Interpretation of IPS Log viewer

Hi,
I just enabled the IPS and have been checking the IPS log viewer.

One repeated log entry I am getting is:

Date: 05/21 09:43:00 Name: SURICATA Applayer Detect protocol only one direction
Priority: 3 Type: Generic Protocol Command Decode
IP info: [IP address of my computer]:54584 → [IP address of my email server]:587
References: none found SID: 2260002

I am wondering if the IPS is blocking my access to my email server. I don't know how to interpret this log entry since, as far as I can see, there is no mention of any blocking.

I guess my questions are:

  1. Does this log entry mean the IPS is blocking my access to my email server?

  2. Am I wrong in thinking that an IPS blocks anything? Maybe it just reports?

  3. Please let me know anything else that is relevant. I don't know what I don't know, and so I don't know what else to ask about.

Thanks ahead of time…

It depends on if you have ticked the box marked “Monitor traffic only” on the IPS WUI page.

If this box is checked then the IPS will let all the traffic through but give you a log with what it found. You can then review this to make sure that you don’t have things being triggered that are incorrect for your particular setup.

If the box is not checked then all logs you see will be for things that IPS detected and dropped/blocked.

You can’t tell from the log entry on its own if things are being dropped, that is dependent on the checkbox mentioned above.

EDIT:-

Searching on the error message I found this in the Suricata docs.

applayer_detect_protocol_only_one_direction

Protocol detection only succeeded in one direction. For FTP and SMTP this is expected.

So if you want to get rid of those messages for your SMTP communication with your mail server, then you need to figure out which rule(s) in the rulesets you have enabled are giving this message and disable the specific rule(s).

@bonnietwin,
Thank you for replying to my Topic.

It depends on if you have ticked the box marked “Monitor traffic only” on the IPS WUI page.

I have “Monitor traffic only” unchecked which means to me that the IPS would take action on this rule.
BUT what is interesting is that I can still access my email, so I don't think the IPS is blocking this connection; I guess it is just reporting.

Searching on the error message I found this in the Suricata docs.

applayer_detect_protocol_only_one_direction

Protocol detection only succeeded in one direction. For FTP and SMTP this is expected.

Thank you for looking this up and confirming one direction is normal.

So if you want to get rid of those messages for your SMTP communication with your mail server, then you need to figure out which rule(s) in the rulesets you have enabled are giving this message and disable the specific rule(s).

I think this is a good suggestion, but being new to all this, I am not sure how to do that. But I see I can whitelist IP addresses in IPFire. I am going to try whitelisting my email server IP address and see if this gets rid of the message. If not, I will dig into things further and report back…
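The step the reply above describes (working out which rule is firing, and whether its hits are the expected SMTP/FTP "one direction" case) can be done from exported log viewer text. The script below is an added example, not part of this thread or of IPFire; it parses entries in the format shown above, counts hits per SID, and separates destinations on SMTP/FTP ports (where the Suricata docs say one-direction detection is expected) from others worth a closer look. The sample entries and addresses are constructed.

```python
# Added example: parse IPS log viewer entries, count hits per SID, flag SMTP/FTP peers.
import re
from collections import Counter

# Constructed sample in the log viewer's format; addresses are documentation ranges.
SAMPLE_LOG = """\
Date: 05/21 09:43:00 Name: SURICATA Applayer Detect protocol only one direction
Priority: 3 Type: Generic Protocol Command Decode
IP info: 192.0.2.10:54584 → 198.51.100.25:587
References: none found SID: 2260002
Date: 05/21 09:44:10 Name: SURICATA Applayer Detect protocol only one direction
Priority: 3 Type: Generic Protocol Command Decode
IP info: 192.0.2.10:54590 → 198.51.100.25:587
References: none found SID: 2260002
Date: 05/21 09:45:02 Name: SURICATA Applayer Detect protocol only one direction
Priority: 3 Type: Generic Protocol Command Decode
IP info: 192.0.2.10:40012 → 203.0.113.7:443
References: none found SID: 2260002
"""

# Ports where the Suricata docs say one-direction detection is expected (SMTP, FTP control).
EXPECTED_ONE_WAY_PORTS = {25, 465, 587, 21}

# One entry = four lines; the arrow may be "→" (as in the viewer) or "->" (plain text export).
ENTRY_RE = re.compile(
    r"Date: (?P<date>\S+ \S+) Name: (?P<name>.+?)\n"
    r"Priority: (?P<prio>\d+) Type: (?P<type>.+?)\n"
    r"IP info: (?P<src>[\d.]+):(?P<sport>\d+) (?:->|→) (?P<dst>[\d.]+):(?P<dport>\d+)\n"
    r"References: (?P<refs>.+?) SID: (?P<sid>\d+)"
)

def parse_entries(text):
    """Return one dict per log entry, with priority, ports and SID as ints."""
    out = []
    for m in ENTRY_RE.finditer(text):
        d = m.groupdict()
        for k in ("prio", "sport", "dport", "sid"):
            d[k] = int(d[k])
        out.append(d)
    return out

def hits_per_sid(entries):
    """Count entries per SID: the noisiest SID is the rule to look at in the ruleset."""
    return Counter(e["sid"] for e in entries)

def classify(entries):
    """Split into hits on SMTP/FTP ports (expected one-way) and the rest (review)."""
    expected = [e for e in entries if e["dport"] in EXPECTED_ONE_WAY_PORTS]
    review = [e for e in entries if e["dport"] not in EXPECTED_ONE_WAY_PORTS]
    return expected, review
```

Run `classify(parse_entries(text))` on your own exported entries; a SID that fires only toward the mail server on port 587 matches the documented SMTP case, while hits toward other ports deserve a look before disabling the rule.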