[Snort-users] VIRUS OUTBOUND .pif file attachment

Erek Adams erek at ...950...
Thu Sep 4 22:10:06 EDT 2003


On Thu, 4 Sep 2003, Stevo wrote:

> Got a question about the [snort] VIRUS OUTBOUND .pif file attachment rule.
> I'm seeing a billion of these in my logs and don't really understand the
> rule.  My mail server is 63.145.201.15 and from the rule it appears that my
> mail server is connecting to other mail servers on port 25 and Snort is
> picking up that I'm sending a .pif file attachment.
>
> [snort] VIRUS OUTBOUND .pif file attachment        2003-09-03 10:00:06
> 63.145.201.15:29180        216.144.69.88:25        TCP
>
> However...
>
> When I look at the details for the event it appears that the email is from
> an outside domain and being sent into our email domain... see below... from
> extra at ...10027... to corporate at ...10028...  Imandi.com is our email domain,
> so this message is actually being sent inbound!  Am I understanding this
> correctly??

Well, I'm guessing you forgot to add whatever was to be 'below'.  :)


