Cisco Support Community
Community Member

Strange alert on 3130: Mimail Virus

Looks like every time someone tries to send email with the virus to our mail server, we get two alerts on the IDS: one with the source IP of the attacker and one with the source IP of our email server.

I tried to enable IPLOG for this signature and got dumps of SMTP sessions. In both cases the sessions were initiated from the remote attacker (our mail server just ACKs the TCP transfers).

Cisco Employee

Re: Strange alert on 3130: Mimail Virus

Is this a version 3.x sensor?

Version 3.x did not track TCP session state and could not tell which direction a connection was being made. It would only look at the destination port of the packets. If the SMTP session has a source port of 25 and a destination port of 25, then a version 3.x sensor would fire twice because it would see the string destined to port 25 in both directions.

Version 4.x does have TCP session state tracking. So a version 4.x sensor can tell which machine is the client and which the server and will only alarm for traffic from the client to the server port 25.

If this is a version 4.x sensor or the traffic is not from port 25 to port 25, then there may be another explanation.

Is your mail server forwarding the mail to another server? If so then that could fire the alarm as well.
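The two matching behaviours described in the reply above, plus the relay case, as an added example that is not part of the original thread and is not Cisco sensor code. Packets, addresses and the `mimail` content pattern are all constructed for illustration (the real pattern behind signature 3130 is not given on the page). A port-only matcher fires on every data packet headed for port 25, so a 25-to-25 session whose reply happens to contain the string alarms in both directions; a client/server-aware matcher learns the client from the SYN and alarms once per delivery, but still alarms again, with the mail server as source, when that server relays the message onward.

```python
from collections import namedtuple

# Constructed packet model for this example; not a real capture format.
Packet = namedtuple("Packet", "src sport dst dport flags payload")

SMTP_PORT = 25
# Hypothetical content match; the actual pattern behind signature 3130 is not on the page.
PATTERN = b"mimail"


def port_only_alerts(packets):
    """3.x-style matching as described in the thread: no session state, so any
    data packet whose destination port is 25 and whose payload matches alarms,
    regardless of which side is the client. Returns (src, dst) per alarm."""
    return [(p.src, p.dst) for p in packets
            if p.dport == SMTP_PORT and PATTERN in p.payload.lower()]


def session_aware_alerts(packets):
    """4.x-style matching: record the client side from the SYN, then alarm only
    on client->server data toward the server port."""
    sessions = set()   # 4-tuples (client, cport, server, sport) that opened with a SYN
    alerts = []
    for p in packets:
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flags == "S" and p.dport == SMTP_PORT:
            sessions.add(key)
        elif key in sessions and PATTERN in p.payload.lower():
            alerts.append((p.src, p.dst))
    return alerts


# Constructed addresses (documentation ranges), not the poster's real hosts.
ATTACKER, MAILSERVER, NEXT_HOP = "203.0.113.5", "192.0.2.10", "198.51.100.7"

# Scenario A: attacker connects from source port 25 to our port 25. Constructed so
# that the server's reply also quotes the string, which is what lets a port-only
# matcher fire on both directions of the same connection.
SCENARIO_25_TO_25 = [
    Packet(ATTACKER, 25, MAILSERVER, 25, "S", b""),
    Packet(MAILSERVER, 25, ATTACKER, 25, "SA", b""),
    Packet(ATTACKER, 25, MAILSERVER, 25, "PA", b"Subject: MIMAIL attached\r\n"),
    Packet(MAILSERVER, 25, ATTACKER, 25, "PA", b"250 queued: MIMAIL attached\r\n"),
]

# Scenario B: normal delivery from an ephemeral port, after which our server relays
# the same message to the next hop (what the poster eventually found in the mail logs).
SCENARIO_RELAY = [
    Packet(ATTACKER, 40123, MAILSERVER, 25, "S", b""),
    Packet(MAILSERVER, 25, ATTACKER, 40123, "SA", b""),
    Packet(ATTACKER, 40123, MAILSERVER, 25, "PA", b"Subject: MIMAIL attached\r\n"),
    Packet(MAILSERVER, 25, ATTACKER, 40123, "PA", b"250 queued\r\n"),
    Packet(MAILSERVER, 51000, NEXT_HOP, 25, "S", b""),
    Packet(NEXT_HOP, 25, MAILSERVER, 51000, "SA", b""),
    Packet(MAILSERVER, 51000, NEXT_HOP, 25, "PA", b"Subject: MIMAIL attached\r\n"),
]

if __name__ == "__main__":
    for name, scenario in (("25->25", SCENARIO_25_TO_25), ("relay", SCENARIO_RELAY)):
        print(name, "port-only:", port_only_alerts(scenario))
        print(name, "session-aware:", session_aware_alerts(scenario))
```

In the relay scenario both matchers report two alarms, and the second one carries the mail server as its source address: that is a second, legitimate connection, not a misattributed direction on the first one.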

Community Member

Re: Strange alert on 3130: Mimail Virus

Thanks a lot,

I'll double check everything.

We're running 4.x sensors.

A few things:

1) I think a normal SMTP connection is from a port > 1024 to port 25 (not from 25 to 25). Am I right? Can it be a problem?

2) I enabled LOG for a signature on the sensor. IPLOG for our IP address shows communication from remote IP to our mailserver port 25 (attempt of remote server to send us a virus). But we have 2 alerts at the same time. Bug or feature?

Cisco Employee

Re: Strange alert on 3130: Mimail Virus

I am not familiar enough with SMTP to know what are the common ports used.

Can you paste in a copy of the alerts?

If you need to, you can mask the 2 addresses by changing the first 2 octets. The last 2 octets should be enough to properly detect traffic directions.

What I would look for is if this is 2 alarms on the same connection, or 2 alarms with 2 different connections between the same ips, or 2 alarms with an alarm for a connection to one ip and a second alarm for a connection to a different ip.

In addition, when you look at "show iplog-status", do you see an iplog for both the external address and your mail server?

You need to download and analyze both these iplogs to ensure you see both connections.
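The three-way distinction the reply above asks for (same connection, different connections between the same hosts, or connections to different hosts), as an added example that is not part of the original thread. The alert records are constructed dictionaries with the addresses and ports copied out of the alarms by hand; they do not follow any real sensor's alert format, and the addresses are documentation-range placeholders.

```python
def connection_key(alert):
    """Direction-independent connection identity: the two (address, port) endpoints
    as an unordered pair, so an alarm on each side of one session maps to one key."""
    return frozenset({(alert["src"], alert["sport"]), (alert["dst"], alert["dport"])})


def host_pair(alert):
    """Unordered pair of hosts, ignoring ports."""
    return frozenset({alert["src"], alert["dst"]})


def classify_pair(a, b):
    """Return which of the three cases two alarms fall into."""
    if connection_key(a) == connection_key(b):
        return "same connection"
    if host_pair(a) == host_pair(b):
        return "different connections between the same hosts"
    return "connections to different hosts"


def group_by_connection(alerts):
    """Bucket any number of alarms by connection, for reading a longer event list."""
    groups = {}
    for alert in alerts:
        groups.setdefault(connection_key(alert), []).append(alert)
    return groups


# Constructed alarms (not real sensor output) for the cases discussed in the thread.
ATTACKER, MAILSERVER, NEXT_HOP = "203.0.113.5", "192.0.2.10", "198.51.100.7"

INBOUND = {"src": ATTACKER, "sport": 40123, "dst": MAILSERVER, "dport": 25}
# Reverse direction of INBOUND, as a direction-confused sensor might report it.
INBOUND_REVERSED = {"src": MAILSERVER, "sport": 25, "dst": ATTACKER, "dport": 40123}
# Second delivery attempt from the same attacker on a new source port.
INBOUND_AGAIN = {"src": ATTACKER, "sport": 40124, "dst": MAILSERVER, "dport": 25}
# Our mail server relaying the message onward to another server.
RELAY = {"src": MAILSERVER, "sport": 51000, "dst": NEXT_HOP, "dport": 25}

if __name__ == "__main__":
    print(classify_pair(INBOUND, INBOUND_REVERSED))
    print(classify_pair(INBOUND, INBOUND_AGAIN))
    print(classify_pair(INBOUND, RELAY))
    print(len(group_by_connection([INBOUND, INBOUND_REVERSED, INBOUND_AGAIN, RELAY])))
```

When the pair comes back as "connections to different hosts" with the mail server as the source of the second alarm, the next place to look is the mail server's own log for an outbound relay of the same message, which is what the poster found.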

Community Member

Re: Strange alert on 3130: Mimail Virus

Thanks a lot,

I checked the mail server log files and found that the server tried to relay the infected messages to the appropriate destination (a valid operation; no virus check in transit, only at the destination).

Thanks a lot for your help!
