[Snort-users] ATTACK-RESPONSES id check returned root
Our World Is Here
info at ...2282...
Wed Oct 26 08:05:40 EDT 2005
That would be true...if we had a smtp server, but we don't.
None of our machines handle email, we use a third party. So why would we
ever see this normally? The only 25 we should see normally is outbound
directly to our real server.
But yes, we do see legit emails hitting this when we POP our mail (obviously
not with web mail clients...).
James Friesen, CIO
"Our World Is Here..."
Info at lucretia dot ca
> > I see this so often I've revised this sid (498 I think) to ignore
> > anything coming via POP port 110. If I see it on 25 I get
> Why? If you see it on port 25, it's just incoming email.
> Look at the payload. You'll see that it's an email passing
> through your stmp server.
> Paul Schmehl (pauls at ...6838...)
> Adjunct Information Security Officer
> University of Texas at Dallas
> AVIEN Founding Member
More information about the Snort-users