Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Custom IPS signature for Fortigate / block smtp auth failure

Posted on 2015-01-20
2
Medium Priority
?
1,781 Views
Last Modified: 2015-01-21
We are regularly getting smtp auth failures on our email gateway. it used to be 535 and have changed to 504 ever since we forced smtp/tls and blocked ssl and weak cipher.

Is there a custom signature to monitor and block this on the fortigate firewall. running 5.0.10 on 60D fortigate.
0
Comment
Question by:Rajkumar Kamath
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 65

Accepted Solution

by:
btan earned 2000 total points
ID: 40563466
Typically as mentioned the smtp error 535 and 504 are pertaining to authentication issue, in this case the former is having incorrect password or account name and latter is likely unrecognized authentication type or need to authenticate first.

You can check out the below for custom signature, here is one example shared the custom signature that allows for 10 failures within a 2 minutes period. Typically to trigger a brute force attack against a SMTP user mailbox. Good to normalise it with your environment and monitor prior to blocking as required. There are other in the blog as well based on src ip
config ips custom
    edit "SMTP_AUTH01"
        set signature "F-SBID( --attack_id 7393;  --revision 1; --name \"SMTP_AUTH_FAILURE01\"; --service SMTP; --protocol tcp; --tcp_flags PA; --pattern \"535 Authentication failed. Restarting authentication process\"; --flow from_server,reversed; --track dst_ip; --rate 10,120; )"
    next
end

Open in new window

http://socpuppet.blogspot.sg/2014/07/example-fo-smpauth-protection-fortigate.html
For custom signature, there is another generic from Fortinet doc for reference in steps. This case shared creating custom signature looking for signature pattern of "vrfy" in service/protocol SMTP/tcp
http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%205.0%20Help/ips_signatures.153.6.html
0
 

Author Closing Comment

by:Rajkumar Kamath
ID: 40563703
Mnay thanks for the suggestion. have put them in and seems to be doing it properly. Can see quite a lot of attempts beingblocked.
0

Featured Post

Looking for the Wi-Fi vendor that's right for you?

We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
What monsters are hiding in your child's room? In this article I will share with you a tech horror story that could happen to anyone, along with some tips on how you can prevent it from happening to you.
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…

609 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question