Snort3 not recognising SMTP/S but Snort2 did/does !?

ida71
Level 1

I'm in the process of updating all our FTD's from Snort2 to Snort3 & almost everything appears to work, except SMTP/S email.

Under Snort2 it shows in event logs as SMTP/S Client traffic type correctly, but when Snort3 is enabled, it does not recognise some of the mail as SMTP/S & thus blocks it. I can't seem to find anything on the internet that implies there is any known issue, so I'm a bit perplexed as to why this should be.

Anyone come across anything similar or know what the issue could be ?

Thanks

10 Replies

System support trace

Write the IP of the mail server and port.

And check the action.

Share here if you can.

MHM

ida71
Level 1

Thanks I'll give that a whirl & report back.

ida71
Level 1

So I did some captures & same as the FMC log, the AppID is Unknown.

IP's have been changed to dummy ones to protect the innocent, so don't bother looking them up.

This was a Telnet on port 25 to a target mail server that is giving problems & failed as expected when AppID showed as Telnet.

172.16.101.15 49975 -> 11.207.130.46 25 6 AS=0 ID=2 GR=1-1 Packet 1512686839: TCP ***A****, 04/16-13:45:24.065258, seq 466285998, ack 1781134703, dsize 0
172.16.101.15 49975 -> 11.207.130.46 25 6 AS=0 ID=2 GR=1-1 AppID: service: (0), client: (0), payload: (0), misc: (0)
172.16.101.15 49975 -> 11.207.130.46 25 6 AS=0 ID=2 GR=1-1 Firewall: pending rule-matching, 'MailSRVs-2-Ext-Mail', nothing has changed
172.16.101.15 49975 -> 11.207.130.46 25 6 AS=0 ID=2 GR=1-1 Policies: Network 0, Inspection 0, Detection 6
172.16.101.15 49975 -> 11.207.130.46 25 6 AS=0 ID=2 GR=1-1 Verdict: pass

172.16.101.15 49975 -> 11.207.130.46 25 6 AS=0 ID=2 GR=1-1 Packet 1512686840: TCP ***AP***, 04/16-13:45:24.065258, seq 466285998, ack 1781134703, dsize 21
172.16.101.15 49975 -> 11.207.130.46 25 6 AS=0 ID=2 GR=1-1 AppID: service: Telnet(861), client: (0), payload: (0), misc: (0)
172.16.101.15 49975 -> 11.207.130.46 25 6 AS=0 ID=2 GR=1-1 Firewall: starting rule matching, zone 6 -> 4, geo 0(0) -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, user 9999997, no url or host, no xff
172.16.101.15 49975 -> 11.207.130.46 25 6 AS=0 ID=2 GR=1-1 Firewall: block rule, 'BLOCK-Rule', force_block
172.16.101.15 49975 -> 11.207.130.46 25 6 AS=0 ID=2 GR=1-1 Stream: pending block, drop
172.16.101.15 49975 -> 11.207.130.46 25 6 AS=0 ID=2 GR=1-1 Policies: Network 0, Inspection 0, Detection 6
172.16.101.15 49975 -> 11.207.130.46 25 6 AS=0 ID=2 GR=1-1 Verdict: blacklist


This is a new email sent from the mail server. The same server sends loads of SMTP/SMTPS messages, which are classified correctly by AppID as SMTP/S, but this is one that fails:

11.207.130.46 25 -> 172.16.101.15 50822 6 AS=0 ID=10 GR=1-1 Packet 1371903406: TCP ***AP***, 04/16-13:57:49.961025, seq 887063743, ack 3108563887, dsize 46
11.207.130.46 25 -> 172.16.101.15 50822 6 AS=0 ID=10 GR=1-1 AppID: service: (0), client: (0), payload: (0), misc: (0)
11.207.130.46 25 -> 172.16.101.15 50822 6 AS=0 ID=10 GR=1-1 Firewall: pending rule-matching, 'MailSRVs-2-Ext-Mail', nothing has changed
11.207.130.46 25 -> 172.16.101.15 50822 6 AS=0 ID=10 GR=1-1 Policies: Network 0, Inspection 0, Detection 6
11.207.130.46 25 -> 172.16.101.15 50822 6 AS=0 ID=10 GR=1-1 Verdict: pass

172.16.101.15 50822 -> 11.207.130.46 25 6 AS=0 ID=10 GR=1-1 Packet 1371903407: TCP ***A****, 04/16-13:57:49.961025, seq 3108563887, ack 887063789, dsize 1380
172.16.101.15 50822 -> 11.207.130.46 25 6 AS=0 ID=10 GR=1-1 AppID: service: (-1), client: (0), payload: (0), misc: (0)
172.16.101.15 50822 -> 11.207.130.46 25 6 AS=0 ID=10 GR=1-1 Firewall: starting rule matching, zone 6 -> 4, geo 0(0) -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, user 9999997, no url or host, no xff
172.16.101.15 50822 -> 11.207.130.46 25 6 AS=0 ID=10 GR=1-1 Firewall: block rule, 'BLOCK-Rule', force_block
172.16.101.15 50822 -> 11.207.130.46 25 6 AS=0 ID=10 GR=1-1 Stream: pending block, drop
172.16.101.15 50822 -> 11.207.130.46 25 6 AS=0 ID=10 GR=1-1 Policies: Network 0, Inspection 0, Detection 6
172.16.101.15 50822 -> 11.207.130.46 25 6 AS=0 ID=10 GR=1-1 Verdict: blacklist


Any ideas?

I know it's not our mail server, so could it be the remote mail server?
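As an added triage helper (not from the thread and not a Cisco tool), here is a small Python parser for the system support trace format quoted above. It folds the per-packet lines into one record per flow ID and flags flows that were blocked while the access rule was still pending on AppID and AppID ended as -1 (Unknown), which is the pattern in the second trace; the field layout of the regexes is assumed from the quoted lines, and the sample input is the thread's own trace lines.

```python
import re

# Constructed sample: lines copied from the system support trace quoted in this thread (flows ID=2 and ID=10).
SAMPLE_TRACE = """\
172.16.101.15 49975 -> 11.207.130.46 25 6 AS=0 ID=2 GR=1-1 AppID: service: (0), client: (0), payload: (0), misc: (0)
172.16.101.15 49975 -> 11.207.130.46 25 6 AS=0 ID=2 GR=1-1 Firewall: pending rule-matching, 'MailSRVs-2-Ext-Mail', nothing has changed
172.16.101.15 49975 -> 11.207.130.46 25 6 AS=0 ID=2 GR=1-1 AppID: service: Telnet(861), client: (0), payload: (0), misc: (0)
172.16.101.15 49975 -> 11.207.130.46 25 6 AS=0 ID=2 GR=1-1 Firewall: block rule, 'BLOCK-Rule', force_block
172.16.101.15 49975 -> 11.207.130.46 25 6 AS=0 ID=2 GR=1-1 Verdict: blacklist
11.207.130.46 25 -> 172.16.101.15 50822 6 AS=0 ID=10 GR=1-1 AppID: service: (0), client: (0), payload: (0), misc: (0)
11.207.130.46 25 -> 172.16.101.15 50822 6 AS=0 ID=10 GR=1-1 Firewall: pending rule-matching, 'MailSRVs-2-Ext-Mail', nothing has changed
172.16.101.15 50822 -> 11.207.130.46 25 6 AS=0 ID=10 GR=1-1 AppID: service: (-1), client: (0), payload: (0), misc: (0)
172.16.101.15 50822 -> 11.207.130.46 25 6 AS=0 ID=10 GR=1-1 Firewall: block rule, 'BLOCK-Rule', force_block
172.16.101.15 50822 -> 11.207.130.46 25 6 AS=0 ID=10 GR=1-1 Verdict: blacklist
"""

# Assumed line layout: src sport -> dst dport proto AS=.. ID=.. GR=.. <message>
LINE_RE = re.compile(r"^(\S+) (\d+) -> (\S+) (\d+) \d+ AS=\d+ ID=(\d+) GR=\S+ (.*)$")
APPID_RE = re.compile(r"AppID: service: (\w*)\((-?\d+)\)")
RULE_RE = re.compile(r"Firewall: (pending rule-matching|block rule), '([^']+)'")
VERDICT_RE = re.compile(r"Verdict: (\w+)")

def parse_trace(text):
    """Fold trace lines into one record per flow ID, keeping the last AppID/rule/verdict seen."""
    flows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fid, msg = int(m.group(5)), m.group(6)
        f = flows.setdefault(fid, {"service": "", "service_id": 0,
                                   "pending_rule": "", "block_rule": "", "verdict": ""})
        if a := APPID_RE.search(msg):
            f["service"], f["service_id"] = a.group(1), int(a.group(2))  # -1 = AppID gave up (Unknown)
        elif r := RULE_RE.search(msg):
            f["block_rule" if r.group(1) == "block rule" else "pending_rule"] = r.group(2)
        elif v := VERDICT_RE.search(msg):
            f["verdict"] = v.group(1)
    return flows

def unknown_app_blocks(flows):
    """Flow IDs blocked while a rule was still waiting on AppID and AppID ended as -1 (Unknown)."""
    return sorted(fid for fid, f in flows.items()
                  if f["verdict"] == "blacklist" and f["service_id"] == -1 and f["pending_rule"])

if __name__ == "__main__":
    flows = parse_trace(SAMPLE_TRACE)
    for fid in unknown_app_blocks(flows):
        f = flows[fid]
        print(f"flow {fid}: '{f['pending_rule']}' never matched (AppID unknown), hit '{f['block_rule']}'")
```

Flow 2 (the manual Telnet test) is not flagged because AppID did identify it, so its block is expected; flow 10 is flagged because the app-based allow rule never got an application to match.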


AppID: service: Telnet(861)

Snort detects it as Telnet, not as email (telnet extended).

This is the point to check.

MHM

ida71
Level 1

No, Snort detected my manual PuTTY attempt (made to prove the trace was working) as Telnet, because it was. But some actual email is not recognised, though it was under Snort2!? I have had a look back at our Syslog & can see the same SRC->DST being allowed right up until Snort3 was enabled!? Looking at FMC logs shows the same DST IP from another location still running Snort2 as SMTPS traffic. Rules & Policies are identical. The only difference is that one location's FTD is running Snort3 and the other is still waiting for the update & running Snort2.

Weird but true.


You need to use

System support trace

Check the event drop GID:SID number.

Then go to Object > Intrusion Policy.

In search, write the number you get from the trace.

In action, change it from drop to alert.

MHM

ida71
Level 1

Thanks, but it's not an Intrusion block; as per the trace above it's an AppID issue ("AppID: service: (-1)"), where -1 I believe means Unknown Application, as that is how it shows in the FMC log. I've now logged a ticket with Cisco, so I can continue being their Beta tester.

blacklist <- this is returned from Snort for the non-working mail.

Do you add the IP in a blacklist?

MHM

I would raise this with TAC.

ida71
Level 1

No, not blacklisted. I have raised it with TAC & paused upgrading the rest of my FTD's until this is fixed. Thanks for the replies.