04-15-2024 03:07 AM
I'm in the process of updating all our FTDs from Snort2 to Snort3 & almost everything appears to work, except SMTP/S email.
Under Snort2 it shows in event logs as SMTP/S Client traffic type correctly, but when Snort3 is enabled, it does not recognise some of the mail as SMTP/S & thus blocks it. I can't seem to find anything on the internet that implies there is any known issue, so I'm a bit perplexed as to why this should be.
Anyone come across anything similar or know what the issue could be?
Thanks
04-15-2024 03:40 AM
System support trace
Write the IP of the mail server and port
And check the action
Share here if you can
MHM
04-16-2024 05:38 AM
Thanks I'll give that a whirl & report back.
04-16-2024 07:26 AM - edited 04-16-2024 07:28 AM
So I did some captures & same as the FMC log, the AppID is Unknown.
IPs have been changed to dummy ones to protect the innocent, so don't bother looking them up.
This was a Telnet on port 25 to a target mail server that is giving problems & failed as expected when AppID showed as Telnet.
172.16.101.15 49975 -> 11.207.130.46 25 6 AS=0 ID=2 GR=1-1 Packet 1512686839: TCP ***A****, 04/16-13:45:24.065258, seq 466285998, ack 1781134703, dsize 0
172.16.101.15 49975 -> 11.207.130.46 25 6 AS=0 ID=2 GR=1-1 AppID: service: (0), client: (0), payload: (0), misc: (0)
172.16.101.15 49975 -> 11.207.130.46 25 6 AS=0 ID=2 GR=1-1 Firewall: pending rule-matching, 'MailSRVs-2-Ext-Mail', nothing has changed
172.16.101.15 49975 -> 11.207.130.46 25 6 AS=0 ID=2 GR=1-1 Policies: Network 0, Inspection 0, Detection 6
172.16.101.15 49975 -> 11.207.130.46 25 6 AS=0 ID=2 GR=1-1 Verdict: pass
172.16.101.15 49975 -> 11.207.130.46 25 6 AS=0 ID=2 GR=1-1 Packet 1512686840: TCP ***AP***, 04/16-13:45:24.065258, seq 466285998, ack 1781134703, dsize 21
172.16.101.15 49975 -> 11.207.130.46 25 6 AS=0 ID=2 GR=1-1 AppID: service: Telnet(861), client: (0), payload: (0), misc: (0)
172.16.101.15 49975 -> 11.207.130.46 25 6 AS=0 ID=2 GR=1-1 Firewall: starting rule matching, zone 6 -> 4, geo 0(0) -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, user 9999997, no url or host, no xff
172.16.101.15 49975 -> 11.207.130.46 25 6 AS=0 ID=2 GR=1-1 Firewall: block rule, 'BLOCK-Rule', force_block
172.16.101.15 49975 -> 11.207.130.46 25 6 AS=0 ID=2 GR=1-1 Stream: pending block, drop
172.16.101.15 49975 -> 11.207.130.46 25 6 AS=0 ID=2 GR=1-1 Policies: Network 0, Inspection 0, Detection 6
172.16.101.15 49975 -> 11.207.130.46 25 6 AS=0 ID=2 GR=1-1 Verdict: blacklist
This is a new email sent from the mail server. The same server sends loads of SMTP/SMTPS messages, which are classified correctly by AppID as SMTP/S, but this is one that fails:
11.207.130.46 25 -> 172.16.101.15 50822 6 AS=0 ID=10 GR=1-1 Packet 1371903406: TCP ***AP***, 04/16-13:57:49.961025, seq 887063743, ack 3108563887, dsize 46
11.207.130.46 25 -> 172.16.101.15 50822 6 AS=0 ID=10 GR=1-1 AppID: service: (0), client: (0), payload: (0), misc: (0)
11.207.130.46 25 -> 172.16.101.15 50822 6 AS=0 ID=10 GR=1-1 Firewall: pending rule-matching, 'MailSRVs-2-Ext-Mail', nothing has changed
11.207.130.46 25 -> 172.16.101.15 50822 6 AS=0 ID=10 GR=1-1 Policies: Network 0, Inspection 0, Detection 6
11.207.130.46 25 -> 172.16.101.15 50822 6 AS=0 ID=10 GR=1-1 Verdict: pass
172.16.101.15 50822 -> 11.207.130.46 25 6 AS=0 ID=10 GR=1-1 Packet 1371903407: TCP ***A****, 04/16-13:57:49.961025, seq 3108563887, ack 887063789, dsize 1380
172.16.101.15 50822 -> 11.207.130.46 25 6 AS=0 ID=10 GR=1-1 AppID: service: (-1), client: (0), payload: (0), misc: (0)
172.16.101.15 50822 -> 11.207.130.46 25 6 AS=0 ID=10 GR=1-1 Firewall: starting rule matching, zone 6 -> 4, geo 0(0) -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, user 9999997, no url or host, no xff
172.16.101.15 50822 -> 11.207.130.46 25 6 AS=0 ID=10 GR=1-1 Firewall: block rule, 'BLOCK-Rule', force_block
172.16.101.15 50822 -> 11.207.130.46 25 6 AS=0 ID=10 GR=1-1 Stream: pending block, drop
172.16.101.15 50822 -> 11.207.130.46 25 6 AS=0 ID=10 GR=1-1 Policies: Network 0, Inspection 0, Detection 6
172.16.101.15 50822 -> 11.207.130.46 25 6 AS=0 ID=10 GR=1-1 Verdict: blacklist
Any ideas?
I know it's not our mail server, so could it be the remote mail server?
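A small triage helper, added here as an example and not part of the thread or of any Cisco tooling, that parses system support trace lines in the layout shown above (the format is assumed from those quoted lines only) and separates flows blocked after AppID positively identified a service (the Telnet test) from flows blocked while the service was still unidentified (code -1, which the poster reads as Unknown Application):

```python
import re

# Line layout assumed from the trace lines quoted in the post above; only the
# fields visible there are used: 5-tuple, ID=, then the engine message.
_HDR = re.compile(r"^(\S+) (\d+) -> (\S+) (\d+) (\d+) AS=\d+ ID=(\d+) GR=\S+ (.*)$")
_APPID = re.compile(r"AppID: service: ([\w-]*)\((-?\d+)\)")
_RULE = re.compile(r"Firewall: (\w+) rule, '([^']+)'")

def parse_trace(text):
    """Fold per-packet trace lines into one record per flow (both directions)."""
    flows = {}
    for line in text.splitlines():
        m = _HDR.match(line.strip())
        if not m:
            continue  # skip anything that is not a trace line
        src, sport, dst, dport, proto, fid, rest = m.groups()
        key = (int(fid), frozenset({(src, int(sport)), (dst, int(dport))}))
        f = flows.setdefault(key, {"id": int(fid), "proto": int(proto), "appid": None,
                                   "appid_code": None, "action": None, "rule": None,
                                   "verdict": None})
        a = _APPID.search(rest)
        if a:  # later AppID lines supersede earlier ones: (0) pending -> final code
            f["appid"], f["appid_code"] = a.group(1) or None, int(a.group(2))
        r = _RULE.search(rest)
        if r:
            f["action"], f["rule"] = r.group(1), r.group(2)
        if rest.startswith("Verdict:"):
            f["verdict"] = rest.split(":", 1)[1].strip()  # last verdict wins
    return list(flows.values())

def unknown_app_blocks(flows):
    """Blocked flows where AppID never named a service (code -1, read as Unknown)."""
    return [f for f in flows if f["verdict"] == "blacklist"
            and f["action"] == "block" and f["appid_code"] == -1]

# Constructed sample: a subset of the trace lines from the post above.
SAMPLE = """\
172.16.101.15 49975 -> 11.207.130.46 25 6 AS=0 ID=2 GR=1-1 AppID: service: Telnet(861), client: (0), payload: (0), misc: (0)
172.16.101.15 49975 -> 11.207.130.46 25 6 AS=0 ID=2 GR=1-1 Firewall: block rule, 'BLOCK-Rule', force_block
172.16.101.15 49975 -> 11.207.130.46 25 6 AS=0 ID=2 GR=1-1 Verdict: blacklist
11.207.130.46 25 -> 172.16.101.15 50822 6 AS=0 ID=10 GR=1-1 AppID: service: (0), client: (0), payload: (0), misc: (0)
11.207.130.46 25 -> 172.16.101.15 50822 6 AS=0 ID=10 GR=1-1 Verdict: pass
172.16.101.15 50822 -> 11.207.130.46 25 6 AS=0 ID=10 GR=1-1 AppID: service: (-1), client: (0), payload: (0), misc: (0)
172.16.101.15 50822 -> 11.207.130.46 25 6 AS=0 ID=10 GR=1-1 Firewall: block rule, 'BLOCK-Rule', force_block
172.16.101.15 50822 -> 11.207.130.46 25 6 AS=0 ID=10 GR=1-1 Verdict: blacklist
"""

if __name__ == "__main__":
    for f in unknown_app_blocks(parse_trace(SAMPLE)):
        print(f"flow ID={f['id']} blocked by '{f['rule']}' with AppID service unidentified")
```

Run against a full trace, the list it returns is the set of connections to take to TAC: blocks caused by a classification gap rather than by a rule matching a named application.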
04-16-2024 07:32 AM
AppID: service: Telnet(861)
Snort detects it as telnet, not as email telnet extended.
This is the point to check.
MHM
04-16-2024 07:38 AM
No, Snort detected my manual PuTTY attempt to prove the trace was working as Telnet, because it was. But some actual email is not recognised, yet it was under Snort2!? I have had a look back at our Syslog & can see the same SRC->DST being allowed right up until Snort3 was enabled!? Looking at FMC logs shows the same DST IP from another location still running Snort2 as SMTPS traffic. Rules & Policies are identical. The only difference is one location's FTD is running Snort3, the other is still waiting for the update & running Snort2.
Weird but true.
04-18-2024 12:57 AM
You need to use
System support trace
Check the event drop GID:SID number
Then go to object intrusion policy
In search write the number you get from trace
In action change it from drop to alert
MHM
04-18-2024 01:19 AM
Thanks, but it's not an Intrusion block; as per the trace above it's an AppID issue, "AppID: service: (-1)", where -1 I believe means Unknown Application, as that is how it shows in the FMC log. I've now logged a ticket with Cisco, so I can continue being their Beta tester.
04-18-2024 01:43 AM
blacklist <- this is returned from snort for the non-working mail.
Did you add the IP to a blacklist?
MHM
04-18-2024 02:07 AM
I would raise this with TAC.
04-18-2024 05:57 AM
No, not blacklisted. I have raised it with TAC & paused upgrading the rest of my FTDs until this is fixed. Thanks for the replies.