Forums

Kevin Dika
Kevin Dika
Offline
Resolved
0 votes
Hi everyone,
Has anyone experience the intrusion prevention system block access to retrieving POP email before?

I have a client that has ClearOS installed, and on my daily review, I noticed that the intrusion service was down, which something happens after a update. I restarted the service and everything worked fine.

Soon after that everyone was not able to retrieve any POP email... I turned off the intrusion prevention and everything worked fine...

Any ideas?
Wednesday, April 21 2010, 12:49 PM
Share this post:
Responses (15)
  • Accepted Answer

    Kevin Dika
    Kevin Dika
    Offline
    Thursday, April 29 2010, 03:19 PM - #Permalink
    Resolved
    0 votes
    The only error, and sorry I meant Event ID number was 621 and ran ever 10 minutes so the list was LONG, but nothing else.

    Once I ran you code, it displayed this


    7 331 ACCEPT tcp -- * * 0.0.0.0/0 xxx.xxx.xxx.xxx tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 xxx.xxx.xxx.xxx tcp dpt:978
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 xxx.xxx.xxx.xxx tcp dpt:1723
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 xxx.xxx.xxx.xxx tcp dpt:25
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 xxx.xxx.xxx.xxx tcp dpt:1875
    4 176 ACCEPT tcp -- * ppp0 xxx.xxx.xxx.xxx 0.0.0.0/0 tcp spt:80
    0 0 ACCEPT tcp -- * ppp0 xxx.xxx.xxx.xxx 0.0.0.0/0 tcp spt:978
    0 0 ACCEPT tcp -- * ppp0 xxx.xxx.xxx.xxx 0.0.0.0/0 tcp spt:1723
    0 0 ACCEPT tcp -- * ppp0 xxx.xxx.xxx.xxx 0.0.0.0/0 tcp spt:25
    0 0 ACCEPT tcp -- * ppp0 xxx.xxx.xxx.xxx 0.0.0.0/0 tcp spt:1875


    That is from outside looking in.

    does that help? I am just going to rebuild it... silly really. The funny thing is I have SMTP server turned on too, and directing to the SBS 2008 server, and on my home system it lists all the emails received, on my clients machine nothing at all.

    ClearOS is blocking both Server and desktop retrieving. Some users have other email setup to retrieve different POP accounts.
    The reply is currently minimized Show
  • Accepted Answer

    Thursday, April 29 2010, 02:19 PM - #Permalink
    Resolved
    0 votes
    Hi Kevin - sorry missed your earlier reply - what's generating the error - the iptables command? where is it output?
    The reply is currently minimized Show
  • Accepted Answer

    Kevin Dika
    Kevin Dika
    Offline
    Thursday, April 29 2010, 02:09 PM - #Permalink
    Resolved
    0 votes
    Yeah, started to block emails again.

    The only workable answer to this -for me- to disable Intrusion Prevention for the time, and I am going to rebuild the gateway.

    It's been installed for nearly a month now working fine, not sure what happen over the last week.
    The reply is currently minimized Show
  • Accepted Answer

    Kevin Dika
    Kevin Dika
    Offline
    Thursday, April 29 2010, 03:04 AM - #Permalink
    Resolved
    0 votes
    HI Tim,
    I ran your code, and it seem to show me all the rules that are allowed... I assume that's what you wanted to hear?

    But when I checked today and it's been running all day, ever 10 minutes I get a 621 error.

    It doesn't seem to be blocking email anymore, but the error comes up ever 10 minutes.

    thinking I might need to rebuild this box for some reason...
    The reply is currently minimized Show
  • Accepted Answer

    Kevin Dika
    Kevin Dika
    Offline
    Tuesday, April 27 2010, 02:42 PM - #Permalink
    Resolved
    0 votes
    Do you know what 621 could indicate?
    The reply is currently minimized Show
  • Accepted Answer

    Tuesday, April 27 2010, 02:11 PM - #Permalink
    Resolved
    0 votes
    Possibly! - although as long as the entries are correct in /etc/firewall for EXTIF and LANIF then you shouldn't have any problems
    The reply is currently minimized Show
  • Accepted Answer

    Kevin Dika
    Kevin Dika
    Offline
    Tuesday, April 27 2010, 01:46 PM - #Permalink
    Resolved
    0 votes
    Hmmm, I wonder... you bring up a good point.

