[Snort-users] RE: [Snort-sigs] Outbound string contains c m d.exe, but from where?

Noller, Gregory Noller2G at ...4290...
Thu Jan 24 08:26:08 EST 2002


The source of the packets is my outbound NAT router in front of my outbound
proxy array.  I have no web-based email server.

-----Original Message-----
From: Cessna, Michael [mailto:MCessna at ...3439...]
Sent: Thursday, January 24, 2002 10:16 AM
To: 'Noller, Gregory'; 'snort-users at lists.sourceforge.net'
Subject: RE: [Snort-sigs] Outbound string contains c m d.exe, but from where?



Gregory, 
Since the source of your packets is the same (209.128.247:%PORT%)... What is
that IP? Is it one of your IPs? Also, I have seen this rule triggered quite
a lot with Exchange Web Mail. Do you have Web Mail Servers on your Net? My
snort gets really pissed off whenever I read my snort mail over the web!

Mike 

-----Original Message----- 
From: Noller, Gregory [mailto:Noller2G at ...4290...]
Sent: Thursday, January 24, 2002 10:17 AM 
To: snort-sigs at lists.sourceforge.net; 
'snort-users at lists.sourceforge.net' 
Subject: [Snort-sigs] Outbound string contains c m d.exe, but from 
where? 

 
