FGT60D running v5.2.11.
I'm looking to use application control to restrict outbound SMTP (internal -> wan) to IceWarp (a.k.a. Merak) mail server only, however I'm struggling to understand how to accurately identify IceWarp within a custom signature.
Can anyone advise me whether:
1. This is actually possible
2. The best way to accurately and consistently identify IceWarp (as opposed to a PowerShell script sending SMTP traffic, for example).
Hello CodeMonkey,
Can you do a packet capture of a session? If it is SMTP, we should be able to see the domain name. If it is SMTPS, you would have to enable deep-inspection to decrypt the session. If you can get me a packet capture, I can write you a custom signature. Please close the session first before you start the packet capture. I would need the full session to analyze it. Thanks!
hmtay wrote:
> Hello CodeMonkey,
> Can you do a packet capture of a session? If it is SMTP, we should be able to see the domain name. If it is SMTPS, you would have to enable deep-inspection to decrypt the session. If you can get me a packet capture, I can write you a custom signature. Please close the session first before you start the packet capture. I would need the full session to analyze it. Thanks!

Thanks for responding and the offer - for the moment I'd prefer to understand how to do it myself, if you're able to outline that for me? I've been able to do various packet captures but don't quite understand how to use that raw data to create a signature.
Also, although we have SMTPS in the works, we're unable to use deep-inspection at present due to a bug that we're progressing with Fortinet.
Here's an example of an SMTP session without encryption (or if encryption is enabled, after it is decrypted).
The server will send a packet banner in the beginning. If information about the mail server is not removed, that can be used as a pattern to identify in a signature.
If the mail server decides to remove the packet banner (a common move to avoid providing unnecessary detail about the server to anyone), the Fortigate will go further down and identify the session after the "HELO" or "EHLO" request. In this case, you can use the email address @xxxx.com to identify the mail server that you are using, e.g. icewarp.com.
E.g. custom app control signature:
F-SBID( --name "SMTP_Dot.Net"; --protocol tcp; --app_cat 21; --weight 20; --service SMTP; --flow from_server; --pattern "dotnetzone.com"; --context header; --no_case; )
Hope this helps.
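The workflow hmtay describes (capture a complete session, find a stable string on the server or client side of the exchange, put it in a --pattern with the matching --flow) as an added Python example; this is not code from the thread or from Fortinet. It works on a constructed, already-reassembled session text rather than a pcap, every host and domain name in it is made up, the F-SBID layout and its app_cat/weight/service values are copied from hmtay's signature, and the assumption that --flow accepts from_client as well as from_server is mine. It also covers the caveat behind the original question: a MAIL FROM domain matches a script on a workstation just as well as the mail server, so the EHLO host name (or its echo in the server's 250 greeting, which is where a from_server pattern like hmtay's picks it up) is the tighter identifier, although it is still client-supplied.

```python
import re
from typing import Dict, List, Optional

# Constructed sample (not from the thread): an unencrypted outbound SMTP
# session as it looks after reassembling both directions of the TCP stream
# from a capture. In the poster's scenario the internal mail server is the
# SMTP client and the remote MX is the server. "S:" marks lines the server
# sent, "C:" lines the client sent. Every host and domain name is made up.
SAMPLE_SESSION = """\
S: 220 mx.remote-example.test ESMTP ready
C: EHLO mail.example-corp.test
S: 250-mx.remote-example.test Hello mail.example-corp.test
S: 250-SIZE 52428800
S: 250 OK
C: MAIL FROM:<alice@example-corp.test>
S: 250 2.1.0 OK
C: RCPT TO:<bob@remote-example.test>
S: 250 2.1.5 OK
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: Subject: hello
C:
C: body text that happens to mention mail.example-corp.test
C: .
S: 250 2.0.0 OK: queued
C: QUIT
S: 221 2.0.0 Bye
"""

# Constructed: the same message sent by a script on a workstation. Only the
# name announced in EHLO (and echoed back by the server) differs.
SCRIPT_SESSION = SAMPLE_SESSION.replace(
    "EHLO mail.example-corp.test", "EHLO WORKSTATION42"
).replace("Hello mail.example-corp.test", "Hello WORKSTATION42")

def split_flows(session: str) -> Dict[str, List[str]]:
    """Split the reassembled session by direction, mirroring the signature's
    --flow from_server / --flow from_client choice."""
    flows: Dict[str, List[str]] = {"from_server": [], "from_client": []}
    for line in session.splitlines():
        if line[:2] not in ("S:", "C:"):
            continue
        direction = "from_server" if line[0] == "S" else "from_client"
        flows[direction].append(line[2:].lstrip(" "))
    return flows

def protocol_lines(session: str, flow: str) -> List[str]:
    """Command/response lines for one direction, with the message body the
    client sends between DATA and the lone '.' left out, so a pattern is
    matched against the SMTP envelope only (an approximation of
    --context header; the exact FortiGate semantics are not on the page)."""
    lines = split_flows(session)[flow]
    if flow == "from_server":
        return lines
    out, in_body = [], False
    for line in lines:
        if in_body:
            in_body = line != "."
            continue
        out.append(line)
        in_body = line.upper() == "DATA"
    return out

def pattern_matches(session: str, pattern: str, flow: str, no_case: bool = True) -> bool:
    """Emulate --pattern with --flow and optional --no_case: a plain substring
    search over the envelope lines of the chosen direction."""
    hay = protocol_lines(session, flow)
    if no_case:
        return any(pattern.lower() in line.lower() for line in hay)
    return any(pattern in line for line in hay)

def extract_identifiers(session: str) -> Dict[str, Optional[str]]:
    """Pull out the strings the answer points at: the server's 220 banner,
    the client's HELO/EHLO name and the MAIL FROM domain."""
    flows = split_flows(session)
    banner = next((l for l in flows["from_server"] if l.startswith("220")), None)
    helo = next((l for l in flows["from_client"] if re.match(r"(?i)^(HELO|EHLO)\s", l)), None)
    helo_name = helo.split(None, 1)[1].strip() if helo else None
    domain = None
    for line in flows["from_client"]:
        m = re.match(r"(?i)^MAIL FROM:\s*<?[^@<>\s]+@([^>\s]+)>?", line)
        if m:
            domain = m.group(1)
            break
    return {"banner": banner, "helo_name": helo_name, "mail_from_domain": domain}

def build_signature(name: str, pattern: str, flow: str) -> str:
    """Render a signature in the F-SBID layout from the thread; app_cat, weight
    and service are kept as given there, only name, flow and pattern change.
    That --flow accepts from_client is an assumption of this example."""
    return (f'F-SBID( --name "{name}"; --protocol tcp; --app_cat 21; --weight 20; '
            f'--service SMTP; --flow {flow}; --pattern "{pattern}"; --context header; --no_case; )')

if __name__ == "__main__":
    ids = extract_identifiers(SAMPLE_SESSION)
    print("banner:", ids["banner"])
    print("EHLO name:", ids["helo_name"], "| MAIL FROM domain:", ids["mail_from_domain"])
    for pat, flow in [(ids["helo_name"], "from_client"), ("@" + ids["mail_from_domain"], "from_client")]:
        print(build_signature("SMTP_IceWarp", pat, flow))
        print("  matches mail server:", pattern_matches(SAMPLE_SESSION, pat, flow),
              "| matches script:", pattern_matches(SCRIPT_SESSION, pat, flow))
```

Running it prints two candidate signatures: the EHLO-name pattern matches the constructed mail-server session but not the workstation script, while the "@domain" pattern matches both, which is the practical difference between identifying the product and merely identifying the domain. The body line that mentions the server name is deliberately ignored, so a match is only ever based on the envelope.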
That's great, thanks hmtay - very helpful!
Copyright 2024 Fortinet, Inc. All Rights Reserved.