Solved

Custom IPS signature for Fortigate / block smtp auth failure

Posted on 2015-01-20
2
1,541 Views
Last Modified: 2015-01-21
We are regularly getting smtp auth failures on our email gateway. it used to be 535 and have changed to 504 ever since we forced smtp/tls and blocked ssl and weak cipher.

Is there a custom signature to monitor and block this on the fortigate firewall. running 5.0.10 on 60D fortigate.
0
Comment
Question by:Rajkumar Kamath
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 64

Accepted Solution

by:
btan earned 500 total points
ID: 40563466
Typically as mentioned the smtp error 535 and 504 are pertaining to authentication issue, in this case the former is having incorrect password or account name and latter is likely unrecognized authentication type or need to authenticate first.

You can check out the below for custom signature, here is one example shared the custom signature that allows for 10 failures within a 2 minutes period. Typically to trigger a brute force attack against a SMTP user mailbox. Good to normalise it with your environment and monitor prior to blocking as required. There are other in the blog as well based on src ip
config ips custom
    edit "SMTP_AUTH01"
        set signature "F-SBID( --attack_id 7393;  --revision 1; --name \"SMTP_AUTH_FAILURE01\"; --service SMTP; --protocol tcp; --tcp_flags PA; --pattern \"535 Authentication failed. Restarting authentication process\"; --flow from_server,reversed; --track dst_ip; --rate 10,120; )"
    next
end

Open in new window

http://socpuppet.blogspot.sg/2014/07/example-fo-smpauth-protection-fortigate.html
For custom signature, there is another generic from Fortinet doc for reference in steps. This case shared creating custom signature looking for signature pattern of "vrfy" in service/protocol SMTP/tcp
http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%205.0%20Help/ips_signatures.153.6.html
0
 

Author Closing Comment

by:Rajkumar Kamath
ID: 40563703
Mnay thanks for the suggestion. have put them in and seems to be doing it properly. Can see quite a lot of attempts beingblocked.
0

Featured Post

Building an interactive eFuture classroom

Watch and learn how ATEN provided a total control system solution including seamless switching matrix switch, HDBaseT extenders, PDU, lighting control to build an interactive eFuture classroom.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Phishing is at the top of most security top 10 efforts you should be pursuing in 2016 and beyond. If you don't have phishing incorporated into your Security Awareness Program yet, now is the time. Phishers, and the scams they use, are only going to …
When you’re making plans to join the modern business race, you should analyze various details that may affect your results. Nowadays, millions of businesses are trying to grow into established and appreciated professional enterprises.
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

724 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question