I had the same problem, and did a little googling. I came up with this thread at a Snort mailing list: http://msgs.securepoint.com/cgi-bin/get/snort-0204/540/2.html
I tried out the suggested solution, but it didn't help. I ended up just disabling that rule.

Katriel.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Yotam Rubin
Sent: Tuesday, June 11, 2002 12:45 PM
To: linux ILUG
Subject: Re: Snort Messages

On Tue, Jun 11, 2002 at 10:18:10AM +0200, Ben-Nes Michael wrote:
> Hi All
>
> Snort is giving me this message every time my primary mail server (exim)
> forwards a mail to a local one (also exim)
>
> Jun 10 19:45:34 fr snort[858]: [1:654:3] SMTP RCPT TO overflow
> [Classification: Attempted Administrator Privilege Gain] [Priority: 1]:
> {TCP} 194.90.15.2:1417 -> 194.90.15.162:25

Not off-hand, but fortunately, snort maintains logs containing the suspicious packets. Just look at the offending packet and compare it to the snort rule.

Regards,
Yotam Rubin

>
> Any idea what it's all about?
>
> =================================================================
> To unsubscribe, send mail to [EMAIL PROTECTED] with
> the word "unsubscribe" in the message body, e.g., run the command
> echo unsubscribe | mail [EMAIL PROTECTED]
> =================================================================
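Added example, not part of the original messages: a small Python parser for the Snort syslog alert line quoted in the thread, which tallies alerts by rule and host pair so a rule that only ever fires between two known mail servers stands out before it is tuned or disabled. The function names and every sample line except the first are constructed for this example.

```python
import re
from collections import Counter

# Layout of the alert quoted in the thread:
# [gid:sid:rev] msg [Classification: ...] [Priority: n]: {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"snort\[\d+\]:\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[Classification:\s*(?P<cls>[^\]]+)\]\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]:?\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not a Snort alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        fields[key] = int(fields[key])
    return fields

def summarize(lines):
    """Count alerts per (sid, src, dst, dport); source ports are ephemeral and ignored."""
    counts = Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert:
            counts[(alert["sid"], alert["src"], alert["dst"], alert["dport"])] += 1
    return counts

# The first line is the alert from the thread; the others are constructed sample data.
SAMPLE = [
    "Jun 10 19:45:34 fr snort[858]: [1:654:3] SMTP RCPT TO overflow [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 194.90.15.2:1417 -> 194.90.15.162:25",
    "Jun 10 19:52:01 fr snort[858]: [1:654:3] SMTP RCPT TO overflow [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 194.90.15.2:1502 -> 194.90.15.162:25",
    "Jun 10 20:03:17 fr snort[858]: [1:654:3] SMTP RCPT TO overflow [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 192.0.2.10:40211 -> 194.90.15.162:25",
    "Jun 10 20:03:18 fr exim[901]: constructed non-alert line",
]

if __name__ == "__main__":
    for (sid, src, dst, dport), n in summarize(SAMPLE).most_common():
        print(f"sid={sid} {src} -> {dst}:{dport} count={n}")
```

A host pair that accounts for nearly all hits of one SID is the place to start when comparing the logged packet against the rule, as suggested in the reply above.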