Solved

Custom IPS signature for Fortigate / block smtp auth failure

Posted on 2015-01-20
2
1,372 Views
Last Modified: 2015-01-21
We are regularly getting smtp auth failures on our email gateway. it used to be 535 and have changed to 504 ever since we forced smtp/tls and blocked ssl and weak cipher.

Is there a custom signature to monitor and block this on the fortigate firewall. running 5.0.10 on 60D fortigate.
0
Comment
Question by:Rajkumar Kamath
2 Comments
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 40563466
Typically as mentioned the smtp error 535 and 504 are pertaining to authentication issue, in this case the former is having incorrect password or account name and latter is likely unrecognized authentication type or need to authenticate first.

You can check out the below for custom signature, here is one example shared the custom signature that allows for 10 failures within a 2 minutes period. Typically to trigger a brute force attack against a SMTP user mailbox. Good to normalise it with your environment and monitor prior to blocking as required. There are other in the blog as well based on src ip
config ips custom
    edit "SMTP_AUTH01"
        set signature "F-SBID( --attack_id 7393;  --revision 1; --name \"SMTP_AUTH_FAILURE01\"; --service SMTP; --protocol tcp; --tcp_flags PA; --pattern \"535 Authentication failed. Restarting authentication process\"; --flow from_server,reversed; --track dst_ip; --rate 10,120; )"
    next
end

Open in new window

http://socpuppet.blogspot.sg/2014/07/example-fo-smpauth-protection-fortigate.html
For custom signature, there is another generic from Fortinet doc for reference in steps. This case shared creating custom signature looking for signature pattern of "vrfy" in service/protocol SMTP/tcp
http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%205.0%20Help/ips_signatures.153.6.html
0
 

Author Closing Comment

by:Rajkumar Kamath
ID: 40563703
Mnay thanks for the suggestion. have put them in and seems to be doing it properly. Can see quite a lot of attempts beingblocked.
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
wireshark 2 computers 8 72
GPO - Prevent user group from saving files locally C; 8 83
PCI compliance 16 51
What does GoogleTagMgr javascripts below do 5 36
This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
Pop culture is prime bait for hackers seeking to infect user’s computers and mobile devices with malicious malware. Hackers know exactly what the latest trends are online and know how to use them to their advantage.
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question