Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

SMTP IPS block problem

I setup ID 3110 (suspicious mail attachment)to deny attacker inline thinking that nobody needs to send those type of attachments and it would cut down on virus's. Worked fine until today when someone internal tried to send one and the IPS blocked my internal smtp server from going to the internet. Is there a way of setting up execptions in the IPS so that my internal IP range is allways allowed access? Or is there a better way of doing this?

Thanks for the help.

1 REPLY
Gold

Re: SMTP IPS block problem

We've seen false positives with that signature, but YMMV...they've modified it recently so maybe it's fixed.

anyway, to answer your question...there are two ways to handle this.

1) Use an event filter to subtract the action from the alarm. The mail server source ip would part of the criteria in the filter. You might want to consider creating an event variable for your entire DMZ and creating an event filter that subtracts any of the "deny" actions if DMZ=source. See Event Action Rules->Even Action Filters in the IDM.

2) add the source ip or network to the "never block addresses". See Blocking->Blocking Properties in the IDM. I don't believe this works for actions that are "deny"...you'll need an event filter for those.

214
Views
0
Helpful
1
Replies