Posted to users@spamassassin.apache.org by Matus UHLAR - fantomas <uh...@fantomas.sk> on 2022/09/26 16:20:05 UTC

SA rule: fortinet attachment removed

Hello,

some of the mailservers I admin are behind a Fortinet device that does content 
inspection and removes viruses by replacing them with this content:

------=_NextPart_000_0012_F7463AA1.9316ADCB
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Content-Length: 221
Connection: Close

Dangerous attachment removed.  The file "ORDER_00812387.xlsx" was infected with the "MSExcel/CVE_2017_11882!exploit" virus. It has been removed and quarantined as: "[disabled]"."http://www.fortinet.com/ve?vid=10022639".
------=_NextPart_000_0012_F7463AA1.9316ADCB--

I created a rule that should catch this content and award it:

body     FORTI_ATT_REMOVED  /^Dangerous attachment removed\.  The file \"\S{0,255}\" was infected with the \"\S{0,63}\" virus\. It has been removed and quarantined as: \"\S{0,31}\"."http:\/\/www\.fortinet\.com\//
describe FORTI_ATT_REMOVED  Dangerous attachment removed by Fortinet
score    FORTI_ATT_REMOVED  5

So far, all files I found are of small size (<100K), but can (and should) I 
somehow restrict the search for this content to the beginning of attachments? 

Is there anything I should do better?

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Windows found: (R)emove, (E)rase, (D)elete

Re: SA rule: fortinet attachment removed

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 27.09.22 07:56, Kevin A. McGrail wrote:
>I use upstream filtering all the time to add points with SA but I 
>typically do it with headers.  Does Fortinet add any headers?

It does for spam detection, not when it removes suspicious attachments.

>Especially depending on the size of emails, the attachment parsing 
>plugins like OCR you might have, etc. your rule could get pretty heavy 
>in terms of parsing.

Correct, that's why I'd better not try this.

FuzzyOCR was a good plugin and ExtractText is excellent, but OCR takes too much 
CPU time.

>However, since this is a rule giving points, no bad actor is going to 
>simulate it.  You might just do a meta rule of some smaller key 
>points:
>
>body /dangerous attachment removed/i
>
>uri /fortinet\.com\/ve\?vid=\d+/

>Of course, this rule will hit on this email on your system which is 
>why a header is best :-)

This is another reason why I want to be careful about rules, not to match 
too much.

I have modified the rule a bit; it looks like attachments can have spaces in their names.

Also, rawbody should prevent SA from concatenating multiple spaces.

rawbody FORTI_ATT_REMOVED /^Dangerous attachment removed\.  The file \".{0,255}\" was infected with the \"\S{0,63}\" virus\. It has been removed and quarantined as: \"\S{0,31}\"\.\"https?:\/\/www\.fortinet\.com\//


I'd prefer checking only at the beginning of the body (for mail that has no 
attachments) or at the beginning of each attachment, and only for text/plain 
attachments/body.


>On 9/26/2022 12:20 PM, Matus UHLAR - fantomas wrote:
>>some of mailservers I admin are behind fortinet device that does 
>>content inspection and removes viruses by replacing them with 
>>content:
>>
>>------=_NextPart_000_0012_F7463AA1.9316ADCB
>>Content-Type: text/plain; charset="utf-8"
>>Content-Transfer-Encoding: 8bit
>>Content-Length: 221
>>Connection: Close
>>
>>Dangerous attachment removed.  The file "ORDER_00812387.xlsx" was 
>>infected with the "MSExcel/CVE_2017_11882!exploit" virus. It has 
>>been removed and quarantined as: 
>>"[disabled]"."http://www.fortinet.com/ve?vid=10022639".
>>------=_NextPart_000_0012_F7463AA1.9316ADCB--


-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.
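The two approaches discussed above, as an added Python example that is not part of either post or of SpamAssassin itself: it walks a MIME message and applies Matus's anchored pattern only to the start of each text/plain part (the restriction he asks for), alongside the cheaper two-key-point check Kevin suggests (phrase plus Fortinet `vid` URI). Both sample messages are constructed; the second one illustrates Kevin's caveat that a mail merely discussing the notice trips the loose check while the anchored one stays quiet. The pattern carries the fixes from the thread: spaces allowed in the filename, a literal escaped `.` before the URL, and `https?`.

```python
import email
import re
from email import policy

# Anchored pattern after the thread's rawbody rule: filename may contain
# spaces, the separator before the URL is a literal '.', http or https.
FORTI_NOTICE = re.compile(
    r'\ADangerous attachment removed\.  The file ".{0,255}" was infected with '
    r'the "\S{0,63}" virus\. It has been removed and quarantined as: '
    r'"\S{0,31}"\."https?://www\.fortinet\.com/'
)

# The two "smaller key points" from Kevin's meta-rule suggestion.
BODY_PHRASE = re.compile(r'dangerous attachment removed', re.I)
FORTI_URI = re.compile(r'fortinet\.com/ve\?vid=\d+')


def parse_message(raw):
    """Parse a raw RFC 5322 message string into an EmailMessage."""
    return email.message_from_string(raw, policy=policy.default)


def text_plain_parts(msg):
    """Yield the decoded text of every text/plain part (the body itself
    for a single-part mail, each part for multipart)."""
    for part in msg.walk():
        if part.get_content_type() == 'text/plain':
            yield part.get_content()


def forti_att_removed(msg):
    """Strict check: the notice must be the first thing in a text/plain part,
    which is what the original poster wants to restrict the rule to."""
    return any(FORTI_NOTICE.match(text.lstrip('\r\n'))
               for text in text_plain_parts(msg))


def forti_meta(msg):
    """Loose check: phrase anywhere in a text/plain part AND a Fortinet
    ve?vid= URI somewhere in a text/plain part."""
    texts = list(text_plain_parts(msg))
    has_phrase = any(BODY_PHRASE.search(t) for t in texts)
    has_uri = any(FORTI_URI.search(t) for t in texts)
    return has_phrase and has_uri


# Constructed sample: attachment replaced by the gateway notice (second part).
SAMPLE_REPLACED = """\
From: sender@example.com
To: user@example.org
Subject: order
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0012_F7463AA1.9316ADCB"

------=_NextPart_000_0012_F7463AA1.9316ADCB
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Please see the attached order.
------=_NextPart_000_0012_F7463AA1.9316ADCB
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Dangerous attachment removed.  The file "ORDER 00812387.xlsx" was infected with the "MSExcel/CVE_2017_11882!exploit" virus. It has been removed and quarantined as: "[disabled]"."http://www.fortinet.com/ve?vid=10022639".
------=_NextPart_000_0012_F7463AA1.9316ADCB--
"""

# Constructed sample: someone quoting the notice in a question (the case
# Kevin warns about); the notice does not start the part.
SAMPLE_DISCUSSION = """\
From: admin@example.org
To: users@example.org
Subject: question about a gateway notice
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Hello,

our gateway replaced an attachment with this text:

> Dangerous attachment removed.  The file "ORDER_00812387.xlsx" was infected
> with the "MSExcel/CVE_2017_11882!exploit" virus. It has been removed and
> quarantined as: "[disabled]"."http://www.fortinet.com/ve?vid=10022639".

Is that normal?
"""


def rule_hits(raw):
    """Return which of the two rules fire for a raw message string."""
    msg = parse_message(raw)
    return {'FORTI_ATT_REMOVED': forti_att_removed(msg),
            'FORTI_META': forti_meta(msg)}


if __name__ == '__main__':
    for name, raw in (('replaced', SAMPLE_REPLACED),
                      ('discussion', SAMPLE_DISCUSSION)):
        print(name, rule_hits(raw))
```

The anchored check is the one that avoids scoring mail that only talks about the notice; the loose check is cheaper but, as the thread notes, hits on threads like this one, which is why a gateway-added header, when available, is the better signal.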

Re: SA rule: fortinet attachment removed

Posted by "Kevin A. McGrail" <km...@apache.org>.
Hi Matus,

I use upstream filtering all the time to add points with SA but I 
typically do it with headers.  Does Fortinet add any headers?

Especially depending on the size of emails, the attachment parsing 
plugins like OCR you might have, etc. your rule could get pretty heavy 
in terms of parsing.

However, since this is a rule giving points, no bad actor is going to 
simulate it.  You might just do a meta rule of some smaller key points:

body /dangerous attachment removed/i

uri /fortinet\.com\/ve\?vid=\d+/

Of course, this rule will hit on this email on your system which is why 
a header is best :-)

Regards,

KAM

On 9/26/2022 12:20 PM, Matus UHLAR - fantomas wrote:
> Hello,
>
> some of mailservers I admin are behind fortinet device that does 
> content inspection and removes viruses by replacing them with content:
>
> ------=_NextPart_000_0012_F7463AA1.9316ADCB
> Content-Type: text/plain; charset="utf-8"
> Content-Transfer-Encoding: 8bit
> Content-Length: 221
> Connection: Close
>
> Dangerous attachment removed.  The file "ORDER_00812387.xlsx" was 
> infected with the "MSExcel/CVE_2017_11882!exploit" virus. It has been 
> removed and quarantined as: 
> "[disabled]"."http://www.fortinet.com/ve?vid=10022639".
> ------=_NextPart_000_0012_F7463AA1.9316ADCB--
>
> I created rule that should catch this content and award it:
>
> body     FORTI_ATT_REMOVED  /^Dangerous attachment removed\.  The file 
> \"\S{0,255}\" was infected with the \"\S{0,63}\" virus\. It has been 
> removed and quarantined as: \"\S{0,31}\"."http:\/\/www\.fortinet\.com\//
> describe FORTI_ATT_REMOVED  Dangerous attachment removed by Fortinet
> score    FORTI_ATT_REMOVED  5
>
> So far, all files I found are of small size (<100K), but can (and 
> should) I somehow restrict search for this content only as beginning 
> of attachments?
> Is there anything I should do better?
>
-- 
Kevin A. McGrail
KMcGrail@Apache.org

Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171