12.07.2015 Views

Symantec™ Security Gateways Reference Guide - Sawmill


IDS events: Suspicious activity

SMB Short Password

Base Event: SMB_SHORT_PASSWORD
Details: A logon attempt was made with a short password (under 4 chars).
Response: If seen in sufficient volume or variation, and other suspicious factors exist, audit of client and server is recommended. Examination of the packet contents may provide some additional information about the particular command.
Affected: No specific targets.
False Positives: None known.
References: CAN-1999-0518; SMB Information

SMTP Bad Email Address

Base Event: SMTP_BAD_EMAIL_ADDRESS
Details: A recipient's email address did not conform to the RFC. This may indicate an attempt to exploit an address handling vulnerability on the server.
Response: If seen in sufficient volume or variation, and other suspicious factors exist, audit of client and server is recommended. Examination of the packet contents may provide some additional information about the particular command.
Affected: No specific targets.
False Positives: It is possible this is simply a user or server configuration error.
References: SMTP Specifications

SMTP EXPN denial-of-service

Base Event: SMTP_EXPN_DOS
Details: The client sent an invalid EXPN response to an SMTP request. The response may crash the server.
Response: An audit of the client and server is recommended.
Affected: No specific targets.
False Positives: None known.
References: SMTP Specifications

SMTP Login Failed

Base Event: SMTP_AUTHENTICATION_FAILED
Details: This corresponds to an SMTP response code of 535 being detected. Large numbers of these may indicate someone attempting to compromise a mail account.
Response: Response typically involves locating the source and verifying if it is a legitimate client or not.
Affected: No specific targets.
False Positives: None known.
References: SMTP Specifications
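One way to act on the SMTP Login Failed entry above, as an added example that is not part of the Symantec guide: count 535 replies per client in a sliding window and report the sources that reach a threshold, so they can be checked for legitimacy. The record layout, the threshold of 5 and the one-minute window are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL = "535 5.7.8 Authentication credentials invalid"

# Constructed sample records: (ISO timestamp, client address, server reply line).
# Client addresses are taken from the RFC 5737 documentation ranges.
SAMPLE = (
    # Six failures in 50 seconds from one client.
    [(f"2015-07-12T10:00:{s:02d}", "192.0.2.10", FAIL) for s in range(0, 60, 10)]
    # Continuation line of a multi-line reply; must not be counted twice.
    + [("2015-07-12T10:00:50", "192.0.2.10", "535-5.7.8 Authentication failed")]
    # Five failures, one per minute: never dense enough for the default threshold.
    + [(f"2015-07-12T10:0{m}:00", "203.0.113.5", FAIL) for m in range(5)]
    # A user who mistypes once and then logs in.
    + [("2015-07-12T10:01:00", "198.51.100.7", FAIL),
       ("2015-07-12T10:01:05", "198.51.100.7", "235 2.7.0 Authentication successful")]
)

def is_final_535(reply_line):
    """True for the last line of a 535 reply; '535-' marks a continuation line."""
    return reply_line[:3] == "535" and reply_line[3:4] in ("", " ")

def sources_over_threshold(records, threshold=5, window=timedelta(minutes=1)):
    """Return {client: peak failure count in any window} for clients reaching threshold."""
    recent = defaultdict(deque)   # client -> timestamps of failures still in the window
    peak = {}
    for ts, client, reply in sorted(records):   # ISO timestamps sort chronologically
        if not is_final_535(reply):
            continue
        now = datetime.fromisoformat(ts)
        failures = recent[client]
        failures.append(now)
        while now - failures[0] > window:       # drop failures older than the window
            failures.popleft()
        if len(failures) >= threshold:
            peak[client] = max(peak.get(client, 0), len(failures))
    return peak

if __name__ == "__main__":
    for client, count in sources_over_threshold(SAMPLE).items():
        print(f"{client}: {count} failed SMTP logins within one minute")
```
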
