Hi everyone,
Has anyone experienced the intrusion prevention system blocking access to retrieving POP email before?
I have a client that has ClearOS installed, and on my daily review, I noticed that the intrusion service was down, which sometimes happens after an update. I restarted the service and everything worked fine.
Soon after that everyone was not able to retrieve any POP email... I turned off the intrusion prevention and everything worked fine...
Any ideas?
Responses (15)
Accepted Answer
The 1390 SID is a shellcode rule, and can be falsely triggered by binary downloads (it basically checks for a long string of C's...). It's a noisy rule for me here too. You can either remove the 'fwsam: src, 1 day' bit from the end or comment it out with a # if you are getting false positives.
Then restart the intrusion detection service
service snort restart
/etc/snort/shellcode.rules:alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; sid:1390; rev:5; fwsam: src, 1 day;)
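The edit described in this answer, as an added example that is not part of the thread and not ClearOS or Snort code: a small script that finds Snort 2 rules carrying the `fwsam` active-response option and either strips that option (so the rule still alerts but no longer asks SnortSam to firewall the source) or comments the whole rule out. The sample rules are constructed from the one quoted above plus a made-up POP3 rule with a hypothetical SID (9000001) to show that unrelated rules are left untouched.

```python
"""Neutralize the blocking (fwsam) option on selected Snort rules.

Added example, not ClearOS/Snort code. Assumes the classic Snort 2 text
rule format, one rule per line. Apply to a copy of the rules file, then
restart snort as the answer says.
"""
import re

# Constructed sample: the thread's SID 1390 rule plus a hypothetical POP3 rule.
SAMPLE_RULES = """\
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; sid:1390; rev:5; fwsam: src, 1 day;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"EXAMPLE pop3 probe"; flow:to_server; sid:9000001; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
# 'fwsam: <args>' up to the next ';' or the closing ')', plus the ';' itself.
FWSAM_RE = re.compile(r"\s*fwsam\s*:[^;)]*;?")


def rule_sid(rule):
    """Return the numeric SID of a rule line, or None if it has none."""
    m = SID_RE.search(rule)
    return int(m.group(1)) if m else None


def has_fwsam(rule):
    """True if the rule carries a SnortSam fwsam option."""
    return FWSAM_RE.search(rule) is not None


def strip_fwsam(rule):
    """Remove the fwsam option, keeping the rest of the rule intact."""
    out = FWSAM_RE.sub("", rule)
    # Tidy any ';  )' spacing left behind so the option list still closes cleanly.
    return re.sub(r";\s*\)", ";)", out)


def neutralize(rules_text, sids, comment_out=False):
    """Return (new_text, changed_sids).

    Rules whose SID is in `sids` and that carry fwsam either lose the option
    (default) or are commented out with '#'. Already-commented lines are skipped.
    """
    changed = []
    lines = []
    for line in rules_text.splitlines():
        sid = rule_sid(line)
        if sid in sids and has_fwsam(line) and not line.lstrip().startswith("#"):
            changed.append(sid)
            line = ("# " + line) if comment_out else strip_fwsam(line)
        lines.append(line)
    return "\n".join(lines) + "\n", changed


if __name__ == "__main__":
    text, touched = neutralize(SAMPLE_RULES, {1390})
    print("modified SIDs:", touched)
    print(text)
```

Stripping only the `fwsam` option is the less disruptive of the two choices: the alert keeps firing so the event is still visible in the IDS log, but a false positive can no longer knock a mail server or client off the network for a day.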
Accepted Answer
Nope, I am thinking I may need to rebuild this box... something doesn't sound right...
I added the IPs that were giving me the 1390, and email seems to be working, but I am still not getting any block requests... very strange.
Kevin
P.S. it is now giving me a 621 ID this morning... any idea on what that is? Snort doesn't list it.
Accepted Answer
Hmmm, I wonder... you bring up a good point.
This box that I created, when I installed the second NIC card, it defaulted eth1 to external (should be internal) and eth0 to internal.
Do you think that might have something to do with it?
I did change it over so it works, and asked the question earlier how to make it change eth0 to eth1 and so on...
I'll run your code tonight and see what it says!
Thanks Tim.
Accepted Answer
Hi Tim,
I ran your code, and it seems to show me all the rules that are allowed... I assume that's what you wanted to hear?
But when I checked today and it's been running all day, every 10 minutes I get a 621 error.
It doesn't seem to be blocking email anymore, but the error comes up every 10 minutes.
Thinking I might need to rebuild this box for some reason...
Accepted Answer
The only error, and sorry I meant Event ID number, was 621 and ran every 10 minutes so the list was LONG, but nothing else.
Once I ran your code, it displayed this
7 331 ACCEPT tcp -- * * 0.0.0.0/0 xxx.xxx.xxx.xxx tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 xxx.xxx.xxx.xxx tcp dpt:978
0 0 ACCEPT tcp -- * * 0.0.0.0/0 xxx.xxx.xxx.xxx tcp dpt:1723
0 0 ACCEPT tcp -- * * 0.0.0.0/0 xxx.xxx.xxx.xxx tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 xxx.xxx.xxx.xxx tcp dpt:1875
4 176 ACCEPT tcp -- * ppp0 xxx.xxx.xxx.xxx 0.0.0.0/0 tcp spt:80
0 0 ACCEPT tcp -- * ppp0 xxx.xxx.xxx.xxx 0.0.0.0/0 tcp spt:978
0 0 ACCEPT tcp -- * ppp0 xxx.xxx.xxx.xxx 0.0.0.0/0 tcp spt:1723
0 0 ACCEPT tcp -- * ppp0 xxx.xxx.xxx.xxx 0.0.0.0/0 tcp spt:25
0 0 ACCEPT tcp -- * ppp0 xxx.xxx.xxx.xxx 0.0.0.0/0 tcp spt:1875
That is from outside looking in.
Does that help? I am just going to rebuild it... silly really. The funny thing is I have SMTP server turned on too, and directing to the SBS 2008 server, and on my home system it lists all the emails received, on my client's machine nothing at all.
ClearOS is blocking both Server and desktop retrieving. Some users have other email setup to retrieve different POP accounts.
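As an added example (not from the thread, not ClearOS code): a parser for the `iptables -nvL` style listing pasted above, which reads each ACCEPT rule's packet counter and matched port, lists the destination ports that are open, and reports which expected ports are missing and which open ports have seen no traffic at all. The sample listing is constructed from the post, with the masked `xxx.xxx.xxx.xxx` address replaced by the documentation address 203.0.113.10 and the short ppp0 lines truncated; the "wanted" port list is whatever a site expects to forward, and POP3's 110/995 appear here only as an illustration, not as a claim about what this box should have open.

```python
"""Summarize an iptables -nvL listing: open ports, missing ports, idle rules.

Added example, not ClearOS code. Assumes the standard column order
'pkts bytes target prot opt in out source destination [extra]' and that
port matches appear in the extra column as 'dpt:N' or 'spt:N'.
"""
import re

# Constructed sample modelled on the thread's listing (address is a placeholder).
SAMPLE_IPTABLES = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
7 331 ACCEPT tcp -- * * 0.0.0.0/0 203.0.113.10 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 203.0.113.10 tcp dpt:978
0 0 ACCEPT tcp -- * * 0.0.0.0/0 203.0.113.10 tcp dpt:1723
0 0 ACCEPT tcp -- * * 0.0.0.0/0 203.0.113.10 tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 203.0.113.10 tcp dpt:1875
4 176 ACCEPT tcp -- * ppp0 203.0.113.10 0.0.0.0/0 tcp spt:80
0 0 ACCEPT tcp -- * ppp0 203.0.113.10 0.0.0.0/0 tcp spt:978
"""

PORT_RE = re.compile(r"\b(dpt|spt):(\d+)")


def parse_rules(text):
    """Return a list of dicts, one per rule line; chain headers are skipped."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        # Rule lines start with the numeric packet counter; headers do not.
        if len(parts) < 9 or not parts[0].isdigit():
            continue
        pkts, byts, target, proto, _opt, inif, outif, src, dst = parts[:9]
        extra = " ".join(parts[9:])
        m = PORT_RE.search(extra)
        rules.append({
            "pkts": int(pkts), "bytes": int(byts), "target": target,
            "proto": proto, "in": inif, "out": outif, "src": src, "dst": dst,
            "port_kind": m.group(1) if m else None,
            "port": int(m.group(2)) if m else None,
        })
    return rules


def accepted_dports(rules):
    """Destination ports that some ACCEPT rule allows in."""
    return {r["port"] for r in rules
            if r["target"] == "ACCEPT" and r["port_kind"] == "dpt"}


def missing_ports(rules, wanted):
    """Ports from `wanted` that no ACCEPT rule opens (sorted)."""
    return sorted(set(wanted) - accepted_dports(rules))


def idle_accepts(rules):
    """Open destination ports whose ACCEPT rule has matched zero packets."""
    return sorted(r["port"] for r in rules
                  if r["target"] == "ACCEPT" and r["port_kind"] == "dpt"
                  and r["pkts"] == 0)


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_IPTABLES)
    print("open inbound ports:", sorted(accepted_dports(parsed)))
    print("missing (illustrative POP3 check):", missing_ports(parsed, [110, 995]))
    print("open but idle:", idle_accepts(parsed))
```

Zero packet counters are only meaningful relative to when the counters were last reset (a firewall restart clears them), so an "idle" port says nothing more than that no packet has matched since then; it is a pointer for where to look, not a verdict.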