    This box that I created, when I installed the second NIC card, it defaulted the eth1 to external (should be internal) and eth0 to internal.

    Do you think that might have something to do with it?

    I did change it over so it works, and ask the question earlier how to make it change eth0 to eth1 and so on...

    I'll run your code tonight and see what it says!

    Thanks Tim.
    The reply is currently minimized Show
  • Accepted Answer

    Tuesday, April 27 2010, 12:57 PM - #Permalink
    Resolved
    0 votes
    if you run the following do your IP's appear in the firewall rules?

    iptables -L -n -v | grep 1.2.3.4

    Substitute yours for 1.2.3.4

    You could also check the output of 'snortsam-state' for blocked ip's...although they should appear in the webconfig
    The reply is currently minimized Show
  • Accepted Answer

    Kevin Dika
    Kevin Dika
    Offline
    Tuesday, April 27 2010, 12:42 PM - #Permalink
    Resolved
    0 votes
    Nope, I am thinking I may need to rebuild this box... something doesn't sound right...

    I added the IP's that were giving me the 1390, and email seems to be working, but I am still not getting any block requests... very strange.

    Kevin

    P.S. it is now giving me a 621 ID this morning... any idea on what that is? Snort doesn't list it.
    The reply is currently minimized Show
  • Accepted Answer

    Tuesday, April 27 2010, 12:01 PM - #Permalink
    Resolved
    0 votes
    Hmm do you use the protocol filter?
    The reply is currently minimized Show
  • Accepted Answer

    Kevin Dika
    Kevin Dika
    Offline
    Tuesday, April 27 2010, 02:45 AM - #Permalink
    Resolved
    0 votes
    Tim,

    Hmmm out of the blue it started blocking pop mail again... but the strange thing about all this is I check the intrusion report all the time, and nothing is listed. I mean NOTHING. I usually see Ping request blocked, but nothing...

    Kevin
    The reply is currently minimized Show
  • Accepted Answer

    Wednesday, April 21 2010, 02:10 PM - #Permalink
    Resolved
    0 votes
    p.s couldn't find any references to the first SID?
    The reply is currently minimized Show
  • Accepted Answer

    Wednesday, April 21 2010, 02:06 PM - #Permalink
    Resolved
    0 votes
    The 1390 SID is a shellcode rule, and can be falsely triggered by binary downloads (it basically checks for a long string of C's...it's a noisy rule for me here too. You can either remove the 'fwsam: src, 1 day' bit from the end of comment it out with a # if you are getting false positives

    Then restart the intrusion detection service
    service snort restart


    /etc/snort/shellcode.rules:alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; sid:1390; rev:5; fwsam: src, 1 day;)
    The reply is currently minimized Show
  • Accepted Answer

    Kevin Dika
    Kevin Dika
    Offline
    Wednesday, April 21 2010, 01:34 PM - #Permalink
    Resolved
    0 votes
    one 20000257 (or something) and 3 1390 SID rules.

    I'll give that a try tonight and see if it works! Just find it strange that's all. But I am glad they are secure. SO SECURE that they can't even get their emails! hahaha :-)
    The reply is currently minimized Show
  • Accepted Answer

    Wednesday, April 21 2010, 01:16 PM - #Permalink
    Resolved
    0 votes
    Hi Kevin - what SID rule numbers are causing the POP IP addresses to be blocked?

    Assuming they are part of the pop3 snort rules, uou can disable the POP3 rules from the intrusion detection screen, and then remove all the IP's from the Intrusion Prevention page to get back up and running
    The reply is currently minimized Show
Your Reply