Sudden Flurry of 1:2260002 Broke Mail Server



  • Around 2019-09-30, my mail server suddenly stopped being able to send/receive mails to/from external domains. I could see in the mail log that TLS connections were being attempted, but would time out before any data was transmitted. I eventually figured out that, all of a sudden, Suricata was flagging all port 25 traffic from my mail server with '1:2260002 SURICATA Applayer Detect protocol only one direction' and subsequently adding whatever external domain it was attempting to connect to to the block list. Disabling this rule allowed the mail server to continue to operate normally, but I'm wondering why this started happening all of a sudden and if it's cause for concern.



    @SeaMonkey said in Sudden Flurry of 1:2260002 Broke Mail Server:

    Applayer Detect protocol only one direction

    It means that it is able to detect the protocol for only one direction
    of a flow

    https://suricata.readthedocs.io/en/suricata-4.0.5/rules/app-layer.html

    4.17.2.1.3. applayer_detect_protocol_only_one_direction

    Protocol detection only succeeded in one direction. For FTP and SMTP this is expected



  • I also had a bunch of these the last few days. One of the blocks cut my Whatsapp access. I guess relatively safe to suppress these??



  • @occamsrazor said in Sudden Flurry of 1:2260002 Broke Mail Server:

    I also had a bunch of these the last few days. One of the blocks cut my Whatsapp access. I guess relatively safe to suppress these??

    Yes, I would suppress or perhaps temporarily disable the problematic rule. If it suddenly started and otherwise worked fine in the past, I would suspect a recent rules update from the rule vendor (either Snort VRT or Emerging Threats guys). You could check their web sites for any info on the particular SID or to see if others are reporting problems with a recent update.

    Would not be the first time a rule was updated by the vendor and wound up false triggering.
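Before suppressing, it is worth checking which hosts and destination ports are actually tripping the sid, because the Suricata docs quoted above say one-direction protocol detection is expected for FTP and SMTP but not in general. The script below is an added example, not code from this thread or from the Suricata or pfSense projects: it reads eve.json alert records (a constructed sample is embedded, the mail server address 192.0.2.10 and the other addresses are made up), groups 1:2260002 hits per source, and emits a `threshold.config` suppress entry only for sources whose hits are all on the FTP/SMTP ports. That keeps the rule live for everything else instead of disabling it outright.

```python
import json
from collections import Counter, defaultdict

SID = 2260002                       # SURICATA Applayer Detect protocol only one direction
EXPECTED_ONE_WAY_PORTS = {21, 25}   # FTP and SMTP: one-direction detection is expected (Suricata docs)


def _alert(src, dst, port, app_proto, sid=SID):
    """Build one constructed eve.json 'alert' record (sample data, not a real capture)."""
    return json.dumps({
        "event_type": "alert", "src_ip": src, "dest_ip": dst, "dest_port": port,
        "proto": "TCP", "app_proto": app_proto,
        "alert": {"gid": 1, "signature_id": sid, "rev": 1,
                  "signature": "SURICATA Applayer Detect protocol only one direction"},
    })


# Constructed sample: 192.0.2.10 plays the mail server, 203.0.113.7 an unrelated client.
SAMPLE_EVE_LINES = [
    _alert("192.0.2.10", "198.51.100.25", 25, "smtp"),
    _alert("192.0.2.10", "198.51.100.26", 25, "smtp"),
    _alert("192.0.2.10", "198.51.100.27", 25, "failed"),
    _alert("203.0.113.7", "198.51.100.80", 443, "failed"),
    _alert("192.0.2.10", "198.51.100.25", 25, "smtp", sid=2210021),   # different sid, ignored
    json.dumps({"event_type": "flow", "src_ip": "192.0.2.10",
                "dest_ip": "198.51.100.25", "dest_port": 25}),           # not an alert, ignored
    "not json at all",                                                   # garbage line, skipped
]


def parse_alerts(lines, sid=SID):
    """Return (src_ip, dest_ip, dest_port, app_proto) for every gid 1 alert with the given sid."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") != "alert":
            continue
        alert = ev.get("alert", {})
        if alert.get("gid", 1) != 1 or alert.get("signature_id") != sid:
            continue
        hits.append((ev["src_ip"], ev["dest_ip"], int(ev["dest_port"]),
                     ev.get("app_proto", "unknown")))
    return hits


def ports_by_source(hits):
    """Map each source IP to a Counter of the destination ports it triggered the sid on."""
    per_src = defaultdict(Counter)
    for src, _dst, port, _proto in hits:
        per_src[src][port] += 1
    return per_src


def suppress_candidates(hits):
    """Sources whose hits are all on FTP/SMTP ports: the expected case, safe to suppress by_src."""
    return sorted(src for src, ports in ports_by_source(hits).items()
                  if set(ports) <= EXPECTED_ONE_WAY_PORTS)


def threshold_lines(sources, sid=SID):
    """Emit threshold.config suppress entries, one per source, rather than disabling the sid globally."""
    return ["suppress gen_id 1, sig_id %d, track by_src, ip %s" % (sid, src) for src in sources]


if __name__ == "__main__":
    hits = parse_alerts(SAMPLE_EVE_LINES)
    for src, ports in ports_by_source(hits).items():
        print(src, dict(ports))
    print("\n".join(threshold_lines(suppress_candidates(hits))))
```

Run it against your real `eve.json` by replacing `SAMPLE_EVE_LINES` with the file's lines. For the sample, only the mail server qualifies, and the resulting `suppress gen_id 1, sig_id 2260002, track by_src, ip 192.0.2.10` line goes into `threshold.config` (on the pfSense Suricata package, the interface's Suppress list takes the same syntax). A host like 203.0.113.7 that trips the sid on port 443 is left alone so you can still look at why that flow was only detected in one direction.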

