SMTP IPS block problem

dstjames123
Level 1

I set up ID 3110 (suspicious mail attachment) to deny attacker inline, thinking that nobody needs to send those types of attachments and it would cut down on viruses. Worked fine until today when someone internal tried to send one and the IPS blocked my internal SMTP server from going to the internet. Is there a way of setting up exceptions in the IPS so that my internal IP range is always allowed access? Or is there a better way of doing this?

Thanks for the help.


mhellman
Level 7

We've seen false positives with that signature, but YMMV... they've modified it recently, so maybe it's fixed.

Anyway, to answer your question... there are two ways to handle this.

1) Use an event filter to subtract the action from the alarm. The mail server source IP would be part of the criteria in the filter. You might want to consider creating an event variable for your entire DMZ and creating an event filter that subtracts any of the "deny" actions if DMZ=source. See Event Action Rules->Event Action Filters in the IDM.

2) Add the source IP or network to the "never block addresses". See Blocking->Blocking Properties in the IDM. I don't believe this works for actions that are "deny"... you'll need an event filter for those.
