Hi, for the last week i have been seing tons of this signature alert firing, now the explanation of this signature in NSDB is :"Triggers on any mail message with a pipe (|) symbol in the From: field".
i don't have sendmail , all these signatures are firing when trying to go through my mail filters. i have tuned it from before to drop the packet and produce an alert , but why tons of signatures this week and from different source addresses ? is this legitimate traffic i'm blocking ?
It is very possible you are blocking legit traffic. As you've noted, the signature is only looking for a pipe character which was a vulnerability in sendmail 8 years ago! We've disabled it a LONG time ago due to the noise and the fact that sendmail was patched eons ago (if you are even using it).
They could very well be trying to exploit this extremely old vulnerability. Look at a packet capture. Do the mail transactions triggering these alarms look legitimate? Research the sources of these alarms. Is there a single source or multiple? Are the sources trusted or well known entities? If not, do they show up in any black lists? Answering these questions might help you decide what to do from a response/tuning perspective.
Unless you don't have something better to do (i.e. more important alarms to investigate) I don't know that I'd spend a whole lot of time on these. Follow attmidsteam's advice and disable the sig and move on.
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...