Version 3.x did not track TCP session state and could not tell which direction a connection was being made. It would only look at the destination port of the packets. If the SMTP session has a source port of 25 and a destination port of 25, then a version 3.x sensor would fire twice because it would see the string destined to port 25 in both directions.
Version 4.x does have TCP session state tracking. So a version 4.x sensor can tell which machine is the client and which the server and will only alarm for traffic from the client to the server port 25.
If this is a version 4.x sensor or the traffic is not from port 25 to port 25, then there may be another explanation.
Is your mail server forwarding the mail to another server? If so then that could fire the alarm as well.
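The difference between the two sensor generations described above, as an added Python model written for this thread (it is not the sensor's code): a stateless matcher keyed only on destination port versus one that learns client and server from the handshake. The packet flow, signature string and port numbers are constructed.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags payload")

SIG = b"MAIL FROM:"  # constructed stand-in for the signature's content string
SMTP_PORT = 25

def stateless_alerts(packets):
    """Version 3.x style: match on destination port only, ignoring direction."""
    return [p for p in packets if p.dport == SMTP_PORT and SIG in p.payload]

def stateful_alerts(packets):
    """Version 4.x style: the SYN sender is the client; alarm only client -> server."""
    sessions = set()  # (client, cport, server, sport) learned from the bare SYN
    alerts = []
    for p in packets:
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flags == "S":
            sessions.add(key)
            continue
        # Server -> client packets have the reversed tuple and never match here.
        if key in sessions and p.dport == SMTP_PORT and SIG in p.payload:
            alerts.append(p)
    return alerts

def smtp_flow(client, cport, server):
    """Constructed exchange: handshake, then the string seen in both directions
    (the server reply echoes it), which is the case the 3.x sensor double-counts."""
    return [
        Packet(client, cport, server, SMTP_PORT, "S", b""),
        Packet(server, SMTP_PORT, client, cport, "SA", b""),
        Packet(client, cport, server, SMTP_PORT, "A", b""),
        Packet(client, cport, server, SMTP_PORT, "PA", b"MAIL FROM:<a@example.test>\r\n"),
        Packet(server, SMTP_PORT, client, cport, "PA", b"250 MAIL FROM:<a@example.test> ok\r\n"),
    ]

def alert_counts(client_port):
    """Return (stateless_count, stateful_count) for a flow from the given client port."""
    flow = smtp_flow("10.0.0.5", client_port, "10.0.0.25")  # constructed addresses
    return len(stateless_alerts(flow)), len(stateful_alerts(flow))

if __name__ == "__main__":
    print("25 -> 25 :", alert_counts(25))       # stateless fires twice, stateful once
    print("ephemeral:", alert_counts(40000))    # both fire once
```

Only the port-25-to-port-25 case produces the duplicate on the stateless model; a normal client connection from an ephemeral port yields one alert either way.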
1) I think a normal SMTP connection is from port > 1024 to port 25 (not from 25 to 25). Am I right? Can it be a problem?
2) I enabled LOG for a signature on the sensor. IPLOG for our IP address shows communication from a remote IP to our mail server port 25 (an attempt by a remote server to send us a virus). But we have 2 alerts at the same time. Bug or feature?
I am not familiar enough with SMTP to know what are the common ports used.
Can you paste in a copy of the alerts?
If you need to, you can mask the 2 addresses by setting xxx.xxx for the first 2 octets. The last 2 octets should be enough to properly detect traffic directions.
What I would look for is whether this is 2 alarms on the same connection, or 2 alarms with 2 different connections between the same IPs, or 2 alarms with an alarm for a connection to one IP and a second alarm for a connection to a different IP.
In addition, when you look at "show iplog-status", do you see an iplog for both the external address and your mail server?
You need to download and analyze both these iplogs to ensure you see both connections.