Mass Mailing Worm Alerts

Terry
Level 1

Hi, I've created a drop rule for legitimate email traffic that is being reported as 'Mass Mailing Worm' incidents. My problem is that some of the source addresses I've added to the drop rule (log to database only) are still showing up as incidents. Can anyone help, please?

Kind Regards

Terry

7 Replies

Farrukh Haroon
VIP Alumni

Can you post more details about your configuration (drop rules)?

Regards

Farrukh

Hi Farrukh

Source & Destination IPs: contain the correct IP info, i.e. known source IPs for incoming emails in the source column & a list of the Exchange server IPs in the destination column. Service Name: src port: any / dst port: 25 / proto: TCP. Event: Built/teardown/permitted IP connection. Device: ANY. Severity: ANY. Action: Log to DB only. Time-range: ANY. The drop rule status is active. If you need any more info, let me know.

Kind Regards

Terry

jnelson25
Level 1

I handled this particular issue without using a drop rule because it was easier when reviewing logs. I simply changed the source IP in the "System Rule: Client Exploit - Mass Mailing Worm" from "ANY" to "!=".

So I don't know if this will work in your situation, but if you're only trying to exclude your mail servers, just list them all as exceptions in your inspection rule. You'll find that not only will those connections no longer trigger an incident, they will also not be logged as "mass mailing worm" events.

Btw, which version of MARS are you running?

There is a well-known bug in version 6.0.2 which causes drop rules to not function at all. There is a patch/fix available on CCO for this.

Regards

Farrukh

We are now running version 6.0.3, but were running 6.0.2 when the drop was initially created.

Please download the drop-rules patch from this link:

http://www.cisco.com/cgi-bin/tablebuild.pl/cs-mars-misc

For more details:

http://ciscomars.blogspot.com/

Regards

Farrukh

Thanks for all your help Farrukh.