topic Re: SMTP Signature Help in Custom Signatures

SMTP Signature Help

NickAssar — Mon, 07 Aug 2017 20:34:07 GMT

We have been slammed with random Chinese IP addresses attemping to brute-force accounts via SMTP. Amusingly enough, our gateway doesn't even support that feature but the amount of traffic attempting it is consuming all available ports.

I was able to make a signature to catch it when the server responds back with a "502 Unsupported" command but the problem is this alone makes Palo Alto think the attacker is always the server and not the client. So I need to add something to detect the client's traffic first...

The clients are sending an "AUTH LOGIN" command. I can create a rule to detect the AUTH part but the string for "LOGIN" has to be at least 7 characters, which is impossible to meet those requirements. I then tried to create a negate rule but that didn't work and it wouldn't detect the rule at all. So any ideas how to get this to work?

For the time being I just created a DOS resource policy to only allow 5 concurrent source-IP connections. It works but I'd rather have a rule to actually block-IP the attacker for 30 minutes then just let them continue attacking us.

I contacted support and they redirected my case to the threat team. The threat team then sent me here saying they do not offer help on custom signatures and to post any questions in the forums...

Re: SMTP Signature Help

jvalentine — Mon, 07 Aug 2017 21:07:10 GMT

Why are you making a custom signature for this? You can modify the action for the built-in SMTP brute force, assuming it's triggering.

You can make the change in your Vulnerability Protection object, under Exceptions. Add an exception for the SMTP Brute Force and change the action.

Re: SMTP Signature Help

NickAssar — Mon, 07 Aug 2017 21:19:14 GMT

The built-in filter only looks for the 535 response. Our appliance doesn't support the AUTH command so it doesn't respond with a 535, only 502 (Unsupported command).

"If a session has the same source and destination but triggers our child signature, 31709, 10 times in 60 seconds, we call it is a brute force attack.

The child signature, 31709, works on 3 apps, smtp, pop3 and imap.

The trigger condition is found in response code 535 in smtp, "No/bad logon/login failure" pattern in imap and "-ERR" on pop3 PASS command."

Re: SMTP Signature Help

jvalentine — Mon, 07 Aug 2017 21:46:10 GMT

Can you share a packet capture from one of these events?

Re: SMTP Signature Help

NickAssar — Wed, 09 Aug 2017 01:11:05 GMT

No, but I was able to get the signature to work using the (or) | and adding frivolous text.

Now the issue is when adding a combo signature to include the one I just created, I get an error "Threat 41001 is not known -- cannot be added to this signature." Not sure if this is a bug (Panorama 7.1.11) but even trying to recreate the Wordpress brute-force example document from 2016 just to verify if that works -- I still get the same error. *sigh*

Re: SMTP Signature Help

NickAssar — Wed, 09 Aug 2017 01:26:00 GMT

Definitely a bug. I was able to create it on the firewall itself without that error coming up, then exported the rule and imported it back into Panorama just fine.