[Snort-sigs] Bleeding addition

Matthew Jonkman matt at ...2436...
Mon Jun 28 14:41:01 EDT 2004

Absolutely. If the security team isn't aware of something, it needs to be 
ferreted out. This rule will help you there as well. Good point, Adrian.


Adrian Marsden wrote:

> I'd be inclined to say that if you have undocumented SMTP servers within your network then you have a bigger problem. By documented I mean that they would be delineated in the SMTP_SERVERS variable for the rule we are discussing. If it isn't in that variable then it probably shouldn't be on the production network. Even then the domains pointed to in the usual user's address book shouldn't be able to be found without the appropriate MX records for the undocumented internal mail server. If it is and the server is rogue/undocumented then you are in big trouble.
