Hi,
I have a question about Snort. I am very confused.
Can you help me, please?
My problem is:
I have a mail server (mail server IP = 62.60.183.20) in my network and I
wrote a rule like this:
alert tcp any any -> 62.60.183.20 !25
When I run Snort, I see alerts in my network like this:
07/26-22:09:53.036073 213.217.12.42:25 -> 62.60.183.20:58697
TCP TTL:55 TOS:0x0 ID:15871 IpLen:20 DgmLen:74 DF
***AP*** Seq: 0x64ECE01A Ack: 0xCC8E10E3 Win: 0xE070 TcpLen: 32
TCP Options (3) => NOP NOP TS: 433629700 94532431
I have many of these alerts.
I cannot understand what happened.
Why is the client's port 25?
Is this packet an intrusion?
I have this problem with all of the servers in my network.
How can I fix it?