
Weird IPS Alert

I keep getting these IPS alerts with the source of my ASG, and the destination of my mail server.  Now, the server isn't susceptible to this attack, but I don't get why they are occurring.  There are no packets in the log from the outside at this time.  I am using the SMTP proxy in both directions.  I would appreciate any input.  Thanks.

Here is a sample alert:

Intrusion Protection Alert

An intrusion has been detected. The packet has been dropped automatically.
You can toggle this rule between "drop" and "alert only" in WebAdmin.

Details about the intrusion alert:

Message........: SMTP MAIL FROM overflow attempt
Details........: http://www.snort.org/pub-bin/sigs.cgi?sid=2590
Time...........: 2006:12:22-18:11:27
Packet dropped.: yes
Priority.......: 1 (high)
Classification.: Attempted Administrator Privilege Gain
IP protocol....: 6 (TCP)

Source IP address: 192.168.10.254 (***.***.***)
http://www.dnsstuff.com/tools/ptr.ch?ip=192.168.10.254
http://www.ripe.net/perl/whois?query=192.168.10.254
http://ws.arin.net/cgi-bin/whois.pl?queryinput=192.168.10.254
http://cgi.apnic.net/apnic-bin/whois.pl?search=192.168.10.254
Source port: 37797
Destination IP address: 192.168.10.2
http://www.dnsstuff.com/tools/ptr.ch?ip=192.168.10.2
http://www.ripe.net/perl/whois?query=192.168.10.2
http://ws.arin.net/cgi-bin/whois.pl?queryinput=192.168.10.2
http://cgi.apnic.net/apnic-bin/whois.pl?search=192.168.10.2
Destination port: 25 (smtp)

Event buffering has been activated. Further Intrusion Protection events will be collected and sent to you when the collection period has expired.
If more events occur, this period will be increased.

