?
Solved

Custom IPS signature for Fortigate / block smtp auth failure

Posted on 2015-01-20
2
Medium Priority
?
1,657 Views
Last Modified: 2015-01-21
We are regularly getting smtp auth failures on our email gateway. it used to be 535 and have changed to 504 ever since we forced smtp/tls and blocked ssl and weak cipher.

Is there a custom signature to monitor and block this on the fortigate firewall. running 5.0.10 on 60D fortigate.
0
Comment
Question by:Rajkumar Kamath
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 64

Accepted Solution

by:
btan earned 2000 total points
ID: 40563466
Typically as mentioned the smtp error 535 and 504 are pertaining to authentication issue, in this case the former is having incorrect password or account name and latter is likely unrecognized authentication type or need to authenticate first.

You can check out the below for custom signature, here is one example shared the custom signature that allows for 10 failures within a 2 minutes period. Typically to trigger a brute force attack against a SMTP user mailbox. Good to normalise it with your environment and monitor prior to blocking as required. There are other in the blog as well based on src ip
config ips custom
    edit "SMTP_AUTH01"
        set signature "F-SBID( --attack_id 7393;  --revision 1; --name \"SMTP_AUTH_FAILURE01\"; --service SMTP; --protocol tcp; --tcp_flags PA; --pattern \"535 Authentication failed. Restarting authentication process\"; --flow from_server,reversed; --track dst_ip; --rate 10,120; )"
    next
end

Open in new window

http://socpuppet.blogspot.sg/2014/07/example-fo-smpauth-protection-fortigate.html
For custom signature, there is another generic from Fortinet doc for reference in steps. This case shared creating custom signature looking for signature pattern of "vrfy" in service/protocol SMTP/tcp
http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%205.0%20Help/ips_signatures.153.6.html
0
 

Author Closing Comment

by:Rajkumar Kamath
ID: 40563703
Mnay thanks for the suggestion. have put them in and seems to be doing it properly. Can see quite a lot of attempts beingblocked.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Getting to know the threat landscape in which DDoS has evolved, and making the right choice to get ourselves geared up to defend against  DDoS attacks effectively. Get the necessary preparation works done and focus on Doing the First Things Right.
We aren’t perfect, just like everyone else.  Check out the email errors our community caught and learn the top errors every email marketer should avoid.
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
This tutorial will teach you the special effect of super speed similar to the fictional character Wally West aka "The Flash" After Shake : http://www.videocopilot.net/presets/after_shake/ All lightning effects with instructions : http://www.mediaf…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question