Originally posted here by tolstoy


If ident is triggering these snort alerts, the original destination port listed in the alert should be 113. In some of the alerts you have posted, I have seen other destination ports referenced beside 113. I would not chalk this one up to ident traffic originating from your sendmail box unless all of your alerts specifically reference 113 (unless of course ident uses other ports I am unaware of).
Gee, thanks tolstoy, that just made my day.

Fact of the matter is, we still have one or two slipping through (even after we reconfigured the firewall); we did manage to stop about 90% of the messages though. We can't shut down all ident coming out of sendmail because when we tried, all inbound e-mail was stopped. We are still investigating the one or two that are coming in, but they may be because of this port thing, or something else is sending out a request.

The adventure continues.....
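As an added example (not part of the original thread, and not anything tolstoy or the poster ran), here is a small Python triage script that applies tolstoy's test to Snort fast-format alert lines: an alert can only be ident traffic if it is TCP with destination port 113, so anything else gets set aside for separate investigation. The sample alert lines, SIDs and message texts below are constructed for illustration and are not from the thread.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# ident/auth is TCP/113 (RFC 1413); a sendmail ident lookup can only produce this.
IDENT_PORT = 113

# Constructed Snort "fast" alert lines. The SIDs (1:9000001, 1:9000002) and
# message texts are hypothetical placeholders, not real rules from the thread.
SAMPLE_ALERTS = [
    "03/02-09:14:01.221034  [**] [1:9000001:1] Outbound connection attempt [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.25:41022 -> 198.51.100.7:113",
    "03/02-09:14:03.002117  [**] [1:9000001:1] Outbound connection attempt [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.25:41023 -> 203.0.113.44:113",
    "03/02-09:15:10.550901  [**] [1:9000001:1] Outbound connection attempt [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.25:41040 -> 192.0.2.18:6667",
    "03/02-09:16:42.118877  [**] [1:9000002:1] Outbound UDP probe [**] "
    "[Classification: Misc activity] [Priority: 3] {UDP} 10.0.0.25:5353 -> 192.0.2.18:113",
]

# Snort fast-alert layout: timestamp, [**] [gid:sid:rev] msg [**], optional
# classification/priority, then {PROTO} src:sport -> dst:dport.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_alert(line: str) -> Optional[Dict[str, object]]:
    """Parse one fast-format alert line; return None for lines that do not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["sport"] = int(m.group("sport"))
    rec["dport"] = int(m.group("dport"))
    rec["proto"] = m.group("proto").upper()
    return rec


def could_be_ident(alert: Dict[str, object]) -> bool:
    """tolstoy's test: only TCP to destination port 113 can be an ident lookup."""
    return alert["proto"] == "TCP" and alert["dport"] == IDENT_PORT


def triage(lines: List[str]) -> Tuple[List[Dict[str, object]], List[Dict[str, object]]]:
    """Split alerts into (consistent with ident, needs a different explanation)."""
    ident, other = [], []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue  # not a fast-format alert line; skip rather than misfile it
        (ident if could_be_ident(alert) else other).append(alert)
    return ident, other


def dest_port_histogram(lines: List[str]) -> Dict[int, int]:
    """Count destination ports so you can see at a glance whether they are all 113."""
    parsed = (parse_alert(l) for l in lines)
    return dict(Counter(a["dport"] for a in parsed if a is not None))


if __name__ == "__main__":
    ident, other = triage(SAMPLE_ALERTS)
    print(f"consistent with ident (TCP/113): {len(ident)}")
    for a in other:
        print(f"NOT ident: {a['proto']} {a['src']}:{a['sport']} -> {a['dst']}:{a['dport']} ({a['msg']})")
    print("destination ports seen:", dest_port_histogram(SAMPLE_ALERTS))
```

On the constructed input the script keeps the two TCP/113 alerts in the ident pile and flags the TCP/6667 alert and the UDP/113 alert as needing another explanation; the UDP case is included because a bare port-113 match is not enough, the protocol has to be TCP as well. Feed it the real alert file with `triage(open("alert").read().splitlines())` and look at the `other` list first, since that is where the "one or two" that are not sendmail would show up.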