[Snort-users] VIRUS OUTBOUND .pif file attachment
checkpoint at ...9765...
Thu Sep 4 12:23:17 EDT 2003
Got a question about the [snort] VIRUS OUTBOUND .pif file attachment rule.
I'm seeing a billion of these in my logs and don't really understand the
rule. My mail server is 220.127.116.11 and from the rule it appears that my
mail server is connecting to other mail servers on port 25 and Snort is
picking up that I'm sending a .pif file attachment.
[snort] VIRUS OUTBOUND .pif file attachment 2003-09-03 10:00:06
18.104.22.168:29180 22.214.171.124:25 TCP
When I look at the details for the event it appears that the email is from
an outside domain and being sent into our email domain... see below... from
extra at ...10027... to corporate at ...10028... Imandi.com is our email domain,
so this message is actually being sent inbound! Am I understanding this