Snort mailing list archives

chameleon overflow


From: Matt Hand <matt () bitflip com>
Date: Fri, 8 Jun 2001 13:20:57 -0500


  I was checking through yesterday's logs and ran across an SMTP chameleon overflow, which is unusual for us. The logs are from a machine running DNS and acting as our mail server.

  The arachNIDs database says it's unlikely the IP address was spoofed, so I checked and it belongs to cheetahmail.com. Has anyone experienced anything similar and, if so, what did you do about it?

  In any case, here are the relevant lines from the log file:

<snip>
Jun  7 16:27:05 chia snort: SMTP chameleon overflow: 206.132.30.40:41226 -> 207.252.45.6:25
Jun  7 16:27:05 chia named[517]: "optonline.net IN MX" points to a CNAME (mail-relay.optonline.net)
Jun  7 16:27:05 chia named[517]: "optonline.net IN MX" points to a CNAME (mail-hub.optonline.net)
</snip>

  Thanks for the help.

Matt Hand
matt () bitflip com

