Unauthorized Mail Servers Monitor (10027 / 20027)

Description

This Module detects internal hosts running unauthorized mail servers. It monitors ingress traffic over TCP protocol and destination ports 25 or 465 sent to hosts which are not designated mail servers. The Module reports all detected unauthorized email servers.

Parameters

Parameter Name	Description	Comments
Data Collection Interval, sec	Module logic execution interval	min = 10 sec, max = 3600 sec, default = 600 sec
Known local mail servers (ipv4_dst_addr) list	List of IP addresses of known mail servers to be excluded from reporting

Input

NetFlow v5, v9, IPFIX, Cisco ASA NSEL, Palo Alto Networks NetFlow v9, sFlow.

Required NetFlow Fields

Information Element (IE)	IE id	IE size, B	Description
destinationIPv4Address	12	4	The IPv4 destination address in the IP packet header
protocolIdentifier	4	1	The value of the protocol number in the IP packet header. The protocol number identifies the IP packet payload type. Protocol numbers are defined in the IANA Protocol Numbers registry.
destinationTransportPort	11	2	The destination port identifier in the transport header. For the transport protocols UDP, TCP, and SCTP, this is the destination port number given in the respective header.
octetDeltaCount	1	4 or 8	The number of octets since the previous report (if any) in incoming packets for this Flow at the Observation Point. The number of octets includes IP header(s) and IP payload.

Syslog/JSON Message Fields

Key	Field Description	Comments
nfc_id	Message type identifier	"nfc_id=20027"
exp_ip	NetFlow exporter IPv4 address	<IPv4_address>
dest_ip	Destination host IPv4 address	<IPv4_address>
bytes_out	Bytes total (Traffic)	<number>
num_conn	Number of flows initiated by the source host	<number>
min_bytes	Minimal bytes number in a flow	<number>
max_bytes	Maximum bytes number in a flow	<number>
t_int	Observation time interval, msec	<number>