topic Re: Non-SMTP Session Start Question in Network Security

Non-SMTP Session Start Question

rrutledge — Sun, 10 Mar 2019 10:28:42 GMT

I'm getting hundreds of triggers on signature 5748 Non-SMTP Session Start. When I put a block host on this signature I stop getting e-mail. Should this be considered normal traffic.

Re: Non-SMTP Session Start Question

edwakim — Mon, 19 Feb 2007 20:39:31 GMT

Hi,

Regarding signature 5748 firing SMTP session initiation with something other than HELO or EHLO. See below for MySDN link on this

signature

http://tools.cisco.com/MySDN/Intelligence/viewSignature.x?signatureId=5748&signatureSubId=0

I'm assuming subsig 0. Is this true?

This is likely a type of reconnaissance attack to see if you are running

an smtp service at this IP address and what type and version number of

smtp software you're running (i.e., Sendmail, Postfix, Microsoft

Exchange, etc.) as they'll get the smtp banner after their initial

connect.

When you see the signature alert, who's the attacker?

You can turn on 'produce verbose alert' to see more information.

Thank you.

Edward

Re: Non-SMTP Session Start Question

rrutledge — Mon, 19 Feb 2007 22:01:12 GMT

Hi,

Today the signature was triggered 2698 times, from 349 hosts (90% public addesses). I am also seeing this triggered by local addresses, but I suppose the public one's are what I should be concerned with. As I stated before I did try and block hosts on this signature, but I am considering adding and exception for local address, and only block public.

Re: Non-SMTP Session Start Question

wsulym — Tue, 20 Feb 2007 14:19:45 GMT

Can you add "produce verbose alert" as an action to 5748-0, then from the cli capture "show event alert | in id=5748" and send that to me offline at wsulym@cisco.com. I might have stumbled across something looking at some other traffic and would like to confirm.

Thanks.

Re: Non-SMTP Session Start Question

bitterman — Tue, 20 Feb 2007 14:25:17 GMT

PIX smtp fixup causes this. If you have a pix, disable the sig or disable fixup.

Re: Non-SMTP Session Start Question

wsulym — Tue, 20 Feb 2007 14:36:11 GMT

It shouldn't. The signature looks for either HELO EHLO or XXXX at the beginning of the stream - if it's not one of those, the signature will fire. The pix uses XXXX in smtp fixup.

Re: Non-SMTP Session Start Question

rrutledge — Tue, 20 Feb 2007 14:38:41 GMT

I have the fix-up for smtp disabled

Re: Non-SMTP Session Start Question

wsulym — Wed, 21 Feb 2007 15:06:12 GMT

I took this offline with rrutledge. Just so that there's some closure to this thread, in the end, what happened was that 'produce-alert' was set on the subsignatures, and that was what was seen flooding the event store (specifically subsigs -1 & -2). The subsigs will fire on normal traffic and should not have produce alert set.

Re: Non-SMTP Session Start Question

hannatest — Thu, 17 Jan 2008 21:12:32 GMT

Not in my case. I have the Sig 5748/3 set to "None", but Sig 5748/0 still fires on the "XXXX" command.

Re: Non-SMTP Session Start Question

hannatest — Fri, 18 Jan 2008 16:12:34 GMT

The IPS version is 6.0(3)E1.The triggered packets were captured.They are the 0x58 0x58 0x58 0x58.

Any known bug on this signature?Thanks.

Re: Non-SMTP Session Start Question

mai2mai2m — Mon, 11 Feb 2008 15:50:32 GMT

Still firing on xxxx in our case. We are running IPS-4260 with the signature S291.0 of 2007-06-18. The smtp payload of the triggering packet starts with xxxx.

Thanks,

Re: Non-SMTP Session Start Question

scothrel — Mon, 11 Feb 2008 18:30:02 GMT

Are they lower case 'x' or uppercase 'X' ? The signature only accepts uppercase as a valid start.

Re: Non-SMTP Session Start Question

hannatest — Mon, 11 Feb 2008 18:38:21 GMT

In my case,they are the uppercase 'X's.The start bytes are:0x58 0x58 0x58 0x58.

Re: Non-SMTP Session Start Question

bnidacoc — Mon, 09 Mar 2009 21:06:32 GMT

I have this sig firing very frequently. This sig constitutes about 80-90% of all of my alerts. Often the alert is firing on data as "RSET.."

The source IPs are scattered, some have even had domain names associated with them, like mail.xxxxx.yyyy.com.

Over the course of 72 hours I have 2331 Sig 5748/0 events.

I am sure that one grouped source attack IP which consists of 27 events (including summaries) in 10 minutes is most likely a malicious activity.

However, about 95% of unique attacker IPs consist of only 1-3 attempts (alerts) with rarely a summary among them.

I was on the latest sig a few weeks ago.

We have so much email activity; it would be difficult to analyze packet captures for RSETs coming in immediately after the TCP handshake.

Is this sig really correct?