[Snort-users] RE: [Snort-sigs] Outbound string contains c m d.exe, but from whe re?

Cessna, Michael MCessna at ...3439...
Thu Jan 24 08:20:08 EST 2002

Since the source of your packets is the same (209.128.247:%PORT%)...What is
that ip? Is it one of your ip's? Also I have seen this rule triggered quite
a lot with Exchange Web Mail. Do you have Web Mail Servers on your Net? My
snort gets really pissed off whenever I read my snort mail over the web!

-----Original Message-----
From: Noller, Gregory [mailto:Noller2G at ...4290...]
Sent: Thursday, January 24, 2002 10:17 AM
To: snort-sigs at lists.sourceforge.net;
'snort-users at lists.sourceforge.net'
Subject: [Snort-sigs] Outbound string contains c m d.exe, but from

Oh great wizards of snort....are any of you seeing outbound c m d . e x e
where it ought not to be?

I am seeing the following string in some infrequent packets exiting my nat
router that sits in front of my outbound proxy array:

More information about the Snort-users mailing list