Snort mailing list archives

Previous By Date Next
Previous By Thread Next

VIRUS OUTBOUND .pif file attachment

From: "Stevo" <checkpoint () ozbergs com>
Date: Thu, 4 Sep 2003 11:12:35 -0700
Hey Guys,

Got a questions about the [snort] VIRUS OUTBOUND .pif file attachment rule.
I'm seeing a billion of these in my logs and don't really understand the
rule.  My mail server is 63.145.201.15 and from the rule it appears that my
mail server is connecting to other mail servers on port 25 and Snort is
picking up that I'm sending a .pif file attachment.

[snort] VIRUS OUTBOUND .pif file attachment        2003-09-03 10:00:06
63.145.201.15:29180        216.144.69.88:25        TCP

However...

When I look at the details for the event it appears that the email is from
an outside domain and being sent into our email domain... see below... from
extra () eDiets com to corporate () imandi com.  Imandi.com is our email domain,
so this message is actually being sent inbound!  Am I understanding this
correctly??

Thanks

--Steve




-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: