Firepower now blocks legitimate SMTP Traffic

NGJ (Level 1)

Hi, two issues have arisen in the past week where the Firepower has been blocking legitimate SMTP traffic.

ISSUE 1
I upgraded from Snort 2 to Snort 3. Most of our company emails were then blocked (incoming & outgoing). The intrusion logs showed this traffic was blocked due to:

SMTP_RESPONSE_OVERFLOW (124:3:2) and SMTP_COMMAND_OVERFLOW (124:1:2).

To work around this I set these rules to Alert, not Block.

Isn't this now a security concern? Traffic that would have been correctly blocked by the IPS is now allowed as well. Is there any other way around this? What could cause these false positives in Snort 3?

ISSUE 2
A few days later I noticed some emails coming in were blocked again. Not by the IPS, but by App ID.

Our SMTP rule is application based and allowed traffic in via the applications SMTP & SMTPS. Traffic logs showed the Application Protocol as 'SMTP' and the Client as 'SMTP Client'.
However, now a lot of legitimate traffic is blocked and the traffic logs show the Application Protocol as 'Unknown'.

To temporarily fix this I have had to change the rule to allow port 25, as opposed to using App ID.

The only thing that has changed was Cisco VDB 405 being applied to the device over the weekend. I can't see anything in those release notes about SMTP changes. Any reason why this would suddenly occur? I don't want to leave the rule filtering on port 25, but rather use App ID, again for security reasons.

Any advice would be appreciated.

Thanks

0 Replies