Exe file blocking using custom IPS Signature

Author: Mohammed Khan (New Member, joined 2019/02/25)
2019/03/19 09:15:42 (permalink)


I've configured a FortiGate NGFW firewall in flow mode; I need to block exe downloads using a custom IPS signature.
 
Please can anyone help write a custom IPS signature for blocking exe downloads?
 
 
#1

2 Replies

    ESarac (New Member, joined 2019/09/20)
    Re: Exe file blocking using custom IPS Signature 2019/09/20 09:12:12 (permalink)
    I also need help with this exact problem please. While I found some documentation on how to create a custom IPS signature, it looks complex and the syntax is very picky:
     
    https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-security-profiles-54/IPS/Creating%20a%20custom%20signature%20to%20block%20access%20to%20example.com.htm
     
    Based on the above example, I attempted to create a custom signature to try to block one executable (Winzip):
     
    F-SBID ( --name "Block Executables"; --pattern "winzip24-home.exe"; --service HTTP; --protocol tcp; --no_case; --flow from_client; --context host; )
     
    However, I can't even save the query as I keep getting "Failed to save changes". Some investigation pointed me to needing to use a "category" option but I have no idea what category I would even use.
    #2
    ede_pfau (Expert Member, Heidelberg, Germany, joined 2004/03/09)
    Re: Exe file blocking using custom IPS Signature 2019/09/21 13:38:17 (permalink)
    IMHO IPS is the wrong tool for this. Use Data Leak Prevention (DLP) instead.
    Instead of the default application of preventing data transfer from inside to outside, you can use it to prevent transfers in the opposite direction as well. For this, use it in the policy from LAN to WAN (as download sessions are initiated from the LAN).
     
    First, enable the DLP menu item in System > Features.
    Then create a DLP sensor containing a DLP filter (the concept is similar to IPS).
    I was happy to see that DLP can scan data and detect file types instead of looking only at the file name/extension. So I created a filter to block "Executable (exe)" and "Windows Installer Package (msi)".
     
    This works for *.msi files. You can check the correct detection in the logs.
    BUT...
    for executables, the file type is detected as "Unknown", and thus transfers are not blocked.
    If I add a filename pattern of "*.exe", transfers are blocked. But we all agree that this can be circumvented too easily.
     
    All of this in v6.0.6. Maybe one of you has got an idea why this important file type is not detected.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #3
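The contrast ede draws between a "*.exe" filename pattern (easily circumvented) and detecting the file type from the data itself can be shown with a small script. This is an added example and not FortiGate code or anything posted in this thread: it assumes a toy download filter, a constructed minimal PE header built in `build_pe_stub()`, and a handful of well-known magic-byte signatures (the MZ stub of Windows executables, the OLE2 container that MSI packages use, ELF, PDF). It models the idea, not how FortiOS DLP actually classifies files.

```python
import struct

# Magic-byte signatures a content-aware filter can match on (assumed, well-known values).
MAGIC_SIGNATURES = (
    (b"MZ", "exe"),                                # DOS/PE stub of Windows executables
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "msi"),  # OLE2 compound document, the MSI container
    (b"\x7fELF", "elf"),                           # Linux/Unix executables
    (b"%PDF", "pdf"),                              # benign control sample
)

# Policy the toy filter enforces; mirrors "Executable (exe)" and "Windows Installer Package (msi)".
BLOCKED_TYPES = {"exe", "msi"}
BLOCKED_EXTENSIONS = (".exe", ".msi")


def build_pe_stub() -> bytes:
    """Constructed minimal Windows PE header: 'MZ' stub whose e_lfanew field (offset 0x3C)
    points at the 'PE\\0\\0' signature at offset 0x40. Not a real program."""
    stub = bytearray(b"MZ" + b"\x00" * 58)          # 60 bytes: MZ + padding up to 0x3C
    stub += struct.pack("<I", 0x40)                 # e_lfanew -> 0x40
    stub += b"PE\x00\x00" + b"\x00" * 20            # PE signature + padding
    return bytes(stub)


def pe_header_offset(body: bytes):
    """Return e_lfanew if the body looks like a PE image (MZ stub plus 'PE\\0\\0'), else None."""
    if len(body) < 0x40 or not body.startswith(b"MZ"):
        return None
    (e_lfanew,) = struct.unpack_from("<I", body, 0x3C)
    if body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
        return e_lfanew
    return None


def detect_file_type(body: bytes) -> str:
    """Classify a download body by its leading bytes; 'unknown' if nothing matches."""
    for magic, label in MAGIC_SIGNATURES:
        if body.startswith(magic):
            return label
    return "unknown"


def blocked_by_filename(name: str) -> bool:
    """The weak check: only the extension in the URL/filename is inspected."""
    return name.lower().endswith(BLOCKED_EXTENSIONS)


def blocked_by_content(body: bytes) -> bool:
    """The stronger check: the type comes from the bytes, whatever the name says."""
    return detect_file_type(body) in BLOCKED_TYPES


# Constructed sample downloads: filename -> first bytes of the HTTP response body.
SAMPLE_DOWNLOADS = {
    "winzip24-home.exe": build_pe_stub(),
    "winzip24-home.bin": build_pe_stub(),   # same binary, renamed to slip past "*.exe"
    "tool.msi": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 32,
    "notes.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
}


def evaluate(downloads=SAMPLE_DOWNLOADS) -> dict:
    """Run both checks over every sample and return the verdicts per file."""
    verdicts = {}
    for name, body in downloads.items():
        verdicts[name] = {
            "type": detect_file_type(body),
            "pe": pe_header_offset(body) is not None,
            "blocked_by_name": blocked_by_filename(name),
            "blocked_by_content": blocked_by_content(body),
        }
    return verdicts


if __name__ == "__main__":
    for name, v in evaluate().items():
        print(f"{name:20} type={v['type']:8} pe={v['pe']!s:5} "
              f"name-filter={v['blocked_by_name']!s:5} content-filter={v['blocked_by_content']}")
```

Running it shows the renamed executable passing the filename filter and being caught by the content filter, which is exactly why a DLP file-type filter is preferable to a filename pattern when the sensor does recognise the type; the thread's open question is why the "Executable (exe)" detection returned "Unknown" on v6.0.6.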