why is this event trapping?

greg.dzurinda
Level 1

Using AMP8150 with 5.3.0.3

I see a sig tripping that shouldn't be: 1:655:16.

Sig:

alert tcp $EXTERNAL_NET 113 -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|D/"; metadata:ruleset community, service smtp; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-admin; sid:655; rev:16; )

The device is able to detect that the system is a Windows system with network/host discovery, obviously not running Sendmail. Why does this rule keep firing when Sourcefire sees Sendmail is not running?

1 Reply

Dennis Perto
Level 5

Because somebody is trying to use a Sendmail exploit on your Windows server.

You are not vulnerable, but they are still trying.
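To show why the sensor fires on a Windows host at all, here is an added Python example (not from either poster or from Cisco) that reads the rule quoted in the question, decodes its content option and runs it against two constructed payloads. The rule header restricts only protocol and ports, and the body's content option is a byte substring search; nothing in the rule consults the target's OS, so host discovery can only tell you that the hit is not relevant, not stop the match.

```python
import re

# The rule from the question (sid 655 rev 16), reproduced here as a constant.
RULE = ('alert tcp $EXTERNAL_NET 113 -> $SMTP_SERVERS 25 '
        '(msg:"SERVER-MAIL Sendmail 8.6.9 exploit"; flow:to_server,established; '
        'content:"|0A|D/"; metadata:ruleset community, service smtp; '
        'reference:bugtraq,2311; reference:cve,1999-0204; '
        'classtype:attempted-admin; sid:655; rev:16; )')


def parse_header(rule: str) -> dict:
    """Split the rule header: these are the only packet fields it constrains."""
    action, proto, src, sport, _, dst, dport = rule.split("(", 1)[0].split()
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport}


def decode_content(spec: str) -> bytes:
    """Turn a Snort content string such as |0A|D/ into raw bytes.
    Text between a pair of pipes is hex; everything else is literal ASCII."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2:                      # odd segments sit between pipes -> hex
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("ascii")
    return bytes(out)


def content_patterns(rule: str) -> list:
    """Extract and decode every content:"..." option from the rule body."""
    return [decode_content(m) for m in re.findall(r'content:"([^"]*)"', rule)]


def rule_matches(rule: str, payload: bytes) -> bool:
    """Mirror what the content option does: a plain substring search over the
    payload. There is no host-OS or running-service check to consult."""
    return all(p in payload for p in content_patterns(rule))


# Constructed sample payloads (not captured traffic).
BENIGN = b"HELO mail.example.test\r\nMAIL FROM:<a@example.test>\r\n"
TRIGGER = b"Subject: report\nD/Q 2024\n"   # an LF followed by "D/" is enough

if __name__ == "__main__":
    print(parse_header(RULE))
    print(content_patterns(RULE))          # [b'\nD/']
    print(rule_matches(RULE, BENIGN), rule_matches(RULE, TRIGGER))
```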
