?
Solved

Custom IPS signature for Fortigate / block smtp auth failure

Posted on 2015-01-20
2
Medium Priority
?
1,861 Views
Last Modified: 2015-01-21
We are regularly getting smtp auth failures on our email gateway. it used to be 535 and have changed to 504 ever since we forced smtp/tls and blocked ssl and weak cipher.

Is there a custom signature to monitor and block this on the fortigate firewall. running 5.0.10 on 60D fortigate.
0
Comment
Question by:Rajkumar Kamath
2 Comments
 
LVL 65

Accepted Solution

by:
btan earned 2000 total points
ID: 40563466
Typically as mentioned the smtp error 535 and 504 are pertaining to authentication issue, in this case the former is having incorrect password or account name and latter is likely unrecognized authentication type or need to authenticate first.

You can check out the below for custom signature, here is one example shared the custom signature that allows for 10 failures within a 2 minutes period. Typically to trigger a brute force attack against a SMTP user mailbox. Good to normalise it with your environment and monitor prior to blocking as required. There are other in the blog as well based on src ip
config ips custom
    edit "SMTP_AUTH01"
        set signature "F-SBID( --attack_id 7393;  --revision 1; --name \"SMTP_AUTH_FAILURE01\"; --service SMTP; --protocol tcp; --tcp_flags PA; --pattern \"535 Authentication failed. Restarting authentication process\"; --flow from_server,reversed; --track dst_ip; --rate 10,120; )"
    next
end

Open in new window

http://socpuppet.blogspot.sg/2014/07/example-fo-smpauth-protection-fortigate.html
For custom signature, there is another generic from Fortinet doc for reference in steps. This case shared creating custom signature looking for signature pattern of "vrfy" in service/protocol SMTP/tcp
http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%205.0%20Help/ips_signatures.153.6.html
0
 

Author Closing Comment

by:Rajkumar Kamath
ID: 40563703
Mnay thanks for the suggestion. have put them in and seems to be doing it properly. Can see quite a lot of attempts beingblocked.
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How does someone stay on the right and legal side of the hacking world?
In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question