12-20-2019 09:16 AM - edited 12-20-2019 09:19 AM
I received a complaint from a user who cannot send from his corporate email account to his Earthlink mail account. After tracing all the steps where a connection could be blocked, I isolated it to the Firepower. Apparently Snort believes the server has a bad reputation.
I checked a few IPs on Talos and they are (or were) definitely blacklisted. E.g.:
https://talosintelligence.com/reputation_center/lookup?search=207.69.189.229
Interestingly enough, if I check by the corresponding machine name, it comes back as trusted.
https://talosintelligence.com/reputation_center/lookup?search=mx6.earthlink.net
This is a new one on me. Is this a Cisco or Earthlink problem and is there a way to whitelist just the relevant MX IPs?
Sample Trace
-- packet-tracer input DMZ-INT tcp 198.204.112.74 54321 207.69.189.229 25
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 198.204.115.1 using egress ifc OUTSIDE-INT
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit tcp ifc DMZ-INT object-group mta-dmz any4 eq smtp rule-id 268435642
access-list CSM_FW_ACL_ remark rule-id 268435642: ACCESS POLICY: RR-CO-AC - Default
access-list CSM_FW_ACL_ remark rule-id 268435642: L7 RULE: acl_dmz1#64
object-group network mta-dmz
description: MTAs in the DMZ
network-object 198.204.112.74 255.255.255.255
network-object 172.21.6.10 255.255.255.255
network-object 198.204.112.91 255.255.255.255
network-object 172.21.6.72 255.255.255.255
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj-198.204.112.0
nat (DMZ-INT,OUTSIDE-INT) static obj-198.204.112.0
Additional Information:
Static translate 198.204.112.74/54321 to 198.204.112.74/54321
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 619176969, packet dispatched to next module
Phase: 11
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Config:
Additional Information:
Application: 'SNORT Inspect'
Phase: 12
Type: SNORT
Subtype:
Result: DROP
Config:
Additional Information:
Snort Trace:
Packet: TCP, SYN, seq 580167530
Session: new snort session
Reputation: packet blacklisted, drop
Snort: processed decoder alerts or actions queue, drop
Snort detect_sdrop: gid 136, sid 1, drop
Snort id 5, NAP id 2, IPS id 0, Verdict BLACKLIST, Blocked by SI/Reputation
Snort Verdict: (black-list) black list this flow
Result:
input-interface: DMZ-INT
input-status: up
input-line-status: up
output-interface: OUTSIDE-INT
output-status: up
output-line-status: up
Action: drop
Drop-reason: (reputation) Blocked or blacklisted by the reputation preprocessor
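Added example (not from the original post, and not Cisco tooling): a small Python parser for packet-tracer output in the layout shown above. It splits the trace into phases, finds the first phase whose Result is not ALLOW, and reports whether the drop came from the Security Intelligence/reputation preprocessor (as here) rather than from an IPS rule, which decides whether an SI whitelist entry or an IPS policy change is the right fix. The embedded traces are constructed, abridged versions of the one posted above; the field layout (Phase/Type/Subtype/Result, then a trailing bare "Result:" summary block) is assumed to be stable across traces.

```python
import re

# Constructed sample: abridged copy of the trace posted above (same layout).
SAMPLE_TRACE = """\
-- packet-tracer input DMZ-INT tcp 198.204.112.74 54321 207.69.189.229 25
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 198.204.115.1 using egress ifc OUTSIDE-INT
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Phase: 12
Type: SNORT
Subtype:
Result: DROP
Config:
Additional Information:
Snort Trace:
Packet: TCP, SYN, seq 580167530
Session: new snort session
Reputation: packet blacklisted, drop
Snort id 5, NAP id 2, IPS id 0, Verdict BLACKLIST, Blocked by SI/Reputation
Snort Verdict: (black-list) black list this flow
Result:
input-interface: DMZ-INT
output-interface: OUTSIDE-INT
Action: drop
Drop-reason: (reputation) Blocked or blacklisted by the reputation preprocessor
"""

# Constructed sample: the same flow with every phase allowed (negative case).
ALLOW_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Phase: 2
Type: SNORT
Subtype:
Result: ALLOW
Result:
input-interface: DMZ-INT
output-interface: OUTSIDE-INT
Action: allow
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)\s*$")
FIELD_RE = re.compile(r"^(Type|Subtype|Result):\s*(.*)$")


def parse_trace(trace):
    """Split packet-tracer output into a list of phases plus the trailing summary.
    Each phase keeps its Type/Subtype/Result fields and the raw detail lines."""
    phases, summary, current, in_summary = [], {}, None, False
    for line in trace.splitlines():
        line = line.rstrip()
        if in_summary:
            # Summary block is "key: value" lines (Action, Drop-reason, interfaces)
            key, sep, value = line.partition(":")
            if sep:
                summary[key.strip()] = value.strip()
            continue
        m = PHASE_RE.match(line)
        if m:
            current = {"phase": int(m.group(1)), "type": "", "subtype": "", "result": "", "details": []}
            phases.append(current)
            continue
        if line.strip() == "Result:":
            # A bare "Result:" starts the final summary, not a phase field
            in_summary, current = True, None
            continue
        if current is None:
            continue  # command echo or header text before the first phase
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).lower()] = m.group(2).strip()
        else:
            current["details"].append(line)
    return {"phases": phases, "summary": summary}


def blocking_phase(parsed):
    """First phase whose Result is something other than ALLOW, or None."""
    for p in parsed["phases"]:
        if p["result"] and p["result"] != "ALLOW":
            return p
    return None


def triage(trace):
    """Summarise where a flow was dropped and whether Security Intelligence did it."""
    parsed = parse_trace(trace)
    action = parsed["summary"].get("Action", "")
    phase = blocking_phase(parsed)
    if phase is None:
        return {"action": action, "blocked_by": None, "reason": "", "si_block": False, "evidence": []}
    # Keep the Snort lines that carry the verdict and the reputation decision
    evidence = [d for d in phase["details"] if "Verdict" in d or d.startswith("Reputation:")]
    reason = parsed["summary"].get("Drop-reason", "")
    si_block = reason.startswith("(reputation)") or any("BLACKLIST" in e for e in evidence)
    return {"action": action, "blocked_by": f"phase {phase['phase']} ({phase['type']})",
            "reason": reason, "si_block": si_block, "evidence": evidence}


if __name__ == "__main__":
    for name, trace in (("sample", SAMPLE_TRACE), ("allow", ALLOW_TRACE)):
        print(name, triage(trace))
```

When si_block is true the verdict is coming from the Security Intelligence feed rather than an IPS signature, so the relevant knob is the SI whitelist (or a network object for the specific MX addresses) in the access control policy, not the intrusion policy.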
12-24-2019 12:01 PM
There are a few things to mention here:
I hope this helps!
Thank you for rating helpful posts!
12-26-2019 02:09 PM
I checked Umbrella and it verified the MX IPs have been associated with malware recently so it looks like the blacklisting was justified. However, it seems to be lifted -- at least for the time being -- so the user can send emails normally.
The bit about Roswell High School is a little weird. I wonder if it is just a joke.
Anyway, thanks for the help.
12-26-2019 08:34 PM
I was simply relying on the info from ARIN which shows Roswell High School as the owner of the IP with registration dating back to 1999. I suppose the info could be wrong but I have no better methods/tools that are free to check this :)
https://rdap.arin.net/registry/ip/207.69.189.224
Thank you for rating helpful posts!