topic Re: SMTP Brute Force - different source IPs in Custom Signatures

SMTP Brute Force - different source IPs

cenders — Wed, 10 Aug 2022 13:56:14 GMT

The scenario I am seeing is SMTP brute force attempts against a username, but each time the source IP address is different, I guess they are using a botnet. Exchange will tarpit the IP for 30 seconds for the failed authentication, but it doesn't matter as the next attempt comes from a different IP address.

Can someone suggest a custom signature, or modification to the existing smtp signature to stop these types of attempts (blacklist the IP). The accounts eventually lock out as a result.

Second scenario is login attempts against usernames that no longer exist... I'd love to maintain a list of ex-employees and then blacklist any IP which tries to authenticate against one of them.

Re: SMTP Brute Force - different source IPs

nikoolayy1 — Wed, 24 Aug 2022 12:28:00 GMT

I have not done this for SMTP just for HTTP with web form authentication where I matched based on parameter name and the server login page response content (Successful or Failed) but maybe with the context "smtp-req-protocol-payload" you can match the "AUTH LOGIN" command and after that you will need to check the SMTP response that if it has message like "auth failed" or "user does not exist".

https://docs.paloaltonetworks.com/pan-os/u-v/custom-app-id-and-threat-signatures/custom-application-and-threat-signatures/custom-signature-contexts/string-contexts/smtp-req-protocol-payload

https://docs.paloaltonetworks.com/pan-os/u-v/custom-app-id-and-threat-signatures/custom-application-and-threat-signatures/custom-signature-contexts/string-contexts/smtp-rsp-content

For more about SMTP auth maybe see:

https://mailtrap.io/blog/smtp-auth/

Also after you have matched the correct smtp reqest body with the auth command and the smtp response you will need to make combination signature to block the ip address if it gets the SMTP response for failed auth after maybe 5 attempts in 30 minutes:

--------

Under

Time Attributespecify the following:

Number of Hits—Specify the threshold that will trigger any policy-based action as a number of hits (1-1000) in a specified number of seconds (1-3600).
Aggregation Criteria—Specify whether the hits are tracked by source IP address, destination IP address, or a combination of source and destination IP addresses.
To move a condition within a group, select the condition and click
Move Upor
Move Down.

-------

For Aggregation Criteria select source IP and take a look at:

https://docs.paloaltonetworks.com/pan-os/u-v/custom-app-id-and-threat-signatures/custom-application-and-threat-signatures/about-custom-threat-signatures/combination-signatures-for-brute-force-attacks

Also better the signature be with scope session as we want to match smtp request command and smtp response payload. Maybe see the link below to get the idea:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSOCA0

Re: SMTP Brute Force - different source IPs

nikoolayy1 — Thu, 13 Oct 2022 21:19:53 GMT

If you managed to get the needed answers, please flag the question as answered.

Re: SMTP Brute Force - different source IPs

cenders — Thu, 13 Oct 2022 22:47:05 GMT

Sorry, I'm slow... I haven't had time to investigate your proposed solution.

Re: SMTP Brute Force - different source IPs

nikoolayy1 — Wed, 02 Nov 2022 18:36:44 GMT

I may soon create a POST with an example for Brute Force match on HTTP web page web form that can help you out with the SMTP stuff as I also became interested in the results 🙂