Snort mailing list archives
VIRUS OUTBOUND .pif file attachment
From: "Stevo" <checkpoint () ozbergs com>
Date: Thu, 4 Sep 2003 11:12:35 -0700
Hey Guys,

Got a question about the [snort] VIRUS OUTBOUND .pif file attachment rule. I'm seeing a billion of these in my logs and don't really understand the rule. My mail server is 63.145.201.15 and from the rule it appears that my mail server is connecting to other mail servers on port 25 and Snort is picking up that I'm sending a .pif file attachment.

[snort] VIRUS OUTBOUND .pif file attachment 2003-09-03 10:00:06 63.145.201.15:29180 216.144.69.88:25 TCP

However... When I look at the details for the event it appears that the email is from an outside domain and being sent into our email domain... see below... from extra () eDiets com to corporate () imandi com. Imandi.com is our email domain, so this message is actually being sent inbound! Am I understanding this correctly??

Thanks
--Steve
Current thread:
- VIRUS OUTBOUND .pif file attachment Stevo (Sep 04)
- Re: VIRUS OUTBOUND .pif file attachment Brian (Sep 04)
- Re: VIRUS OUTBOUND .pif file attachment Erek Adams (Sep 04)
- Re: VIRUS OUTBOUND .pif file attachment Stevo (Sep 05)
- Re: VIRUS OUTBOUND .pif file attachment Erek Adams (Sep 05)
- Re: VIRUS OUTBOUND .pif file attachment Stevo (Sep 08)
- Re: VIRUS OUTBOUND .pif file attachment Stevo (Sep 05)