Subject: Re: Snort SMTP expn-root
From: Rob Wilson (r.wilson BUSINESSHEALTH.CO.UK)
Date: Fri Jul 07 2000 - 04:04:24 CDT
Last night around 7pm GMT I received a snort log as follows:
[**] IDS031 - SMTP-expn-root [**]
207.126.127.68:42606 -> x.x.x.x:25 TCP TTL:233 TOS:0x0 ID:61874 DF
*****PA* Seq: 0xC28B7227 Ack: 0x5FACF5 Win: 0xFAF0
[**] IDS031 - SMTP-expn-root [**]
207.126.127.68:42606 -> x.x.x.x:25 TCP TTL:233 TOS:0x0 ID:61879 DF
*****PA* Seq: 0xC28B8C73 Ack: 0x5FACF5 Win: 0xFAF0
[**] IDS031 - SMTP-expn-root [**]
207.126.127.68:34311 -> x.x.x.x:25 TCP TTL:233 TOS:0x0 ID:49174 DF
*****PA* Seq: 0x9A7582A5 Ack: 0x658D85 Win: 0xFAF0
[**] IDS031 - SMTP-expn-root [**]
207.126.127.68:34311 -> x.x.x.x:25 TCP TTL:233 TOS:0x0 ID:49179 DF
*****PA* Seq: 0x9A759CF1 Ack: 0x658D85 Win: 0xFAF0
Any clues?
Rob
-----Original Message-----
From: Oxenreider, Jeff [mailto:jox SAFELITE.COM]
Sent: 06 July 2000 13:24
To: INCIDENTS SECURITYFOCUS.COM
Subject: Snort SMTP expn-root
Last night at around 7pm EST I got these two log entries from my IDS server.
Jul 5 19:06:33 IDS snort[340]: IDS31/SMTP-expn-root: 207.126.127.68:53244 -> XXX.XXX.XXX.10:25
Jul 5 19:06:33 IDS snort[340]: IDS31/SMTP-expn-root: 207.126.127.68:53244 -> XXX.XXX.XXX.10:25
Weird thing is that originating IP address is "lists.securityfocus.com".
I've been on these lists for over a month and this is the first time I've
ever seen this message come up in my IDS.
Anyone know why this may occur that I'm missing?
Jeffrey A. Oxenreider
Network Security Analyst
Safelite Glass Corp