[Snort-users] SID 1549 alerts -- what the heck is this ?

Fritsche, Jeff jeff.fritsche at ...9211...
Fri May 16 13:28:08 EDT 2003


Getting a bunch of these. Why the alarms???

NOTE: the "HELO xxx-xxx-xxx-xxx.xxxxx xxxxxxxx." had our server IP
address and company name in it, so I "x"'d them out.

Thanks


[**] SMTP HELO overflow attempt [**]
05/16-15:04:39.440732 200.77.249.165:1982 -> xxx.xxx.xxx.xx:25
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:75
***AP*** Seq: 0x7A546B80  Ack: 0xF40B73B1  Win: 0x410F  TcpLen: 20
0x0000: 00 08 A1 11 04 3D 00 40 10 12 C0 B4 08 00 45 10  .....=.@......E.
0x0010: 00 4B 00 00 00 00 F0 06 00 00 C8 4D F9 A5 C0 A8  .K.........M....
0x0020: A8 0D 07 BE 00 19 7A 54 6B 80 F4 0B 73 B1 50 18  ......zTk...s.P.
0x0030: 41 0F 00 00 00 00 48 45 4C 4F 20 xx xx xx 2D xx  A.....HELO xxx-x
0x0040: xx xx 2D xx xx xx 2D xx xx xx 2E xx xx xx xx xx  xx-xxx-xxx.xxxxx
0x0050: xx xx xx xx xx xx xx xx 0D                       xxxxxxxx.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+







