Been getting some IPS alerts lately under the SMTP category and I'm trying to determine what exactly is triggering them (trying to tie to a specific SMTP session so I can find out sender and receiver). Trying to determine if they are false positives or not.
I've pulled up each instance in the IPS logs, then go to the SMTP logs to see the traffic around the time of the alert. All alerts have been triggered during normal weekday business hours. Each time, there's a valid message at the exact second of the alert, but something invalid within a second or two preceding the alert.
Here's my question. Is there going to be a short time lag between something triggering an alert and the IPS log entry being written, or are the time stamps going to match up completely?
The alerts in question are ID 10995 A SMTP possible BDAT DoS attempt and ID 2183 A SMTP Content-Transfer-Encoding overflow attempt. I really wish I could tell what it takes to trigger these, since that would also help as to whether I should continue to pass these packets or drop them.
Thanks.
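One way to do the correlation the post describes, as an added example that is not part of the original thread: it parses constructed IPS alert lines and SMTP log lines (the formats, addresses and timestamps are made up for the example, not any vendor's real log layout) and, for each alert, lists the SMTP entries logged within a few seconds before it, ranking an entry from the same client IP as the alert's source first and then by closeness in time. Widening the window (`window` seconds) is how you allow for a logging lag like the one asked about.

```python
import re
from datetime import datetime, timedelta

# Constructed IPS alerts (sample data, not real logs).
IPS_ALERTS = """\
2024-03-12 10:15:42 id=10995 msg="SMTP possible BDAT DoS attempt" src=203.0.113.7 dst=192.0.2.25
2024-03-12 14:02:09 id=2183 msg="SMTP Content-Transfer-Encoding overflow attempt" src=198.51.100.4 dst=192.0.2.25
"""
# Constructed SMTP log: an invalid message a second or two before each alert, a valid one at the alert second.
SMTP_LOG = """\
2024-03-12 10:15:40 REJECT from=<bulk@example.net> to=<sales@example.com> client=203.0.113.7 reason=malformed BDAT
2024-03-12 10:15:42 ACCEPT from=<alice@example.org> to=<bob@example.com> client=198.51.100.9
2024-03-12 14:02:08 REJECT from=<spam@example.net> to=<info@example.com> client=198.51.100.4 reason=bad header
2024-03-12 14:02:09 ACCEPT from=<carol@example.org> to=<dave@example.com> client=192.0.2.77
2024-03-12 14:05:00 ACCEPT from=<erin@example.org> to=<frank@example.com> client=192.0.2.78
"""
IPS_RE = re.compile(r'^(\S+ \S+) id=(\d+) msg="([^"]*)" src=(\S+) dst=(\S+)')
SMTP_RE = re.compile(r'^(\S+ \S+) (\w+) from=<([^>]*)> to=<([^>]*)> client=(\S+)(?: reason=(.*))?')

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def parse_ips(text):
    """Return one dict per IPS alert line that matches the constructed format."""
    return [{"ts": parse_ts(m[1]), "id": int(m[2]), "msg": m[3], "src": m[4], "dst": m[5]}
            for m in map(IPS_RE.match, text.splitlines()) if m]

def parse_smtp(text):
    """Return one dict per SMTP session line; 'reason' is None for accepted messages."""
    return [{"ts": parse_ts(m[1]), "status": m[2], "from": m[3], "to": m[4], "client": m[5], "reason": m[6]}
            for m in map(SMTP_RE.match, text.splitlines()) if m]

def correlate(alerts, sessions, window=3):
    """For each alert, SMTP sessions logged in [alert-window, alert], same-client first, then nearest in time."""
    out = []
    for a in alerts:
        lo = a["ts"] - timedelta(seconds=window)
        cands = [s for s in sessions if lo <= s["ts"] <= a["ts"]]
        cands.sort(key=lambda s: (s["client"] != a["src"], abs((a["ts"] - s["ts"]).total_seconds())))
        out.append((a, cands))
    return out

def best_matches(window=3):
    """Map signature id -> (sender, recipient, seconds before the alert) for each alert's top candidate."""
    result = {}
    for a, cands in correlate(parse_ips(IPS_ALERTS), parse_smtp(SMTP_LOG), window):
        if cands:
            s = cands[0]
            result[a["id"]] = (s["from"], s["to"], int((a["ts"] - s["ts"]).total_seconds()))
    return result

if __name__ == "__main__":
    for sig, (sender, rcpt, lag) in best_matches().items():
        print(f"signature {sig}: likely session {sender} -> {rcpt}, logged {lag}s before the alert")
```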