Netgate Discussion Forum

Sudden Flurry of 1:2260002 Broke Mail Server

    SeaMonkey
    last edited by Oct 15, 2019, 2:14 PM

    Around 2019-09-30, my mail server suddenly stopped being able to send/receive mails to/from external domains. I could see in the mail log that TLS connections were being attempted, but would time out before any data was transmitted. I eventually figured out that, all of a sudden, Suricata was flagging all port 25 traffic from my mail server with '1:2260002 SURICATA Applayer Detect protocol only one direction' and subsequently adding whatever external domain it was attempting to connect to to the block list. Disabling this rule allowed the mail server to continue to operate normally, but I'm wondering why this started happening all of a sudden and if it's cause for concern.

      kiokoman LAYER 8
      last edited by kiokoman Oct 15, 2019, 2:52 PM

      @SeaMonkey said in Sudden Flurry of 1:2260002 Broke Mail Server:

      Applayer Detect protocol only one direction

      It means that it is able to detect the protocol for only one direction of a flow

      https://suricata.readthedocs.io/en/suricata-4.0.5/rules/app-layer.html

      4.17.2.1.3. applayer_detect_protocol_only_one_direction

      Protocol detection only succeeded in one direction. For FTP and SMTP this is expected


        occamsrazor
        last edited by Oct 15, 2019, 3:24 PM

        I also had a bunch of these the last few days. One of the blocks cut my Whatsapp access. I guess relatively safe to suppress these??

          bmeeks @occamsrazor
          last edited by Oct 15, 2019, 4:21 PM

          @occamsrazor said in Sudden Flurry of 1:2260002 Broke Mail Server:

          I also had a bunch of these the last few days. One of the blocks cut my Whatsapp access. I guess relatively safe to suppress these??

          Yes, I would suppress or perhaps temporarily disable the problematic rule. If it suddenly started and otherwise worked fine in the past, I would suspect a recent rules update from the rule vendor (either Snort VRT or Emerging Threats guys). You could check their web sites for any info on the particular SID or to see if others are reporting problems with a recent update.

          Would not be the first time a rule was updated by the vendor and wound up false triggering.

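A small triage helper, added here as an example and not code from the thread or from the Suricata/pfSense packages: it reads eve.json alert records, counts 1:2260002 hits per source host and destination port, and emits a `track by_src` suppress entry (Suricata threshold.config syntax, the same format the pfSense Suricata package's Suppress lists take) only for hosts whose hits are on the SMTP/FTP ports the quoted docs call expected, leaving anything else for a look before it is silenced. The addresses, the sample records and the inclusion of submission ports 465/587 are assumptions.

```python
import json
from collections import Counter

SID = 2260002
# Ports where the Suricata docs quoted above say one-direction detection is
# expected for SMTP and FTP; 465/587 are added as an assumption.
EXPECTED_PORTS = {21, 25, 465, 587}

# Constructed eve.json records, not taken from the thread. 192.0.2.10 plays
# the mail server, 192.0.2.20 an ordinary client hitting a non-SMTP port.
EVE_LINES = [
    '{"event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.25","dest_port":25,"proto":"TCP","alert":{"gid":1,"signature_id":2260002,"signature":"SURICATA Applayer Detect protocol only one direction"}}',
    '{"event_type":"alert","src_ip":"192.0.2.10","dest_ip":"203.0.113.7","dest_port":25,"proto":"TCP","alert":{"gid":1,"signature_id":2260002,"signature":"SURICATA Applayer Detect protocol only one direction"}}',
    '{"event_type":"alert","src_ip":"192.0.2.20","dest_ip":"203.0.113.99","dest_port":5222,"proto":"TCP","alert":{"gid":1,"signature_id":2260002,"signature":"SURICATA Applayer Detect protocol only one direction"}}',
    '{"event_type":"flow","src_ip":"192.0.2.10","dest_ip":"198.51.100.25","dest_port":25,"proto":"TCP"}',
    '{"event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.25","dest_port":25,"proto":"TCP","alert":{"gid":1,"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root"}}',
]


def count_hits(lines, sid=SID):
    """Count alerts for one SID, keyed by (src_ip, dest_port)."""
    hits = Counter()
    for line in lines:
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue          # flow, dns, tls, ... records carry no alert
        if rec["alert"]["signature_id"] != sid:
            continue
        hits[(rec["src_ip"], rec["dest_port"])] += 1
    return hits


def plan_suppressions(lines, sid=SID):
    """Return (suppress_entries, to_review).

    suppress_entries: threshold.config lines scoped to the source host,
    for hits on ports where one-direction detection is documented as
    expected. A bare 'suppress gen_id 1, sig_id 2260002' would silence the
    SID for every host; scoping it by_src keeps the signal elsewhere.
    to_review: (src_ip, dest_port, count) tuples outside that pattern.
    """
    entries, review = set(), []
    for (src, port), n in sorted(count_hits(lines, sid).items()):
        if port in EXPECTED_PORTS:
            entries.add(f"suppress gen_id 1, sig_id {sid}, track by_src, ip {src}")
        else:
            review.append((src, port, n))
    return sorted(entries), review
```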