FTD 7.0.5 | Legitimate emails being blocked after Snort 3 migration

mbarada
Level 1

Greetings everyone,

We have recently upgraded our FMC and 2 managed FTDs from version 6.4.0.10 to version 7.0.5, and then migrated the IPS engine from Snort 2 to Snort 3 (the upgrade and Snort 3 migration completed successfully).

After the Snort 3 migration, we noticed that too many (or even all) legitimate emails are being blocked (even simple text emails without attachments), so we immediately checked the intrusion events and found that the reason for blocking is something like "SMTP buffer overflow".

Therefore, we checked the intrusion policy and found that the rules below are set to "block" by default, so once we set them to "alert", everything started working properly and we were able to send and receive emails:

(screenshot: mbarada_1-1685973059498.png)

The question is, can we safely ignore that and consider it a false positive, and keep the rules as "alert" instead of "block" (knowing that they were set to block by default), or does it need further investigation? And how can we apply proper hardening, since this is a critical production environment and we cannot allow any risky traffic?

If you guys need any additional information, please let me know and I will clarify the situation further.

Thanks in advance.
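An added triage helper, not from the original post or from Cisco, that checks a raw message offline for header lines longer than an inspector-style limit and separates fields that are commonly long in legitimate mail (DKIM, ARC, Authentication-Results) from ones that deserve a closer look before downgrading a block rule to alert. The limit value, the allow-list and the sample message are assumptions/constructed; read the real threshold from your own network analysis policy.

```python
"""Offline triage of an SMTP message against a header-line length limit.

All sample data is constructed. The threshold is an assumption modelled on
the Snort 3 smtp inspector's max_header_line_len option; check the value
actually configured in your network analysis policy.
"""

MAX_HEADER_LINE_LEN = 1000  # assumed inspector limit, bytes per physical line

# Fields that often carry long (sometimes unfolded) values in legitimate mail.
# Assumed allow-list; tune it to what your own mail flow shows.
USUALLY_LONG = {"dkim-signature", "arc-seal", "arc-message-signature",
                "authentication-results", "received-spf"}


def long_header_lines(raw_message: bytes, limit: int = MAX_HEADER_LINE_LEN):
    """Return [(field_name, line_length)] for header lines longer than limit.

    Only the header block (up to the first empty line) is inspected; folded
    continuation lines are attributed to the field they continue.
    """
    header_block = raw_message.split(b"\r\n\r\n", 1)[0]
    current, hits = None, []
    for line in header_block.split(b"\r\n"):
        if line[:1] not in (b" ", b"\t"):  # start of a new header field
            current = line.split(b":", 1)[0].decode("ascii", "replace").lower()
        if len(line) > limit:
            hits.append((current, len(line)))
    return hits


def triage(raw_message: bytes, limit: int = MAX_HEADER_LINE_LEN):
    """Split over-limit lines into allow-listed ("expected") and "unexplained"."""
    hits = long_header_lines(raw_message, limit)
    return {"expected": [h for h in hits if h[0] in USUALLY_LONG],
            "unexplained": [h for h in hits if h[0] not in USUALLY_LONG]}


# Constructed sample: a properly folded DKIM-Signature, an unfolded (but
# plausible) Authentication-Results field, and an oversized custom header.
SAMPLE = (
    b"Received: from mx.example.test (unknown [192.0.2.10])\r\n"
    b"DKIM-Signature: v=1; a=rsa-sha256; d=example.test; s=sel;\r\n"
    b"\tb=" + b"A" * 70 + b"\r\n"
    b"\t" + b"A" * 70 + b"\r\n"
    b"Authentication-Results: mx.example.test; " + b"spf=pass " * 150 + b"\r\n"
    b"X-Custom: " + b"Z" * 1200 + b"\r\n"
    b"Subject: hello\r\n"
    b"\r\n"
    b"body\r\n"
)

if __name__ == "__main__":
    for kind, rows in triage(SAMPLE).items():
        print(kind, rows)
```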
