On 27.09.22 07:56, Kevin A. McGrail wrote:
I use upstream filtering all the time to add points with SA but I typically do it with headers.  Does Fortinet add any headers?

It does for spam detection, not when it removes suspicious attachments.

Especially depending on the size of emails, the attachment parsing plugins like OCR you might have, etc. your rule could get pretty heavy in terms of parsing.

Correct, that's why I'd better not try this.

FuzzyOCR was a good plugin and ExtractText is excellent, but OCR takes too much CPU time.

However, since this is a rule giving points, no bad actor is going to simulate it.  You might just do a meta rule of some smaller key points:

body /dangerous attachment removed/i

uri /fortinet\.com\/ve\?vid=\d+/

Of course, this rule will hit on this email on your system which is why a header is best :-)

This is another reason why I want to be careful about rules, not to match too much.

I have modified the rule a bit; it looks like attachments can have spaces in their names.

Also, rawbody should prevent SA from concatenating multiple spaces.

rawbody FORTI_ATT_REMOVED /^Dangerous attachment removed\.  The file \".{0,255}\" was infected with the \"\S{0,63}\" virus\. It has been removed and quarantined as: \"\S{0,31}\"\.\"https?:\/\/www\.fortinet\.com\//


I'd prefer only checking at the beginning of the body (for mail that has no attachments) or at the beginning of each attachment, and only for text/plain attachments/body.


On 9/26/2022 12:20 PM, Matus UHLAR - fantomas wrote:
Some of the mail servers I admin are behind a Fortinet device that does content inspection and removes viruses by replacing them with this content:

------=_NextPart_000_0012_F7463AA1.9316ADCB
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Content-Length: 221
Connection: Close

Dangerous attachment removed.  The file "ORDER_00812387.xlsx" was infected with the "MSExcel/CVE_2017_11882!exploit" virus. It has been removed and quarantined as: "[disabled]"."http://www.fortinet.com/ve?vid=10022639";.
------=_NextPart_000_0012_F7463AA1.9316ADCB--


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.
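The following is an added example and not code from the thread or from SpamAssassin: it uses Python's `re` as a stand-in for SpamAssassin's Perl regex engine to check the anchored rawbody pattern quoted above against a constructed Fortinet-style notice (one with spaces in the filename) and against a reply that quotes that notice with `> `, side by side with the loose `body /dangerous attachment removed/i` check. The sample notice text, addresses and the quoting style are constructed assumptions; `re.MULTILINE` approximates SpamAssassin's per-line rawbody matching, so the real test remains `spamassassin --lint` and `spamassassin -t` on a captured message.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed sample notice, modelled on the Fortinet text quoted in the thread;
# the filename deliberately contains spaces, which the revised rule has to accept.
FORTI_NOTICE = (
    'Dangerous attachment removed.  The file "Q3 ORDER 00812387.xlsx" was infected '
    'with the "MSExcel/CVE_2017_11882!exploit" virus. It has been removed and '
    'quarantined as: "[disabled]"."http://www.fortinet.com/ve?vid=10022639";.'
)

# The rawbody pattern from the thread as a Python regex (Perl and Python agree on
# the constructs used: ^, \S, {m,n}, \.). re.MULTILINE makes ^ match at every line
# start, an approximation of SpamAssassin's per-line rawbody matching.
FORTI_ATT_REMOVED = re.compile(
    r'^Dangerous attachment removed\.  The file ".{0,255}" was infected with the '
    r'"\S{0,63}" virus\. It has been removed and quarantined as: '
    r'"\S{0,31}"\."https?://www\.fortinet\.com/',
    re.MULTILINE,
)

# The loose substring check suggested earlier in the thread, for comparison.
LOOSE_BODY = re.compile(r'dangerous attachment removed', re.IGNORECASE)


def build_message(body: str) -> bytes:
    """Build a minimal multipart/mixed message whose one text/plain part is `body`."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # constructed addresses
    msg["To"] = "rcpt@example.invalid"
    msg["Subject"] = "test"
    msg.make_mixed()
    part = EmailMessage()
    part.set_content(body)                   # text/plain; long lines become QP
    msg.attach(part)
    return msg.as_bytes()


def parts_hit(raw_message: bytes, pattern: re.Pattern) -> int:
    """Count text/plain parts of `raw_message` on which `pattern` fires."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return sum(
        1
        for part in msg.walk()
        if part.get_content_type() == "text/plain"
        and pattern.search(part.get_content()) is not None
    )


def compare_rules() -> dict:
    """Run both checks over a real notice and over a reply quoting the notice."""
    notice = build_message(FORTI_NOTICE + "\n")
    # A reply quoting the notice: the quoted line starts with "> ", so the anchored
    # pattern no longer matches at "Dangerous", while the loose substring still does.
    reply = build_message("Our gateway sent this:\n> " + FORTI_NOTICE + "\n")
    return {
        "notice_rawbody": parts_hit(notice, FORTI_ATT_REMOVED),
        "notice_loose": parts_hit(notice, LOOSE_BODY),
        "reply_rawbody": parts_hit(reply, FORTI_ATT_REMOVED),
        "reply_loose": parts_hit(reply, LOOSE_BODY),
    }


if __name__ == "__main__":
    for name, hits in compare_rules().items():
        print(f"{name}: {hits}")
```

The `^` anchor and the trailing fortinet.com URL are what keep the rule from firing on a message that merely talks about the notice, which is the concern raised earlier in the thread; the loose check fires on both messages.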
