05-14-2009 02:26 AM
Hi, I've created a drop rule for legitimate email traffic that is being reported as 'Mass Mailing Worm' incidents. My problem is that some of the source addresses I've added to the drop rule (log to database only) are still showing up as incidents. Can anyone help, please?
Kind Regards
Terry
05-18-2009 06:09 AM
Can you post more details about your configuration (the drop rules)?
Regards
Farrukh
05-18-2009 07:53 AM
Hi Farrukh
Source & Destination IPs: contain the correct IP info, i.e. the known source IPs for incoming email in the source column and a list of the Exchange server IPs in the destination column.
Service Name: src port: any / dst port: 25 / proto: TCP.
Event: Built/teardown/permitted IP connection.
Device: ANY. Severity: ANY. Action: Log to DB only. Time-range: ANY.
The drop rule status is active. If you need any more info, let me know.
Kind Regards
Terry
05-18-2009 09:09 AM
I handled this particular issue without using a drop rule because it was easier when reviewing logs. I simply changed the source IP in the "System Rule: Client Exploit - Mass Mailing Worm" from "ANY" to "!=
So I don't know if this will work in your situation, but if you're only trying to exclude your mail servers, just list them all as exceptions in your inspection rule. You'll find that not only will those connections no longer trigger an incident, they will also not be logged as "Mass Mailing Worm" events.
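The two approaches in this thread (a drop rule with "Log to DB only" versus a "!=" source exception on the inspection rule itself) suppress different things, and the difference is easy to lose in a GUI. The following is an added toy model written for this thread, not Cisco MARS code: the rule fields, the CIDR lists, the sample connection events and the processing order are all constructed assumptions. It shows that a log-only drop rule keeps the events in the database but stops them reaching the inspection rule, that a "drop" action discards them outright, and that an inspection-rule exception means the event is never counted as a "Mass Mailing Worm" event at all, which is what the reply above describes.

```python
"""Toy model of drop rules vs. inspection-rule exceptions.

Constructed for illustration; this is NOT Cisco MARS code and the rule
shapes are simplified assumptions. Empty src/dst lists mean ANY."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


def _nets(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def _in(addr, cidrs):
    """True if addr falls in any of the CIDRs (empty list == ANY)."""
    if not cidrs:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in _nets(cidrs))


@dataclass
class Event:
    src: str
    dst: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class DropRule:
    src: List[str]            # CIDRs; empty == ANY
    dst: List[str]
    dst_port: Optional[int]   # None == ANY
    action: str               # "drop" or "log_db_only"
    proto: str = "tcp"

    def matches(self, ev):
        return (ev.proto == self.proto
                and (self.dst_port is None or ev.dst_port == self.dst_port)
                and _in(ev.src, self.src)
                and _in(ev.dst, self.dst))


@dataclass
class InspectionRule:
    name: str
    dst_port: int
    src_exceptions: List[str] = field(default_factory=list)  # the "!=" list
    proto: str = "tcp"

    def matches(self, ev):
        excluded = bool(self.src_exceptions) and _in(ev.src, self.src_exceptions)
        return (ev.proto == self.proto
                and ev.dst_port == self.dst_port
                and not excluded)


def process(events, drop_rules, rule):
    """Return (events stored in DB, events attributed to the rule, incidents)."""
    stored, rule_events, incidents = [], [], []
    for ev in events:
        hit = next((d for d in drop_rules if d.matches(ev)), None)
        if hit and hit.action == "drop":
            continue                       # never reaches the database
        stored.append(ev)
        if hit:                            # log_db_only: kept, but not inspected
            continue
        if rule.matches(ev):               # exception list is applied here
            rule_events.append(ev)
            incidents.append((rule.name, ev.src))
    return stored, rule_events, incidents


# Constructed sample connections (documentation address ranges).
EVENTS = [
    Event("203.0.113.10", "192.0.2.25", 25),   # partner MX -> Exchange (legit)
    Event("198.51.100.20", "192.0.2.25", 25),  # second relay -> Exchange (legit)
    Event("192.0.2.77", "198.51.100.5", 25),   # workstation -> outside MX (suspect)
    Event("192.0.2.77", "198.51.100.5", 443),  # unrelated HTTPS, no rule applies
]
WORM_RULE = InspectionRule("Client Exploit - Mass Mailing Worm", dst_port=25)


def scenario_drop_rule(action="log_db_only"):
    """Drop rule covering one legit source; the second relay is NOT covered."""
    dr = DropRule(["203.0.113.0/24"], ["192.0.2.25/32"], 25, action)
    return process(EVENTS, [dr], WORM_RULE)


def scenario_exception():
    """No drop rule; both legit sources listed as '!=' exceptions instead."""
    rule = InspectionRule(WORM_RULE.name, 25,
                          src_exceptions=["203.0.113.0/24", "198.51.100.20/32"])
    return process(EVENTS, [], rule)


if __name__ == "__main__":
    for label, fn in (("drop rule", scenario_drop_rule),
                      ("exception", scenario_exception)):
        stored, rule_ev, inc = fn()
        print(f"{label}: stored={len(stored)} rule_events="
              f"{[e.src for e in rule_ev]} incidents={[s for _, s in inc]}")
```

In the drop-rule scenario the second relay still raises an incident because it was never added to the drop rule, which is the symptom of a rule that is simply incomplete; in the exception scenario the workstation is the only source left, and the legitimate relays produce neither incidents nor rule events.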
05-18-2009 12:39 PM
Btw, which version of MARS are you running?
There is a well-known bug in version 6.0.2 which causes drop rules to not function at all. There is a patch/fix available on CCO for this.
Regards
Farrukh
05-19-2009 12:42 AM
We are now running version 6.0.3, but were running 6.0.2 when the drop was initially created.
05-19-2009 11:55 AM
Please download the drop-rules patch from this link:
http://www.cisco.com/cgi-bin/tablebuild.pl/cs-mars-misc
For more details:
http://ciscomars.blogspot.com/
Regards
Farrukh
05-20-2009 04:35 AM
Thanks for all your help Farrukh.