Unauthorized Mail Servers Monitor (10027 / 20027)

Description

This Module detects internal hosts running unauthorized mail servers. It monitors ingress traffic over TCP protocol and destination ports 25 or 465 sent to hosts which are not designated mail servers. The Module reports all detected unauthorized email servers.

Parameters

Parameter Name
Description
Comments
Data Collection Interval, sec
Module logic execution interval
min = 10 sec, max = 3600 sec, default = 600 sec
Known local mail servers (ipv4_dst_addr) list
List of IP addresses of known mail servers to be excluded from reporting

Input

NetFlow v5, v9, IPFIX, Cisco ASA NSEL, Palo Alto Networks NetFlow v9, sFlow.

Required NetFlow Fields

Information Element (IE)
IE id
IE size, B
Description
destinationIPv4Address
12
4
The IPv4 destination address in the IP packet header
protocolIdentifier
4
1
The value of the protocol number in the IP packet header. The protocol number identifies the IP packet payload type. Protocol numbers are defined in the IANA Protocol Numbers registry.
destinationTransportPort
11
2
The destination port identifier in the transport header. For the transport protocols UDP, TCP, and SCTP, this is the destination port number given in the respective header.
octetDeltaCount
1
4 or 8
The number of octets since the previous report (if any) in incoming packets for this Flow at the Observation Point. The number of octets includes IP header(s) and IP payload.

Syslog/JSON Message Fields

Key
Field Description
Comments
nfc_id
Message type identifier
"nfc_id=20027"
exp_ip
NetFlow exporter IPv4 address
<IPv4_address>
dest_ip
Destination host IPv4 address
<IPv4_address>
bytes_out
Bytes total (Traffic)
<number>
num_conn
Number of flows initiated by the source host
<number>
min_bytes
Minimal bytes number in a flow
<number>
max_bytes
Maximum bytes number in a flow
<number>
t_int
Observation time interval, msec
<number>
Last modified 1yr ago