Mass Mailing Worm Alerts

Hi, I've created a drop rule for legitimate email traffic that is being reported as 'Mass Mailing Worm' incidents. My problem is that some of the source addresses I've added to the drop rule (log to database only) are still showing up as incidents. Can anyone help, please?

Kind Regards

Terry

7 REPLIES

Re: Mass Mailing Worm Alerts

Can you post more details about your configuration (drop rules).

Regards

Farrukh

Re: Mass Mailing Worm Alerts

Hi Farrukh

Source & Destination IPs: contain the correct IP info, i.e. known source IPs for incoming emails in the source column and a list of the Exchange server IPs in the destination column. Service Name: src port: any / dst port: 25 / proto: TCP. Event: Built/teardown/permitted IP connection. Device: ANY. Severity: ANY. Action: Log to DB only. Time-range: ANY. The drop rule status is active. If you need any more info, let me know.

Kind Regards

Terry

Re: Mass Mailing Worm Alerts

I handled this particular issue without using a drop rule because it was easier when reviewing logs. I simply changed the source IP in the "System Rule: Client Exploit - Mass Mailing Worm" from "ANY" to "!=".

So I don't know if this will work in your situation, but if you're only trying to exclude your mail servers, just list them all as exceptions in your inspection rule. You'll find that not only will those connections no longer trigger an incident, they will also not be logged as "mass mailing worm" events.

Re: Mass Mailing Worm Alerts

Btw, which version of MARS are you running?

There is a well-known bug in version 6.0.2 which causes drop rules to not function at all. There is a patch/fix available on CCO for this.

Regards

Farrukh

Re: Mass Mailing Worm Alerts

We are now running version 6.0.3, but were running 6.0.2 when the drop was initially created.

Re: Mass Mailing Worm Alerts

Please download the drop-rules patch from this link:

http://www.cisco.com/cgi-bin/tablebuild.pl/cs-mars-misc

For more details:

http://ciscomars.blogspot.com/

Regards

Farrukh

Re: Mass Mailing Worm Alerts

Thanks for all your help Farrukh.
