Security Incidents mailing list archives
Re: Snort SMTP expn-root
From: fernando () BN PT (Fernando Cardoso)
Date: Fri, 7 Jul 2000 09:29:23 +0100
Same happens here. Actually there's a quite simple explanation for that. Here's the signature for the SMTP-expn-root:

    alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS31/SMTP-expn-root"; content: "expn root"; flags: AP;)

So, basically, every time a mail message arrives with the words "expn root" in the contents, snort will log it. Since some postings to the list had these words, snort alerted you to the fact.

I advise you to use snort with the -d option (dump application layer). This way you can check the content of the packets logged. Here's what I got:

[**] IDS31/SMTP-expn-root [**]
07/06-22:14:57.743613 207.126.127.68:41233 -> x.x.x.x:25
TCP TTL:241 TOS:0x0 ID:49964 DF
*****PA* Seq: 0x2D68A42F Ack: 0x45F0628A Win: 0xFAF0
2F 20 20 20 5F 2F 5F 2F 20 20 20 20 20 20 20 20  /   _/_/
20 20 68 74 74 70 3A 2F 2F 77 77 77 2E 74 69 6E    http://www.tin
2E 69 74 0D 0A 3E 20 20 20 20 20 20 20 20 20 20  .it..>
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 61 62                ab
75 73 65 40 74 69 6E 2E 69 74 0D 0A 3E 0D 0A 3E  use () tin it..>..>
20 2D 2D 2D 2D 2D 20 4F 72 69 67 69 6E 61 6C 20   ----- Original
4D 65 73 73 61 67 65 20 2D 2D 2D 2D 2D 0D 0A 3E  Message -----..>
20 46 72 6F 6D 3A 20 42 72 61 64 6C 65 79 20 57   From: Bradley W
6F 6F 64 77 61 72 64 20 3C 62 72 61 64 77 40 61  oodward <bradw@a
6D 69 2E 63 6F 6D 2E 61 75 3E 0D 0A 3E 20 54 6F  mi.com.au>..> To
3A 20 3C 61 62 75 73 65 40 74 69 6E 2E 69 74 3E  : <abuse () tin it>
0D 0A 3E 20 53 65 6E 74 3A 20 46 72 69 64 61 79  ..> Sent: Friday
2C 20 4A 75 6E 65 20 33 30 2C 20 32 30 30 30 20  , June 30, 2000
[...]
0D 0A 3E 20 20 20 3E 0D 0A 3E 20 20 20 3E 20 3E  ..>   >..>   > >
41 63 74 69 76 65 20 53 79 73 74 65 6D 20 41 74  Active System At
74 61 63 6B 20 41 6C 65 72 74 73 0D 0A 3E 20 20  tack Alerts..>
20 3E 20 3E 3D 2D 3D 2D 3D 2D 3D 2D 3D 2D 3D 2D   > >=-=-=-=-=-=-
3D 2D 3D 2D 3D 2D 3D 2D 3D 2D 3D 2D 3D 2D 3D 0D  =-=-=-=-=-=-=-=.
0A 3E 20 20 20 3E 20 3E 4A 75 6E 20 33 30 20 31  .>   > >Jun 30 1
33 3A 33 35 3A 33 34 20 6D 79 63 6F 6D 70 20 73  3:35:34 mycomp s
65 6E 64 6D 61 69 6C 5B 31 37 38 36 35 5D 3A 20  endmail[17865]:
4E 4F 51 55 45 55 45 3A 20 61 2D 70 65 38 2D 36  NOQUEUE: a-pe8-6
30 2E 74 69 6E 2E 69 74 0D 0A 3E 20 20 20 3E 20  0.tin.it..>   >
3E 5B 32 31 32 2E 32 31 36 2E 31 39 30 2E 31 38  >[212.216.190.18
37 5D 3A 20 65 78 70 6E 20 72 6F 6F 74 0D 0A 3E  7]: expn root..>
                                                      ^^^^^^^^

Fernando
_________________________________________________________________
Fernando Cardoso        Phone: +351 21 7982186
Network Administrator   Fax: +351 217982185
National Library        E-mail: fernando () bn pt
Portugal                PGP ID: 28551CB8
Last night at around 7pm EST I got these two log entries from my IDS server.

Jul 5 19:06:33 IDS snort[340]: IDS31/SMTP-expn-root: 207.126.127.68:53244 -> XXX.XXX.XXX.10:25
Jul 5 19:06:33 IDS snort[340]: IDS31/SMTP-expn-root: 207.126.127.68:53244 -> XXX.XXX.XXX.10:25

Weird thing is that the originating IP address is "lists.securityfocus.com". I've been on these lists for over a month and this is the first time I've ever seen this message come up in my IDS. Anyone know why this may occur that I'm missing?

Jeffrey A. Oxenreider
Network Security Analyst
Safelite Glass Corp
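As an added illustration (not part of either message above), the Python below emulates the rule's behaviour over a constructed SMTP client stream and contrasts it with a check that only fires when EXPN is actually issued as an SMTP command. It assumes the rule's content: option behaves as a plain substring search and treats the client side of the session as one payload; both sample streams are constructed for the example.

```python
# Added example: why "content: \"expn root\"" fires on mail that merely quotes
# the string, and what a command-position check looks like instead.

# Constructed client->server SMTP stream: a list posting whose body quotes an
# "expn root" log line, as in the archived thread.
MAIL_WITH_QUOTE = (
    "EHLO client.example\r\n"
    "MAIL FROM:<lists@example.invalid>\r\n"
    "RCPT TO:<ids-admin@example.invalid>\r\n"
    "DATA\r\n"
    "Subject: Re: Snort SMTP expn-root\r\n"
    "\r\n"
    "> Jun 30 13:35:34 mycomp sendmail[17865]: NOQUEUE: [x.x.x.x]: expn root\r\n"
    ".\r\n"
    "QUIT\r\n"
)

# Constructed stream in which the client really issues EXPN (lowercase, so the
# case-sensitive content match in the rule also sees it).
REAL_EXPN = "HELO probe.example\r\nexpn root\r\nQUIT\r\n"


def content_match(stream: str, pattern: str = "expn root") -> bool:
    """Emulates the rule's content: option (assumption: a substring search
    anywhere in the application payload, with no regard to SMTP state)."""
    return pattern in stream


def expn_command_match(stream: str) -> bool:
    """Stricter check: EXPN must be the first token of a CRLF-delimited line
    sent outside the DATA section, i.e. an actual SMTP command."""
    in_data = False
    for line in stream.split("\r\n"):
        if in_data:
            # Message body ends with a line containing a single dot.
            if line == ".":
                in_data = False
            continue
        verb = line.split(" ", 1)[0].upper()
        if verb == "DATA":
            in_data = True
        elif verb == "EXPN":
            return True
    return False


if __name__ == "__main__":
    for name, stream in (("quoted in body", MAIL_WITH_QUOTE), ("real EXPN", REAL_EXPN)):
        print(f"{name}: rule={content_match(stream)} command={expn_command_match(stream)}")
```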