On 27.09.22 07:56, Kevin A. McGrail wrote:
> I use upstream filtering all the time to add points with SA but I
> typically do it with headers. Does Fortinet add any headers?
It does for spam detection, not when it removes suspicious attachments.
> Especially depending on the size of emails, the attachment parsing
> plugins like OCR you might have, etc. your rule could get pretty heavy
> in terms of parsing.
Correct, that's why I'd better not try this.
FuzzyOCR was a good plugin and ExtractText is excellent, but OCR takes too much
CPU time.
> However, since this is a rule giving points, no bad actor is going to
> simulate it. You might just do a meta rule of some smaller key
> points:
> body /dangerous attachment removed/i
> uri /fortinet\.com\/ve\?vid=\d+/
> Of course, this rule will hit on this email on your system which is
> why a header is best :-)
This is another reason why I want to be careful about rules, not to match
too much.
I have modified the rule a bit; it looks like attachments can have spaces in names.
Also, rawbody should prevent SA from concatenating multiple spaces.
rawbody FORTI_ATT_REMOVED /^Dangerous attachment removed\. The file \".{0,255}\" was infected with the
\"\S{0,63}\" virus\. It has been removed and quarantined as:
\"\S{0,31}\"\.\"https?:\/\/www\.fortinet\.com\//
I'd prefer only checking at beginning of body (for mail that has no
attachments) or at beginning of each attachment, and only text/plain
attachments/body.
> On 9/26/2022 12:20 PM, Matus UHLAR - fantomas wrote:
>> Some of the mail servers I admin are behind a Fortinet device that does
>> content inspection and removes viruses by replacing them with this
>> content:
>> ------=_NextPart_000_0012_F7463AA1.9316ADCB
>> Content-Type: text/plain; charset="utf-8"
>> Content-Transfer-Encoding: 8bit
>> Content-Length: 221
>> Connection: Close
>> Dangerous attachment removed. The file "ORDER_00812387.xlsx" was
>> infected with the "MSExcel/CVE_2017_11882!exploit" virus. It has
>> been removed and quarantined as:
>> "[disabled]"."http://www.fortinet.com/ve?vid=10022639".
>> ------=_NextPart_000_0012_F7463AA1.9316ADCB--
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.
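A way to do the check Matus describes (only text/plain parts, matched at the start of each part so a quoted mention elsewhere in the mail does not fire, file names with spaces allowed), written as an added Python example rather than anything from the thread; the MIME message below is constructed for the demo and the addresses and function names are assumptions.

```python
import email
import re
from email import policy

# Constructed sample modelled on the Fortinet replacement part quoted in the thread.
SAMPLE = b"""\
From: sender@example.invalid
To: recipient@example.invalid
Subject: order
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0012_F7463AA1.9316ADCB"

------=_NextPart_000_0012_F7463AA1.9316ADCB
Content-Type: text/plain; charset="utf-8"

Hi, your gateway said "Dangerous attachment removed" last time, resending.

------=_NextPart_000_0012_F7463AA1.9316ADCB
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Dangerous attachment removed. The file "ORDER 00812387.xlsx" was
infected with the "MSExcel/CVE_2017_11882!exploit" virus. It has
been removed and quarantined as:
"[disabled]"."http://www.fortinet.com/ve?vid=10022639".
------=_NextPart_000_0012_F7463AA1.9316ADCB--
"""

# Every gap is \s+ because the notice arrives line-wrapped; file names may contain spaces.
FORTI_RE = re.compile(
    r'\ADangerous\s+attachment\s+removed\.\s+The\s+file\s+"(?P<file>[^"]{1,255})"'
    r'\s+was\s+infected\s+with\s+the\s+"(?P<virus>\S{1,63})"\s+virus\.\s+It\s+has'
    r'\s+been\s+removed\s+and\s+quarantined\s+as:\s+"(?P<quarantine>\S{0,31})"'
    r'\."https?://www\.fortinet\.com/ve\?vid=(?P<vid>\d+)"\.'
)

def forti_removals(raw: bytes) -> list:
    """One dict per text/plain part that starts with the gateway notice."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue  # skip multipart containers, HTML and binary parts
        text = part.get_content().lstrip()
        m = FORTI_RE.match(text)  # anchored: a quoted mention mid-body does not count
        if m:
            hits.append(m.groupdict())
    return hits
```

The first text part mentions the phrase but is not matched; only the gateway's own replacement part is reported, with the file, virus and vid captured for scoring or logging.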