Security Incidents mailing list archives

Re: Snort SMTP expn-root

From: billp () ROCKETCASH COM (Bill Pennington)
Date: Thu, 6 Jul 2000 16:15:50 -0700


The expn-root detect looks for the string expn root in incoming SMTP
traffic. In this case the messages flying around about the tin.it guys
caused the alert.

"Oxenreider, Jeff" wrote:


Last night at around 7pm EST I got these two log entries from my IDS server.

Jul  5 19:06:33 IDS snort[340]: IDS31/SMTP-expn-root: 207.126.127.68:53244
-> XXX.XXX.XXX.10:25
Jul  5 19:06:33 IDS snort[340]: IDS31/SMTP-expn-root: 207.126.127.68:53244
-> XXX.XXX.XXX.10:25

Weird thing is that originating IP address is "lists.securityfocus.com".
I've been on these lists for over a month and this is the first time I've
ever seen this message come up in my IDS.

Anyone know why this may occur that I'm missing?

Jeffrey A. Oxenreider
Network Security Analyst
Safelite Glass Corp


--

Bill Pennington
Senior IT Manager
Rocketcash
billp () rocketcash com
http://www.rocketcash.com

Current thread:

Fwd: [Fw: Ive been broken into ], (continued)
- Fwd: [Fw: Ive been broken into ] JEFF WATSON (Jul 05)
- version.bind from zen.isi.edu Patrick Oonk (Jul 05)
- Re: scan log and subsequent response from the host's ISP Patrick Oonk (Jul 05)
- Re: scan log and subsequent response from the host's ISP Dan Hollis (Jul 05)
- Re: scan log and subsequent response from the host's ISP Dan Hollis (Jul 05)
  - Re: scan log and subsequent response from the host's ISP Talisker (Jul 10)
- Re: scan log and subsequent response from the host's ISP Pauel Loshkin (Jul 05)
- how to close security holes from nessus vulnerability scan report ? Chew Poh Chang (CAPL) (Jul 06)
- Snort SMTP expn-root Oxenreider, Jeff (Jul 06)
  - Re: Snort SMTP expn-root Joe McAlerney (Jul 06)
  - Re: Snort SMTP expn-root Bill Pennington (Jul 06)
  - Re: Snort SMTP expn-root dyer (Jul 06)
  - Simultaneous Attacks Harlan S. Barney, Jr. (Jul 06)
    - Re: Simultaneous Attacks Valdis Kletnieks (Jul 07)
    - Re: Simultaneous Attacks Ryan Russell (Jul 07)
    - Ehm... what? (Re: Simultaneous Attacks) Martin Macok (Jul 11)
    - Re: Simultaneous Attacks Richard Bejtlich (Jul 11)
- Re: scan log and subsequent response from the host's ISP Ejovi Nuwere (Jul 06)
- Re: scan log and subsequent response from the host's ISP Brooke, O'Neil (Jul 06)
  - Re: scan log and subsequent response from the host's ISP Jason Storm (Jul 07)
  - 6200/tcp Werner Iknaroff-Zhikovsky (Jul 09)

(Thread continues...)