Netgate Discussion Forum
    Sudden Flurry of 1:2260002 Broke Mail Server

    IDS/IPS
SeaMonkey

      Around 2019-09-30, my mail server suddenly stopped being able to send/receive mails to/from external domains. I could see in the mail log that TLS connections were being attempted, but would time out before any data was transmitted. I eventually figured out that, all of a sudden, Suricata was flagging all port 25 traffic from my mail server with '1:2260002 SURICATA Applayer Detect protocol only one direction' and subsequently adding whatever external domain it was attempting to connect to to the block list. Disabling this rule allowed the mail server to continue to operate normally, but I'm wondering why this started happening all of a sudden and if it's cause for concern.

kiokoman (last edited by kiokoman)

        @SeaMonkey said in Sudden Flurry of 1:2260002 Broke Mail Server:

        Applayer Detect protocol only one direction

It means that it is able to detect the protocol for only one direction of a flow.

        https://suricata.readthedocs.io/en/suricata-4.0.5/rules/app-layer.html

        4.17.2.1.3. applayer_detect_protocol_only_one_direction

        Protocol detection only succeeded in one direction. For FTP and SMTP this is expected

occamsrazor

          I also had a bunch of these the last few days. One of the blocks cut my Whatsapp access. I guess relatively safe to suppress these??

bmeeks @occamsrazor

            @occamsrazor said in Sudden Flurry of 1:2260002 Broke Mail Server:

            I also had a bunch of these the last few days. One of the blocks cut my Whatsapp access. I guess relatively safe to suppress these??

            Yes, I would suppress or perhaps temporarily disable the problematic rule. If it suddenly started and otherwise worked fine in the past, I would suspect a recent rules update from the rule vendor (either Snort VRT or Emerging Threats guys). You could check their web sites for any info on the particular SID or to see if others are reporting problems with a recent update.

            Would not be the first time a rule was updated by the vendor and wound up false triggering.

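Added example (not code from any poster in this thread), assuming Suricata's eve.json alert output with constructed sample records: a short Python triage that counts SID 2260002 alerts by source host and destination port, flags the ones confined to SMTP (port 25) or FTP (port 21), where the Suricata docs quoted above say one-direction detection is expected, and emits threshold.config suppress entries scoped to just those hosts instead of disabling the rule globally.

```python
import json
from collections import Counter

# Constructed eve.json records (RFC 5737 addresses); not a real capture.
SAMPLE_EVE = """
{"event_type":"alert","src_ip":"192.0.2.25","src_port":41522,"dest_ip":"198.51.100.7","dest_port":25,"proto":"TCP","alert":{"gid":1,"signature_id":2260002,"rev":1,"signature":"SURICATA Applayer Detect protocol only one direction"}}
{"event_type":"alert","src_ip":"192.0.2.25","src_port":41530,"dest_ip":"203.0.113.9","dest_port":25,"proto":"TCP","alert":{"gid":1,"signature_id":2260002,"rev":1,"signature":"SURICATA Applayer Detect protocol only one direction"}}
{"event_type":"flow","src_ip":"192.0.2.25","dest_ip":"203.0.113.9","dest_port":25,"proto":"TCP"}
{"event_type":"alert","src_ip":"192.0.2.50","src_port":51000,"dest_ip":"203.0.113.80","dest_port":443,"proto":"TCP","alert":{"gid":1,"signature_id":2260002,"rev":1,"signature":"SURICATA Applayer Detect protocol only one direction"}}
{"event_type":"alert","src_ip":"192.0.2.25","src_port":41540,"dest_ip":"198.51.100.7","dest_port":25,"proto":"TCP","alert":{"gid":1,"signature_id":2200003,"rev":1,"signature":"SURICATA IPv4 truncated packet"}}
"""

# Ports where the Suricata docs say one-direction protocol detection is expected.
EXPECTED_ONE_DIRECTION_PORTS = {21, 25}  # FTP, SMTP


def summarize_sid(eve_text, sid=2260002):
    """Count alert events for one SID, keyed by (src_ip, dest_port)."""
    counts = Counter()
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue  # flow/stats records carry no alert block
        if rec["alert"].get("signature_id") != sid:
            continue
        counts[(rec["src_ip"], rec["dest_port"])] += 1
    return counts


def suppress_candidates(counts):
    """Return (src_ip, dest_port, n) where the SID is expected SMTP/FTP noise.

    Hits on other ports (e.g. 443) are left out so they still get looked at.
    """
    return [(ip, port, n) for (ip, port), n in counts.items()
            if port in EXPECTED_ONE_DIRECTION_PORTS]


def threshold_lines(candidates, sid=2260002):
    """Emit threshold.config suppress entries scoped to the noisy hosts only."""
    ips = sorted({ip for ip, _, _ in candidates})
    return [f"suppress gen_id 1, sig_id {sid}, track by_src, ip {ip}" for ip in ips]
```

The hit from 192.0.2.50 on port 443 is intentionally not suppressed, since one-direction detection on HTTPS is not covered by the "expected" note in the docs.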
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.