SMTP Brute Force - different source IPs

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

SMTP Brute Force - different source IPs

L3 Networker

The scenario I am seeing is SMTP brute force attempts against a username, but each time the source IP address is different, I guess they are using a botnet.  Exchange will tarpit the IP for 30 seconds for the failed authentication, but it doesn't matter as the next attempt comes from a different IP address.

 

Can someone suggest a custom signature, or modification to the existing smtp signature to stop these types of attempts (blacklist the IP).  The accounts eventually lock out as a result.

 

Second scenario is login attempts against usernames that no longer exist... I'd love to maintain a list of ex-employees and then blacklist any IP which tries to authenticate against one of them.

4 REPLIES 4

L6 Presenter

I have not done this for SMTP just for HTTP with web form authentication where I matched based on parameter name and the server login page response content (Successful or Failed) but maybe with the context "smtp-req-protocol-payload" you can match the "AUTH LOGIN" command and after that you will need to check the SMTP response that if it has message like "auth failed" or "user does not exist".

 

https://docs.paloaltonetworks.com/pan-os/u-v/custom-app-id-and-threat-signatures/custom-application-...

 

https://docs.paloaltonetworks.com/pan-os/u-v/custom-app-id-and-threat-signatures/custom-application-...

 

 

For more about SMTP auth maybe see:

 

https://mailtrap.io/blog/smtp-auth/

 

 

Also after you have matched the correct smtp reqest body with the auth command and the smtp response you will need to make combination signature to block the ip address if it gets the SMTP response for failed auth after maybe 5 attempts in 30 minutes:

 

--------

 

Under
Time Attributespecify the following:

  • Number of Hits—Specify the threshold that will trigger any policy-based action as a number of hits (1-1000) in a specified number of seconds (1-3600).
  • Aggregation Criteria—Specify whether the hits are tracked by source IP address, destination IP address, or a combination of source and destination IP addresses.
  • To move a condition within a group, select the condition and click
    Move Upor
    Move Down.
     
     
     
    -------
     
     
     
     
    For Aggregation Criteria select source IP and take a look at:

https://docs.paloaltonetworks.com/pan-os/u-v/custom-app-id-and-threat-signatures/custom-application-...

 

 

Also better the signature be with scope session as we want to match smtp request command and smtp response payload. Maybe see the link below to get the idea:

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSOCA0

 

 

L6 Presenter

If you managed to get the needed answers, please flag the question as answered.

L3 Networker

Sorry, I'm slow... I haven't had time to investigate your proposed solution.

I may soon create a POST with an example for Brute Force match on HTTP web page web form that can help you out with the SMTP stuff as I also became interested in the results 🙂

  • 3279 Views
  • 4 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!