https://community.cisco.com/t5/network-security/why-is-this-event-trapping/m-p/2793399#M44459 <P>Using AMP8150 with 5.3.0.3</P> <P>I see a sig tripping that shouldn't be. 1:655:16.&nbsp;</P> <P>Sig:</P> <P><SPAN>alert tcp $EXTERNAL_NET 113 -&gt; $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|D/"; metadata:ruleset community, service smtp; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-admin; sid:655; rev:16; )</SPAN></P> <P>The device is able to detect the system is a Windows system with network/host discovery- obviously not running Sendmail. Why does this rule keep firing when Sourcefire sees Sendmail is not running?</P> Sun, 10 Mar 2019 13:29:35 GMT greg.dzurinda 2019-03-10T13:29:35Z https://community.cisco.com/t5/network-security/why-is-this-event-trapping/m-p/2793399#M44459 <P>Using AMP8150 with 5.3.0.3</P> <P>I see a sig tripping that shouldn't be. 1:655:16.&nbsp;</P> <P>Sig:</P> <P><SPAN>alert tcp $EXTERNAL_NET 113 -&gt; $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|D/"; metadata:ruleset community, service smtp; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-admin; sid:655; rev:16; )</SPAN></P> <P>The device is able to detect the system is a Windows system with network/host discovery- obviously not running Sendmail. Why does this rule keep firing when Sourcefire sees Sendmail is not running?</P> Sun, 10 Mar 2019 13:29:35 GMT https://community.cisco.com/t5/network-security/why-is-this-event-trapping/m-p/2793399#M44459 greg.dzurinda 2019-03-10T13:29:35Z https://community.cisco.com/t5/network-security/why-is-this-event-trapping/m-p/2793400#M44460 <P>Because somebody is trying to use an sendmail exploit on your windows server.&nbsp;</P> <P>You are not vulnerable, but they are still trying.&nbsp;</P> Thu, 17 Nov 2016 18:04:26 GMT https://community.cisco.com/t5/network-security/why-is-this-event-trapping/m-p/2793400#M44460 Dennis Perto 2016-11-17T18:04:26Z