Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
749
Views
0
Helpful
1
Replies

why is this event trapping?

greg.dzurinda
Level 1
Level 1

‎11-05-2015 05:19 AM - edited ‎03-10-2019 06:29 AM

Using AMP8150 with 5.3.0.3

I see a sig tripping that shouldn't be. 1:655:16. 

Sig:

alert tcp $EXTERNAL_NET 113 -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|D/"; metadata:ruleset community, service smtp; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-admin; sid:655; rev:16; )

The device is able to detect the system is a Windows system with network/host discovery- obviously not running Sendmail. Why does this rule keep firing when Sourcefire sees Sendmail is not running?

Labels:
0 Helpful
1 Reply 1

Dennis Perto
Level 5
Level 5

‎11-17-2016 10:04 AM

Because somebody is trying to use an sendmail exploit on your windows server. 

You are not vulnerable, but they are still trying. 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card