RE: [Snort-users] ATTACK-RESPONSES id check returned root

That would be true...if we had a smtp server, but we don't.

None of our machines handle email, we use a third party.  So why would we
ever see this normally?  The only 25 we should see normally is outbound
directly to our real server.

But yes, we do see legit emails hitting this when we POP our mail (obviously
not with web mail clients...).


Sincerely,

James Friesen, CIO

Lucretia Enterprises
"Our World Is Here..."
Info at lucretia dot ca
http://lucretia.ca


> > I see this so often I've revised this sid (498 I think) to ignore
> > anything coming via POP port 110.  If I see it on 25 I get
> worried...
> >
> Why?  If you see it on port 25, it's just incoming email.
> Look at the payload.  You'll see that it's an email passing
> through your stmp server.
>
> Paul Schmehl (pauls@utdallas.edu)
> Adjunct Information Security Officer
> University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/ir/security/




-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.
Get Certified Today * Register for a JBoss Training Course
Free Certification Exam for All Training Attendees Through End of 2005
Visit http://www.jboss.com/services/certification for more information
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users