Security Incidents mailing list archives
Re: Snort SMTP expn-root
From: billp () ROCKETCASH COM (Bill Pennington)
Date: Thu, 6 Jul 2000 16:15:50 -0700
The expn-root detect looks for the string "expn root" in incoming SMTP traffic. In this case the messages flying around about the tin.it guys caused the alert.

"Oxenreider, Jeff" wrote:

Last night at around 7pm EST I got these two log entries from my IDS server.

Jul 5 19:06:33 IDS snort[340]: IDS31/SMTP-expn-root: 207.126.127.68:53244 -> XXX.XXX.XXX.10:25
Jul 5 19:06:33 IDS snort[340]: IDS31/SMTP-expn-root: 207.126.127.68:53244 -> XXX.XXX.XXX.10:25

Weird thing is that the originating IP address is "lists.securityfocus.com". I've been on these lists for over a month and this is the first time I've ever seen this message come up in my IDS. Anyone know why this may occur that I'm missing?

Jeffrey A. Oxenreider
Network Security Analyst
Safelite Glass Corp
-- Bill Pennington Senior IT Manager Rocketcash billp () rocketcash com http://www.rocketcash.com
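The false positive described above comes from a content-only match: a rule that searches the whole TCP payload for "expn root" fires just as readily on a mailing-list message that mentions the probe as on the probe itself. The script below is an added example, not code from the original post or from Snort: it runs a naive substring match and a command-aware match over two constructed SMTP client streams (a real EXPN probe and a list mail whose body quotes the string) and shows that only the naive check flags the list mail. The session strings and names are assumptions made for illustration.

```python
"""Naive vs command-aware detection of 'expn root' in SMTP traffic.

Both sample streams below are constructed for this example; they are not
captures of the traffic discussed on the list.
"""
import re

# Hypothetical scanner session: EXPN issued as an SMTP command.
PROBE = (
    "EHLO scanner.example\r\n"
    "EXPN root\r\n"
    "QUIT\r\n"
)

# Hypothetical list delivery: the string only appears inside the mail body.
LIST_MAIL = (
    "EHLO lists.example\r\n"
    "MAIL FROM:<incidents-return@lists.example>\r\n"
    "RCPT TO:<jeff@example.net>\r\n"
    "DATA\r\n"
    "Subject: Re: scan log and subsequent response\r\n"
    "\r\n"
    "They then sent 'expn root' and 'vrfy root' to the MTA.\r\n"
    ".\r\n"
    "QUIT\r\n"
)


def naive_match(stream: str) -> bool:
    """Case-insensitive substring search over the whole payload.

    This is what a content-only signature effectively does, and it cannot
    tell an SMTP command from a mail body that quotes one.
    """
    return "expn root" in stream.lower()


def command_match(stream: str) -> bool:
    """Flag EXPN only when issued as an SMTP command.

    Walks the client stream line by line, tracks whether the session is
    inside a DATA body (terminated by a lone '.'), and matches EXPN only at
    the start of a command line. Text inside the body is never inspected.
    """
    in_data = False
    for line in stream.split("\r\n"):
        if in_data:
            if line == ".":
                in_data = False
            continue
        verb = line.split(" ", 1)[0].upper()
        if verb == "DATA":
            in_data = True
        elif verb == "EXPN" and re.fullmatch(r"EXPN\s+root\s*", line, re.I):
            return True
    return False


def classify(stream: str) -> dict:
    """Run both detectors on one stream so the difference is visible."""
    return {"naive": naive_match(stream), "command": command_match(stream)}


if __name__ == "__main__":
    for name, stream in (("probe", PROBE), ("list mail", LIST_MAIL)):
        print(f"{name}: {classify(stream)}")
```

The same idea applies to a real signature: anchoring the pattern to the start of a line (in Snort, a `pcre` option with the `m` modifier) and restricting it to client-to-server traffic cuts out body text, though a stateful DATA check like the one above still needs the detection engine's protocol tracking rather than a bare content match.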
Current thread:
- Fwd: [Fw: Ive been broken into ], (continued)
- Fwd: [Fw: Ive been broken into ] JEFF WATSON (Jul 05)
- version.bind from zen.isi.edu Patrick Oonk (Jul 05)
- Re: scan log and subsequent response from the host's ISP Patrick Oonk (Jul 05)
- Re: scan log and subsequent response from the host's ISP Dan Hollis (Jul 05)
- Re: scan log and subsequent response from the host's ISP Dan Hollis (Jul 05)
- Re: scan log and subsequent response from the host's ISP Talisker (Jul 10)
- Re: scan log and subsequent response from the host's ISP Pauel Loshkin (Jul 05)
- how to close security holes from nessus vulnerability scan report ? Chew Poh Chang (CAPL) (Jul 06)
- Snort SMTP expn-root Oxenreider, Jeff (Jul 06)
- Re: Snort SMTP expn-root Joe McAlerney (Jul 06)
- Re: Snort SMTP expn-root Bill Pennington (Jul 06)
- Re: Snort SMTP expn-root dyer (Jul 06)
- Simultaneous Attacks Harlan S. Barney, Jr. (Jul 06)
- Re: Simultaneous Attacks Valdis Kletnieks (Jul 07)
- Re: Simultaneous Attacks Ryan Russell (Jul 07)
- Ehm... what? (Re: Simultaneous Attacks) Martin Macok (Jul 11)
- Re: Simultaneous Attacks Richard Bejtlich (Jul 11)
- Re: scan log and subsequent response from the host's ISP Ejovi Nuwere (Jul 06)
- Re: scan log and subsequent response from the host's ISP Brooke, O'Neil (Jul 06)
- Re: scan log and subsequent response from the host's ISP Jason Storm (Jul 07)
- 6200/tcp Werner Iknaroff-Zhikovsky (Jul 09)