[Snort-users] VIRUS OUTBOUND .pif file attachment
erek at ...950...
Thu Sep 4 22:10:06 EDT 2003
On Thu, 4 Sep 2003, Stevo wrote:
> Got a question about the [snort] VIRUS OUTBOUND .pif file attachment rule.
> I'm seeing a billion of these in my logs and don't really understand the
> rule. My mail server is 220.127.116.11 and from the rule it appears that my
> mail server is connecting to other mail servers on port 25 and Snort is
> picking up that I'm sending a .pif file attachment.
> [snort] VIRUS OUTBOUND .pif file attachment 2003-09-03 10:00:06
> 18.104.22.168:29180 22.214.171.124:25 TCP
> When I look at the details for the event it appears that the email is from
> an outside domain and being sent into our email domain... see below... from
> extra at ...10027... to corporate at ...10028... Imandi.com is our email domain,
> so this message is actually being sent inbound! Am I understanding this
Well, I'm guessing you forgot to add whatever was to be 'below'. :)