SMTP IPS block problem

dstjames123 — Sun, 10 Mar 2019 10:03:09 GMT

I setup ID 3110 (suspicious mail attachment)to deny attacker inline thinking that nobody needs to send those type of attachments and it would cut down on virus's. Worked fine until today when someone internal tried to send one and the IPS blocked my internal smtp server from going to the internet. Is there a way of setting up execptions in the IPS so that my internal IP range is allways allowed access? Or is there a better way of doing this?

Thanks for the help.

Re: SMTP IPS block problem

mhellman — Thu, 08 Jun 2006 17:46:13 GMT

We've seen false positives with that signature, but YMMV...they've modified it recently so maybe it's fixed.

anyway, to answer your question...there are two ways to handle this.

1) Use an event filter to subtract the action from the alarm. The mail server source ip would part of the criteria in the filter. You might want to consider creating an event variable for your entire DMZ and creating an event filter that subtracts any of the "deny" actions if DMZ=source. See Event Action Rules->Even Action Filters in the IDM.

2) add the source ip or network to the "never block addresses". See Blocking->Blocking Properties in the IDM. I don't believe this works for actions that are "deny"...you'll need an event filter for those.

topic SMTP IPS block problem in Network Security

SMTP IPS block problem

Re: SMTP IPS block problem