTP EVADER 2020/01/09 22:52:36
    Hey there,
     
    please have a look at your IPS logs: are there any EICAR virus test file messages, and are they blocked?
     
    Regards
    #4
    Hosemacht (Upper Austria)
    Re: HTTP EVADER 2020/01/10 02:42:25
    Today I did another test from the HTTP Evader site; all eicar.zip files were blocked by our FortiGate, alongside
    other IPS attacks.
     
    We're currently on FortiOS 6.0.7.
     
    Regards from the Alps
    #5
    OberonX (Mexico)
    Re: HTTP EVADER 2020/01/10 13:58:22
    Additionally, enable in Antivirus the options

    Use Virus Outbreak Prevention Database

    Use FortiSandbox Database

    With these enabled it still appears as if it were evading, but the EICAR file is no longer downloaded; a text file is downloaded instead.


    QROLAB # execute log display
    100 logs found.
    10 logs returned.
    1: date=2020-01-10 time=15:41:29 logid="0419016385" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" eventtime=1578692489 severity="low" srcip=10.2.2.23 srccountry="Reserved" dstip=13.107.18.11 srcintf="ALESTRA" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" sessionid=251330 action="reset" proto=1 service="PING" policyid=2 attack="Traceroute" direction="outgoing" icmpid="0x0001" icmptype="0x08" icmpcode="0x00" attackid=12466 profile="default" ref="http://www.fortinet.com/ids/VID12466" incidentserialno=1235898464 msg="icmp: Traceroute," crscore=5 crlevel="low"
    2: date=2020-01-10 time=15:41:04 logid="0419016385" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" eventtime=1578692464 severity="low" srcip=10.2.2.23 srccountry="Reserved" dstip=13.107.18.254 srcintf="ALESTRA" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" sessionid=251204 action="reset" proto=1 service="PING" policyid=2 attack="Traceroute" direction="outgoing" icmpid="0x0001" icmptype="0x08" icmpcode="0x00" attackid=12466 profile="default" ref="http://www.fortinet.com/ids/VID12466" incidentserialno=1235898398 msg="icmp: Traceroute," crscore=5 crlevel="low"
    3: date=2020-01-10 time=15:40:39 logid="0419016385" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" eventtime=1578692439 severity="low" srcip=10.2.2.23 srccountry="Reserved" dstip=40.100.137.50 srcintf="ALESTRA" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" sessionid=251048 action="reset" proto=1 service="PING" policyid=2 attack="Traceroute" direction="outgoing" icmpid="0x0001" icmptype="0x08" icmpcode="0x00" attackid=12466 profile="default" ref="http://www.fortinet.com/ids/VID12466" incidentserialno=1235898328 msg="icmp: Traceroute," crscore=5 crlevel="low"
    4: date=2020-01-10 time=15:39:47 logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" eventtime=1578692387 severity="low" srcip=10.2.2.23 srccountry="Reserved" dstip=68.67.179.113 srcintf="ALESTRA" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" sessionid=250628 action="reset" proto=6 service="SSL" policyid=2 attack="TCP.Overlapping.Fragments" srcport=53625 dstport=443 hostname="ib.adnxs.com" url="/" direction="outgoing" attackid=29511 profile="default" ref="http://www.fortinet.com/ids/VID29511" incidentserialno=1235898164 msg="a-ipdf: TCP.Overlapping.Fragments, seq 2815027344, ack 2923888758, flags AP" crscore=5 crlevel="low"
    5: date=2020-01-10 time=15:29:04 logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" eventtime=1578691744 severity="low" srcip=10.2.2.20 srccountry="Reserved" dstip=35.186.224.53 srcintf="ALESTRA" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" sessionid=246163 action="reset" proto=6 service="SSL" policyid=2 attack="TCP.Overlapping.Fragments" srcport=50649 dstport=443 hostname="spclient.wg.spotify.com" url="/" direction="outgoing" attackid=29511 profile="default" ref="http://www.fortinet.com/ids/VID29511" incidentserialno=1235895321 msg="a-ipdf: TCP.Overlapping.Fragments, seq 2402545591, ack 1096192562, flags AP" crscore=5 crlevel="low"
    6: date=2020-01-10 time=15:12:47 logid="0419016385" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" eventtime=1578690767 severity="low" srcip=10.2.2.7 srccountry="Reserved" dstip=13.107.18.11 srcintf="ALESTRA" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" sessionid=241510 action="reset" proto=1 service="PING" policyid=2 attack="Traceroute" direction="outgoing" icmpid="0x0001" icmptype="0x08" icmpcode="0x00" attackid=12466 profile="default" ref="http://www.fortinet.com/ids/VID12466" incidentserialno=1235892953 msg="icmp: Traceroute," crscore=5 crlevel="low"
    7: date=2020-01-10 time=15:12:22 logid="0419016385" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" eventtime=1578690742 severity="low" srcip=10.2.2.7 srccountry="Reserved" dstip=13.107.42.11 srcintf="ALESTRA" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" sessionid=241416 action="reset" proto=1 service="PING" policyid=2 attack="Traceroute" direction="outgoing" icmpid="0x0001" icmptype="0x08" icmpcode="0x00" attackid=12466 profile="default" ref="http://www.fortinet.com/ids/VID12466" incidentserialno=1235892924 msg="icmp: Traceroute," crscore=5 crlevel="low"
    8: date=2020-01-10 time=15:11:57 logid="0419016385" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" eventtime=1578690717 severity="low" srcip=10.2.2.7 srccountry="Reserved" dstip=52.98.0.194 srcintf="ALESTRA" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" sessionid=241337 action="reset" proto=1 service="PING" policyid=2 attack="Traceroute" direction="outgoing" icmpid="0x0001" icmptype="0x08" icmpcode="0x00" attackid=12466 profile="default" ref="http://www.fortinet.com/ids/VID12466" incidentserialno=1235892890 msg="icmp: Traceroute," crscore=5 crlevel="low"
    9: date=2020-01-10 time=15:02:48 logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" eventtime=1578690168 severity="info" srcip=10.2.2.7 srccountry="Reserved" dstip=52.114.169.0 srcintf="ALESTRA" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" sessionid=237965 action="reset" proto=6 service="SSL" policyid=2 attack="SSL.Anonymous.Ciphers.Negotiation" srcport=50024 dstport=443 url="/" direction="outgoing" attackid=43544 profile="default" ref="http://www.fortinet.com/ids/VID43544" incidentserialno=1235891017 msg="applications3: SSL.Anonymous.Ciphers.Negotiation,"
    10: date=2020-01-10 time=15:02:48 logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" eventtime=1578690168 severity="info" srcip=10.2.2.7 srccountry="Reserved" dstip=52.114.169.0 srcintf="ALESTRA" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" sessionid=237964 action="reset" proto=6 service="SSL" policyid=2 attack="SSL.Anonymous.Ciphers.Negotiation" srcport=50018 dstport=443 url="/" direction="outgoing" attackid=43544 profile="default" ref="http://www.fortinet.com/ids/VID43544" incidentserialno=1235891014 msg="applications3: SSL.Anonymous.Ciphers.Negotiation,"

    QROLAB # execute log display
    100 logs found.
    10 logs returned.
    11: date=2020-01-10 time=15:01:51 logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" eventtime=1578690111 severity="low" srcip=10.2.2.20 srccountry="Reserved" dstip=17.249.57.246 srcintf="ALESTRA" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" sessionid=237511 action="reset" proto=6 service="tcp/5224" policyid=2 attack="TCP.Data.On.SYN" srcport=61303 dstport=5224 direction="outgoing" attackid=107937798 profile="default" ref="http://www.fortinet.com/ids/VID107937798" incidentserialno=1235890738 msg="tcp_reassembler: TCP.Data.On.SYN, seq 486587968, ack 0, flags S" crscore=5 crlevel="low"
    12: date=2020-01-10 time=14:56:04 logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" eventtime=1578689764 severity="info" srcip=10.2.2.3 srccountry="Reserved" dstip=38.128.66.43 srcintf="ALESTRA" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" sessionid=235384 action="reset" proto=6 service="HTTP" policyid=2 attack="HTTP.Unknown.Tunnelling" srcport=41238 dstport=80 direction="outgoing" attackid=107347981 profile="default" ref="http://www.fortinet.com/ids/VID107347981" incidentserialno=1235889237 msg="http_decoder: HTTP.Unknown.Tunnelling,"
    13: date=2020-01-10 time=14:45:08 logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" eventtime=1578689108 severity="info" srcip=10.2.2.11 srccountry="Reserved" dstip=52.208.182.101 srcintf="ALESTRA" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" sessionid=231652 action="reset" proto=6 service="HTTP" policyid=2 attack="HTTP.Unknown.Tunnelling" srcport=59026 dstport=80 url="/" direction="outgoing" attackid=107347981 profile="default" ref="http://www.fortinet.com/ids/VID107347981" incidentserialno=1235887026 msg="http_decoder: HTTP.Unknown.Tunnelling,"
    14: date=2020-01-10 time=13:52:38 logid="0419016385" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" eventtime=1578685958 severity="low" srcip=10.2.2.9 srccountry="Reserved" dstip=52.96.22.178 srcintf="ALESTRA" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" sessionid=216014 action="reset" proto=1 service="PING" policyid=2 attack="Traceroute" direction="outgoing" icmpid="0x0001" icmptype="0x08" icmpcode="0x00" attackid=12466 profile="default" ref="http://www.fortinet.com/ids/VID12466" incidentserialno=1235878745 msg="icmp: Traceroute," crscore=5 crlevel="low"
    15: date=2020-01-10 time=13:52:15 logid="0419016385" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" eventtime=1578685935 severity="low" srcip=10.2.2.9 srccountry="Reserved" dstip=52.98.4.82 srcintf="ALESTRA" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" sessionid=215921 action="reset" proto=1 service="PING" policyid=2 attack="Traceroute" direction="outgoing" icmpid="0x0001" icmptype="0x08" icmpcode="0x00" attackid=12466 profile="default" ref="http://www.fortinet.com/ids/VID12466" incidentserialno=1235878688 msg="icmp: Traceroute," crscore=5 crlevel="low"
    16: date=2020-01-10 time=13:51:50 logid="0419016385" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" eventtime=1578685910 severity="low" srcip=10.2.2.9 srccountry="Reserved" dstip=204.79.197.254 srcintf="ALESTRA" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" sessionid=215838 action="reset" proto=1 service="PING" policyid=2 attack="Traceroute" direction="outgoing" icmpid="0x0001" icmptype="0x08" icmpcode="0x00" attackid=12466 profile="default" ref="http://www.fortinet.com/ids/VID12466" incidentserialno=1235878647 msg="icmp: Traceroute," crscore=5 crlevel="low"
    17: date=2020-01-10 time=13:38:32 logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" eventtime=1578685112 severity="low" srcip=10.2.2.9 srccountry="Reserved" dstip=52.114.128.9 srcintf="ALESTRA" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" sessionid=211707 action="reset" proto=6 service="SSL" policyid=2 attack="TCP.Overlapping.Fragments" srcport=55912 dstport=443 hostname="browser.pipe.aria.microsoft.com" url="/" direction="outgoing" attackid=29511 profile="default" ref="http://www.fortinet.com/ids/VID29511" incidentserialno=1235876750 msg="a-ipdf: TCP.Overlapping.Fragments, seq 1413733765, ack 1527429127, flags AP" crscore=5 crlevel="low"
    18: date=2020-01-10 time=13:38:21 logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" eventtime=1578685101 severity="low" srcip=10.2.2.4 srccountry="Reserved" dstip=17.249.57.246 srcintf="ALESTRA" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" sessionid=211941 action="reset" proto=6 service="tcp/5224" policyid=2 attack="TCP.Data.On.SYN" srcport=49921 dstport=5224 direction="outgoing" attackid=107937798 profile="default" ref="http://www.fortinet.com/ids/VID107937798" incidentserialno=1235876711 msg="tcp_reassembler: TCP.Data.On.SYN, seq 1757663737, ack 0, flags S" crscore=5 crlevel="low"
    19: date=2020-01-10 time=13:14:48 logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" eventtime=1578683688 severity="info" srcip=10.2.2.11 srccountry="Reserved" dstip=52.17.187.212 srcintf="ALESTRA" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" sessionid=202043 action="reset" proto=6 service="HTTP" policyid=2 attack="HTTP.Unknown.Tunnelling" srcport=48782 dstport=80 hostname="velb-pue1gld-312177699.eu-west-1.elb.amazonaws.com" url="/" direction="outgoing" attackid=107347981 profile="default" ref="http://www.fortinet.com/ids/VID107347981" incidentserialno=1235871931 msg="http_decoder: HTTP.Unknown.Tunnelling,"
    20: date=2020-01-10 time=13:10:58 logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" eventtime=1578683458 severity="low" srcip=10.2.2.12 srccountry="Reserved" dstip=17.57.144.180 srcintf="ALESTRA" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" sessionid=200524 action="reset" proto=6 service="SSL" policyid=2 attack="TCP.Overlapping.Fragments" srcport=56345 dstport=5223 hostname="courier.push.apple.com" url="/" direction="outgoing" attackid=29511 profile="default" ref="http://www.fortinet.com/ids/VID29511" incidentserialno=1235871157 msg="a-ipdf: TCP.Overlapping.Fragments, seq 3313086100, ack 2333705023, flags AP" crscore=5 crlevel="low"
    #6
    Hosemacht (Upper Austria)
    Re: HTTP EVADER 2020/01/14 03:48:21
    Your logs tell me that you are using the default IPS profile.
    Please check whether you have enabled all signature severities and set the action to Block.
     
    Run the test again.
     
    Regards
    #7
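The replies above ask two questions of the posted `execute log display` output: which IPS profile the hits came from, and whether any EICAR detections exist and were actually blocked. Answering that by eye across a hundred key=value records is error-prone, so here is an added example (my code, not anything posted in the thread or shipped by Fortinet) that parses FortiGate key=value log lines and reports exactly those two things. It uses two records abbreviated from the output above plus one constructed record standing in for an EICAR hit; the signature name `Eicar.Test.File`, the hostname and the addresses in that record are hypothetical. The set of actions treated as "blocking" (`reset`, `dropped`, `blocked`) is an assumption about FortiGate's IPS action vocabulary, so adjust it to what your firmware logs.

```python
import re
from collections import Counter

# Entries 1 and 12 are abbreviated from the `execute log display` output
# posted in the thread. Entry 3 is CONSTRUCTED for this example: a
# hypothetical EICAR hit logged with action="detected" (monitor only).
# Signature name, hostname and IPs in it are not real records.
SAMPLE_LOGS = [
    '1: date=2020-01-10 time=15:41:29 logid="0419016385" type="utm" subtype="ips" '
    'eventtype="signature" level="alert" vd="root" severity="low" srcip=10.2.2.23 '
    'dstip=13.107.18.11 action="reset" proto=1 service="PING" policyid=2 '
    'attack="Traceroute" direction="outgoing" attackid=12466 profile="default" '
    'msg="icmp: Traceroute," crscore=5 crlevel="low"',
    '12: date=2020-01-10 time=14:56:04 logid="0419016384" type="utm" subtype="ips" '
    'eventtype="signature" level="alert" vd="root" severity="info" srcip=10.2.2.3 '
    'dstip=38.128.66.43 action="reset" proto=6 service="HTTP" policyid=2 '
    'attack="HTTP.Unknown.Tunnelling" srcport=41238 dstport=80 direction="outgoing" '
    'attackid=107347981 profile="default" msg="http_decoder: HTTP.Unknown.Tunnelling,"',
    # constructed / hypothetical record
    '3: date=2020-01-10 time=15:50:00 logid="0419016384" type="utm" subtype="ips" '
    'eventtype="signature" level="alert" vd="root" severity="high" srcip=10.2.2.23 '
    'dstip=192.0.2.10 action="detected" proto=6 service="HTTP" policyid=2 '
    'attack="Eicar.Test.File" srcport=50000 dstport=80 hostname="noxxi.de" '
    'url="/research/http-evader-testsite.html" profile="default" '
    'msg="file_transfer: Eicar.Test.File,"',
]

# Assumption: these IPS actions stop the session; anything else (e.g.
# "detected", "pass") means the signature fired but traffic went through.
BLOCKING_ACTIONS = {"reset", "dropped", "blocked"}

# key=value pairs; values are either "quoted strings" (may contain spaces
# and escaped quotes) or a bare token with no whitespace.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Parse one FortiGate log line into a dict, dropping the 'N: ' index."""
    line = re.sub(r"^\s*\d+:\s*", "", line)
    rec = {}
    for key, val in KV_RE.findall(line):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1].replace('\\"', '"')
        rec[key] = val
    return rec


def summarize(lines):
    """Report IPS profile usage and EICAR detections with their actions."""
    ips = [r for r in map(parse_line, lines) if r.get("subtype") == "ips"]
    profiles = Counter(r.get("profile", "?") for r in ips)
    attacks = Counter(f"{r.get('attack', '?')}/{r.get('action', '?')}" for r in ips)
    eicar = [
        (r.get("attack", ""), r.get("action", ""), r.get("hostname", r.get("dstip", "")))
        for r in ips
        if "eicar" in (r.get("attack", "") + " " + r.get("msg", "")).lower()
    ]
    return {
        "records": len(ips),
        "profiles": dict(profiles),
        "attacks": dict(attacks),
        "uses_default_profile": "default" in profiles,
        "eicar": eicar,
        # None when there is no EICAR hit at all (the evader test was not
        # detected), otherwise whether every hit had a blocking action.
        "eicar_blocked": (
            all(a in BLOCKING_ACTIONS for _, a, _ in eicar) if eicar else None
        ),
    }


if __name__ == "__main__":
    # On a real box: `execute log display` output saved to a file, one line per record.
    s = summarize(SAMPLE_LOGS)
    print(f"{s['records']} IPS records, profiles: {s['profiles']}")
    for name, n in sorted(s["attacks"].items()):
        print(f"  {n:3d}  {name}")
    if s["uses_default_profile"]:
        print("WARNING: hits come from the 'default' IPS profile (check action/severities)")
    if s["eicar_blocked"] is None:
        print("no EICAR signature hit at all: the download was not detected")
    elif not s["eicar_blocked"]:
        print("EICAR detected but NOT blocked:", s["eicar"])
    else:
        print("EICAR detected and blocked:", s["eicar"])
```

Feed it the full `execute log display` output (or a FortiAnalyzer/syslog export of `type="utm" subtype="ips"` records) and the three outcomes map directly onto the advice in the thread: no EICAR hit means the evasion got past the decoder; a hit with a non-blocking action means the profile is in monitor mode; `profile="default"` on every record means the custom profile with all severities set to Block is not the one attached to the policy.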