[Snort-users] RE: [Snort-sigs] Outbound string contains c m d.exe, but from whe re?
MCessna at ...3439...
Thu Jan 24 08:20:08 EST 2002
Since the source of your packets is the same (209.128.247:%PORT%)...What is
that ip? Is it one of your ip's? Also I have seen this rule triggered quite
a lot with Exchange Web Mail. Do you have Web Mail Servers on your Net? My
snort gets really pissed off whenever I read my snort mail over the web!
From: Noller, Gregory [mailto:Noller2G at ...4290...]
Sent: Thursday, January 24, 2002 10:17 AM
To: snort-sigs at lists.sourceforge.net;
'snort-users at lists.sourceforge.net'
Subject: [Snort-sigs] Outbound string contains c m d.exe, but from
Oh great wizards of snort....are any of you seeing outbound c m d . e x e
where it ought not to be?
I am seeing the following string in some infrequent packets exiting my nat
router that sits in front of my outbound proxy array:
More information about the Snort-users