Mass Mailing Worm Alerts

Unanswered Question
May 14th, 2009

Hi, I've created a drop rule for legitimate email traffic that is being reported as 'Mass Mailing Worm' incidents. My problem is that some of the source addresses I've added to the drop rule (log to database only) are still showing up as incidents. Can anyone help, please?

Kind Regards

Terry

Farrukh Haroon Mon, 05/18/2009 - 06:09

Can you post more details about your configuration (drop rules)?

Regards

Farrukh

terry.tolan Mon, 05/18/2009 - 07:53

Hi Farrukh

Source & Destination IPs: contain the correct IP info, i.e. known source IPs for incoming emails in the source column and a list of the Exchange server IPs in the destination column.
Service Name: src port: any / dst port: 25 / proto: TCP.
Event: Built/teardown/permitted IP connection.
Device: ANY.
Severity: ANY.
Action: Log to DB only.
Time-range: ANY.

The drop rule status is active. If you need any more info, let me know.

Kind Regards

Terry

jnelson25 Mon, 05/18/2009 - 09:09

I handled this particular issue without using a drop rule because it was easier when reviewing logs. I simply changed the source IP in the "System Rule: Client Exploit - Mass Mailing Worm" from "ANY" to "!=".

So I don't know if this will work in your situation, but if you're only trying to exclude your mail servers, just list them all as exceptions in your inspection rule. You'll find that not only will those connections no longer trigger an incident, they will also not be logged as "mass mailing worm" events.
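
The two approaches in this thread differ in what they match: a drop rule only suppresses events that satisfy every field on it (source, destination, protocol, port, event name), whereas an exception on the inspection rule's source condition takes the listed hosts out of that rule entirely. The following is an added example written for this page, not MARS code and not the project's rule engine: it is a small Python model of the two approaches over constructed events, with a helper that names the drop-rule field an event fails to satisfy. The host addresses, event names and the simplified "any TCP/25 connection from a non-excluded source" stand-in for the Mass Mailing Worm rule are all assumptions made for the example; it does not claim to explain why any particular real rule failed to match.

```python
"""Model of a MARS-style drop rule versus an inspection-rule source exception.

Constructed example for this thread; not Cisco MARS code. The inspection rule is
reduced to "any TCP/25 connection from a non-excluded source counts", which is an
assumption made to keep the example self-contained.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Event:
    src: str
    dst: str
    proto: str
    dport: int
    event_type: str  # event name exactly as the reporting device sends it


@dataclass(frozen=True)
class DropRule:
    sources: tuple      # networks the source address must fall in
    dests: tuple        # networks the destination address must fall in
    proto: str
    dport: int
    event_types: tuple  # event names the rule is written for
    action: str = "log to DB only"


def _in_any(addr, nets):
    a = ip_address(addr)
    return any(a in n for n in nets)


def drop_rule_mismatches(ev, rule):
    """Names of the drop-rule fields the event does NOT satisfy (empty == match).

    This is the check a practitioner wants when a source that is 'in the list'
    still produces incidents: every field must match, not just the source.
    """
    bad = []
    if not _in_any(ev.src, rule.sources):
        bad.append("source")
    if not _in_any(ev.dst, rule.dests):
        bad.append("destination")
    if ev.proto.upper() != rule.proto.upper():
        bad.append("proto")
    if ev.dport != rule.dport:
        bad.append("dst port")
    if ev.event_type not in rule.event_types:
        bad.append("event")
    return bad


def smtp_rule_fires(ev, excluded_sources=()):
    """Simplified stand-in for the inspection rule (assumption, see module docstring)."""
    return (ev.proto.upper() == "TCP" and ev.dport == 25
            and not _in_any(ev.src, excluded_sources))


def outcome_with_drop_rule(ev, rule):
    """Drop rule first: a full match is logged only; anything else reaches the rule."""
    if not drop_rule_mismatches(ev, rule):
        return "logged only"
    return "incident" if smtp_rule_fires(ev) else "no match"


def outcome_with_exception(ev, excluded_sources):
    """Source exception on the inspection rule itself (the '!=' approach)."""
    return "incident" if smtp_rule_fires(ev, excluded_sources) else "no match"


# Constructed data: documentation-range addresses, invented event names.
MAIL_HOSTS = (ip_network("10.1.1.0/29"),)                         # known inbound mail relays
EXCHANGE = (ip_network("192.0.2.10/32"), ip_network("192.0.2.11/32"))
RULE = DropRule(MAIL_HOSTS, EXCHANGE, "TCP", 25,
                ("Built/teardown/permitted IP connection",))
EVENTS = [
    Event("10.1.1.5", "192.0.2.10", "TCP", 25, "Built/teardown/permitted IP connection"),
    Event("10.1.1.5", "192.0.2.10", "TCP", 25, "Built inbound TCP connection"),  # different event name
    Event("203.0.113.7", "192.0.2.10", "TCP", 25, "Built/teardown/permitted IP connection"),  # unknown relay
    Event("10.1.1.5", "192.0.2.10", "TCP", 587, "Built/teardown/permitted IP connection"),  # submission port
]


def report(events=EVENTS, rule=RULE, excluded=MAIL_HOSTS):
    """One row per event: which drop-rule fields miss, and the outcome under each approach."""
    return [{"event": ev,
             "drop_rule_mismatch": drop_rule_mismatches(ev, rule),
             "with_drop_rule": outcome_with_drop_rule(ev, rule),
             "with_exception": outcome_with_exception(ev, excluded)}
            for ev in events]


if __name__ == "__main__":
    for row in report():
        print(row)
```

The second constructed event is the instructive one: its source and destination are on the drop rule, but the event name differs, so the drop rule does not match and the simplified rule still raises an incident, while the source exception on the inspection rule covers it regardless of event name. Running `drop_rule_mismatches` over the events that still produce incidents is the quickest way to see which field a drop rule is actually failing on.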

Farrukh Haroon Mon, 05/18/2009 - 12:39

Btw, which version of MARS are you running?

There is a well-known bug in version 6.0.2 which causes drop rules to not function at all. There is a patch/fix available on CCO for this.

Regards

Farrukh

terry.tolan Tue, 05/19/2009 - 00:42

We are now running version 6.0.3, but were running 6.0.2 when the drop was initially created.
