Security Incidents mailing list archives

Re: Snort SMTP expn-root


From: fernando () BN PT (Fernando Cardoso)
Date: Fri, 7 Jul 2000 09:29:23 +0100


Same happens here.

Actually there's a quite simple explanation for that. Here's the signature
for the SMTP-expn-root:

alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS31/SMTP-expn-root";
content: "expn root"; flags: AP;)

So, basically, every time a mail message arrives with the words "expn root"
in the contents, snort will log it. Since some postings to the list had these
words, snort alerted you to the fact.

I advise you to use snort with the -d option (dump application layer). This
way you can check the content of the packets logged. Here's what I got:

[**] IDS31/SMTP-expn-root [**]
07/06-22:14:57.743613 207.126.127.68:41233 -> x.x.x.x:25
TCP TTL:241 TOS:0x0 ID:49964  DF
*****PA* Seq: 0x2D68A42F   Ack: 0x45F0628A   Win: 0xFAF0
2F 20 20 20 5F 2F 5F 2F 20 20 20 20 20 20 20 20  /   _/_/
20 20 68 74 74 70 3A 2F 2F 77 77 77 2E 74 69 6E    http://www.tin
2E 69 74 0D 0A 3E 20 20 20 20 20 20 20 20 20 20  .it..>
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 61 62                ab
75 73 65 40 74 69 6E 2E 69 74 0D 0A 3E 0D 0A 3E  use@tin.it..>..>
20 2D 2D 2D 2D 2D 20 4F 72 69 67 69 6E 61 6C 20   ----- Original
4D 65 73 73 61 67 65 20 2D 2D 2D 2D 2D 0D 0A 3E  Message -----..>
20 46 72 6F 6D 3A 20 42 72 61 64 6C 65 79 20 57   From: Bradley W
6F 6F 64 77 61 72 64 20 3C 62 72 61 64 77 40 61  oodward <bradw@a
6D 69 2E 63 6F 6D 2E 61 75 3E 0D 0A 3E 20 54 6F  mi.com.au>..> To
3A 20 3C 61 62 75 73 65 40 74 69 6E 2E 69 74 3E  : <abuse@tin.it>
0D 0A 3E 20 53 65 6E 74 3A 20 46 72 69 64 61 79  ..> Sent: Friday
2C 20 4A 75 6E 65 20 33 30 2C 20 32 30 30 30 20  , June 30, 2000
[...]
0D 0A 3E 20 20 20 3E 0D 0A 3E 20 20 20 3E 20 3E  ..>   >..>   > >
41 63 74 69 76 65 20 53 79 73 74 65 6D 20 41 74  Active System At
74 61 63 6B 20 41 6C 65 72 74 73 0D 0A 3E 20 20  tack Alerts..>
20 3E 20 3E 3D 2D 3D 2D 3D 2D 3D 2D 3D 2D 3D 2D   > >=-=-=-=-=-=-
3D 2D 3D 2D 3D 2D 3D 2D 3D 2D 3D 2D 3D 2D 3D 0D  =-=-=-=-=-=-=-=.
0A 3E 20 20 20 3E 20 3E 4A 75 6E 20 33 30 20 31  .>   > >Jun 30 1
33 3A 33 35 3A 33 34 20 6D 79 63 6F 6D 70 20 73  3:35:34 mycomp s
65 6E 64 6D 61 69 6C 5B 31 37 38 36 35 5D 3A 20  endmail[17865]:
4E 4F 51 55 45 55 45 3A 20 61 2D 70 65 38 2D 36  NOQUEUE: a-pe8-6
30 2E 74 69 6E 2E 69 74 0D 0A 3E 20 20 20 3E 20  0.tin.it..>   >
3E 5B 32 31 32 2E 32 31 36 2E 31 39 30 2E 31 38  >[212.216.190.18
37 5D 3A 20 65 78 70 6E 20 72 6F 6F 74 0D 0A 3E  7]: expn root..>

                                                     ^^^^^^^^^
Fernando

_________________________________________________________________
Fernando Cardoso                        Phone:  +351 21 7982186
Network Administrator           Fax:            +351 217982185
National Library                        E-mail: fernando () bn pt
Portugal                                PGP ID: 28551CB8



Last night at around 7pm EST I got these two log entries from
my IDS server.

Jul  5 19:06:33 IDS snort[340]: IDS31/SMTP-expn-root: 207.126.127.68:53244 -> XXX.XXX.XXX.10:25
Jul  5 19:06:33 IDS snort[340]: IDS31/SMTP-expn-root: 207.126.127.68:53244 -> XXX.XXX.XXX.10:25

Weird thing is that the originating IP address is "lists.securityfocus.com".
I've been on these lists for over a month and this is the first time I've
ever seen this message come up in my IDS.

Anyone know why this may occur that I'm missing?


Jeffrey A. Oxenreider
Network Security Analyst
Safelite Glass Corp
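The false positive discussed in this thread comes down to how a plain Snort content match behaves: the rule fires on the bytes "expn root" wherever they occur in a packet to port 25, whether as an SMTP command or inside the body of a mail that quotes a log line. The following is an added example, not code from the thread or from Snort: it re-implements the rule's content check over three constructed SMTP client sessions (hostnames and addresses are placeholders) and sets it beside an illustrative command-aware check that only alerts when EXPN root is issued as a command outside a DATA section. The command-aware check works on a reassembled client stream rather than a single packet and is a refinement for comparison, not how the IDS31 signature itself works.

```python
import re

# Content string of the IDS31/SMTP-expn-root rule quoted in the reply above.
# The rule has no "nocase" modifier, so Snort compares these bytes exactly.
RULE_CONTENT = b"expn root"


def snort_content_match(payload: bytes) -> bool:
    """Mimic what the rule does once the header checks (TCP, port 25,
    PSH+ACK) have passed: alert if the bytes occur anywhere in the payload,
    whether that is an SMTP command or the body of a mail message."""
    return RULE_CONTENT in payload


def smtp_client_lines(stream: bytes):
    """Split a client->server SMTP stream into CRLF lines, tagging each with
    whether it falls inside a DATA section (which ends at a lone '.')."""
    in_data = False
    for line in stream.split(b"\r\n"):
        yield line, in_data
        if in_data:
            if line == b".":
                in_data = False
        elif line.strip().upper() == b"DATA":
            in_data = True


# EXPN command with the argument "root", optionally bracketed as <root>.
EXPN_ROOT_CMD = re.compile(rb"^EXPN\s+<?root>?\s*$", re.IGNORECASE)


def expn_root_command_match(stream: bytes) -> bool:
    """Illustrative refinement (not Snort's own logic): alert only when
    'EXPN root' is issued as an SMTP command, i.e. on a client line that is
    outside any DATA section. Quoted log lines inside a message body no
    longer trigger it."""
    return any(not in_data and EXPN_ROOT_CMD.match(line)
               for line, in_data in smtp_client_lines(stream))


def classify(stream: bytes) -> dict:
    """Run both checks over one reassembled client stream."""
    return {
        "content_rule": snort_content_match(stream),
        "command_aware": expn_root_command_match(stream),
    }


# Constructed sample sessions (not captures from the thread); hostnames and
# addresses are placeholders.
PROBE = (b"EHLO scanner.example\r\n"
         b"expn root\r\n"
         b"QUIT\r\n")

UPPERCASE_PROBE = (b"EHLO scanner.example\r\n"
                   b"EXPN root\r\n"
                   b"QUIT\r\n")

# A list posting that quotes a sendmail log line, as in the reply above.
LIST_POST = (b"EHLO lists.example\r\n"
             b"MAIL FROM:<incidents@lists.example>\r\n"
             b"RCPT TO:<admin@example.net>\r\n"
             b"DATA\r\n"
             b"Subject: Re: Snort SMTP expn-root\r\n"
             b"\r\n"
             b"> Jun 30 13:35:34 mycomp sendmail[17865]: NOQUEUE: host\r\n"
             b"> [192.0.2.10]: expn root\r\n"
             b".\r\n"
             b"QUIT\r\n")

if __name__ == "__main__":
    for name, stream in (("probe", PROBE),
                         ("uppercase probe", UPPERCASE_PROBE),
                         ("list post", LIST_POST)):
        print(f"{name:16s} {classify(stream)}")
```

Two things the run makes visible. The list post trips the content rule but not the command-aware check, which is exactly the false positive Fernando's -d dump shows. The upper-case probe goes the other way: because the rule as quoted carries no "nocase", an "EXPN root" typed in upper case does not match it at all, so the same signature that over-alerts on mail bodies can under-alert on a real probe. Either way, dumping the application layer with -d is what lets you tell a command from quoted text.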


