FTD 7.0.5 | Legitimate emails being blocked after Snort 3 migration


Greetings everyone,

We have recently upgraded our FMC and 2 managed FTDs from version to version 7.0.5, and then migrated the IPS engine from Snort 2 to Snort 3. (upgrade and Snort 3 migration completed successfully).

After the Snort 3 migration, we noticed that too many (or even all) legitimate emails were being blocked (even simple text emails without attachments), so we immediately checked the intrusion events and found that the reason for the blocking was something like "SMTP buffer overflow".

Therefore, we checked the intrusion policy and found that the below rules are set to "block" by default, so once we set them to "alert", everything started working properly and we were able to send and receive emails:


The question is, can we safely ignore that and consider it a false positive, and keep the rules as "alert" instead of "block" (knowing that they were set to block by default), or does it need further investigation? And how can we apply the proper hardening, since this is a critical production environment and we cannot allow any risky traffic?

If you guys need any additional information please let me know so I will further clarify the situation.

Thanks in advance.
