log ids required
Idea shared by Sabatino - 11/15/2023 at 11:23 AM
Proposed

You need to have an IDS log.
It has become really impossible to search for the reason an IP ended up in IDS.

Today an IP of one of my clients who has many mailboxes ended up in IDS.
Hours spent searching for the reason in the logs.
I can't even figure out whether it was from SMTP, IMAP or something else.

I also tried putting the IP in question on the brute force whitelist (it was blocked by DoS) and it still ended up there.

Here too I don't understand why.
Sabatino Traini
Chief Information Officer
Genial s.r.l. 
Martinsicuro - Italy

3 Replies

1
Hi,

We have this problem very frequently and we already discussed it in a previous post: https://portal.smartertools.com/community/a91089/where-are-the-ids-logs.aspx

We have a client with more than 100 accounts behind the same IP; when they have a computer with a wrong configuration it's a nightmare.


2
This has gotten worse since the IDS rules were unified. In fact, now it is difficult even to understand on which protocol the IDS block was generated.
Even when I go to look at the administrative log, I find lines like this:
10:08:57.388 DenialOfService [DenialOfService xx.xx.xx.xx] Added IP to IDS block list. Duration: 1800 seconds, Description: Default DoS rule

but looking back at the IP xx.xx.xx.xx I can't find the reason for the block.



It even sometimes appears in the administrative log:
[2023.11.17] 11:17:35.751 DenialOfService [DenialOfService xx.yy.zz.ww] Added IP to IDS block list. Duration: 1799.9843804 seconds, Description: Default DoS rule

and it is the first line with IP xx.yy.zz.ww in the log.
I expected that in the previous lines there would be lines with auth failed, for example.

Certainly the description should be detailed,

for example:

Description: Default DoS rule - SMTP protocol excess connections on port 25
Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
0
That's the point:
"but looking back at the IP xx.xx.xx.xx I can't find the reason for the block"

or getting the account used for the "DoS" attack. Because most of the time it is one user who has set up a large account with a refresh (send/receive) of 1 minute.



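While the product does not say which protocol or account tripped the rule, the two questions raised in this thread (which protocol generated the block, and which account behind the shared IP caused it) can be answered by correlating the administrative log with the protocol logs for the minutes before the block. The script below is an added example, not SmarterTools code and not posted by anyone in this thread. Its admin-log regex follows the "Added IP to IDS block list" line quoted above (date-prefixed form assumed); the protocol-log layout, the IPs and every log line are constructed assumptions, so PROTO_RE must be adapted to the real SMTP/IMAP log format before use.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Matches the admin-log line quoted in the thread. The "[yyyy.mm.dd] hh:mm:ss.fff"
# prefix is ASSUMED to be present (the date-less variant quoted earlier is not matched).
BLOCK_RE = re.compile(
    r"^\[(?P<date>\d{4}\.\d{2}\.\d{2})\]\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"DenialOfService \[DenialOfService (?P<ip>[0-9A-Fa-f.:]+)\] Added IP to IDS block list\."
    r"\s+Duration:\s+(?P<duration>[\d.]+) seconds,\s+Description:\s+(?P<desc>.*)$"
)

# ASSUMED layout for the protocol-log sample below. It is NOT SmarterMail's real
# SMTP/IMAP log format; adapt this regex to whatever your protocol logs look like.
#   [yyyy.mm.dd] hh:mm:ss.fff PROTO client-ip account EVENT...
PROTO_RE = re.compile(
    r"^\[(?P<date>\d{4}\.\d{2}\.\d{2})\]\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<proto>SMTP|IMAP|POP3)\s+(?P<ip>\S+)\s+(?P<account>\S+)\s+(?P<event>.+)$"
)

# Constructed sample data (not from the original thread). One IMAP client polling
# every few seconds from a shared NAT address is the pattern the last reply describes.
ADMIN_LOG = """\
[2023.11.17] 11:17:35.751 DenialOfService [DenialOfService 203.0.113.7] Added IP to IDS block list. Duration: 1799.9843804 seconds, Description: Default DoS rule
"""

PROTOCOL_LOG = """\
[2023.11.17] 11:14:00.100 IMAP 203.0.113.7 bob@example.com LOGIN OK
[2023.11.17] 11:16:00.010 IMAP 203.0.113.7 bob@example.com LOGIN OK
[2023.11.17] 11:16:05.010 IMAP 203.0.113.7 bob@example.com LOGIN OK
[2023.11.17] 11:16:10.010 IMAP 203.0.113.7 bob@example.com LOGIN OK
[2023.11.17] 11:16:15.010 IMAP 203.0.113.7 bob@example.com LOGIN OK
[2023.11.17] 11:16:20.010 IMAP 203.0.113.7 bob@example.com LOGIN OK
[2023.11.17] 11:16:25.010 IMAP 203.0.113.7 bob@example.com LOGIN OK
[2023.11.17] 11:16:30.010 IMAP 203.0.113.7 bob@example.com LOGIN OK
[2023.11.17] 11:16:35.010 IMAP 203.0.113.7 bob@example.com LOGIN OK
[2023.11.17] 11:16:40.010 SMTP 203.0.113.7 alice@example.com MAIL FROM OK
[2023.11.17] 11:16:45.010 IMAP 203.0.113.7 carol@example.com LOGIN FAILED
[2023.11.17] 11:16:50.010 IMAP 198.51.100.9 dave@example.net LOGIN OK
[2023.11.17] 11:17:00.010 IMAP 203.0.113.7 bob@example.com LOGIN OK
[2023.11.17] 11:17:30.010 IMAP 203.0.113.7 bob@example.com LOGIN OK
"""


def parse_ts(date: str, time: str) -> datetime:
    # %f accepts 1 to 6 fractional digits, so the log's millisecond stamps parse as-is.
    return datetime.strptime(f"{date} {time}", "%Y.%m.%d %H:%M:%S.%f")


def parse_block_events(admin_log: str) -> list:
    """Extract every IDS block event (timestamp, IP, duration, description)."""
    events = []
    for line in admin_log.splitlines():
        m = BLOCK_RE.match(line.strip())
        if m:
            events.append({"ts": parse_ts(m["date"], m["time"]), "ip": m["ip"],
                           "duration_s": float(m["duration"]), "description": m["desc"]})
    return events


def parse_protocol_log(protocol_log: str) -> list:
    """Turn protocol-log lines into rows; lines that do not match are skipped."""
    rows = []
    for line in protocol_log.splitlines():
        m = PROTO_RE.match(line.strip())
        if m:
            rows.append({"ts": parse_ts(m["date"], m["time"]), "proto": m["proto"],
                         "ip": m["ip"], "account": m["account"], "event": m["event"]})
    return rows


def summarise_block(event: dict, rows: list, window: timedelta) -> dict:
    """Attribute one block to protocols and accounts seen from that IP just before it."""
    start = event["ts"] - window
    hits = [r for r in rows if r["ip"] == event["ip"] and start <= r["ts"] <= event["ts"]]
    by_account = Counter(r["account"] for r in hits)
    return {
        "ip": event["ip"],
        "blocked_at": event["ts"].isoformat(),
        "duration_s": event["duration_s"],
        "description": event["description"],
        "connections_in_window": len(hits),
        "connections_by_protocol": dict(Counter(r["proto"] for r in hits)),
        "connections_by_account": dict(by_account),
        # Auth failures are what one expects before a brute-force block; a DoS block
        # can fire with none of them, which is exactly the confusing case in the thread.
        "auth_failures": sum(1 for r in hits if "FAIL" in r["event"].upper()),
        "top_account": by_account.most_common(1)[0][0] if by_account else None,
    }


def investigate(admin_log: str, protocol_log: str, window: timedelta = timedelta(minutes=2)) -> list:
    rows = parse_protocol_log(protocol_log)
    return [summarise_block(e, rows, window) for e in parse_block_events(admin_log)]


if __name__ == "__main__":
    for summary in investigate(ADMIN_LOG, PROTOCOL_LOG):
        print(summary)
```

In practice, feed `investigate()` the administrative log and the SMTP/IMAP/POP logs of the same day, and size `window` to the interval the DoS rule actually counts over, otherwise the attribution will be diluted or miss the burst. The hypothetical line at 11:14 and the second IP 198.51.100.9 in the sample are there to show that out-of-window and unrelated traffic is excluded.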