Netsky and IDS Sensor

elioalvarado
Level 1

Hello!

My question concerns the NetSky virus and the way in which the IDS sensor stops it. The IDS sensor detects it in the reports it generates, but I want to know whether it prevents the complete mail and the virus file from arriving, or whether it removes only the virus file?

Thanks and Greetings!

3 Replies

a.arndt
Level 3

I’m going to assume from your post that you are discussing Cisco IDS SigID 3136 (Netsky Virus Activity).

Now, to paraphrase your question, you want to know what action is taken against these attachments when they are detected by the IDS?

The short answer is none. Using Cisco IDS 4.1, the default settings for SigID 3136 are basically to “alarm and notify.” In effect, nothing happens to either the e-mail message or the attachment. The message containing the attachment will be delivered to the target SMTP server as per normal.

Now if you did want something done with the attachment, Cisco IDS (in its current version anyway) is not the tool to do this. Even if you were to configure the “active response” options for SigID 3136 (TCP reset or IP Block), all it would do is either reset the connection between the two IP addresses, or block the source IP via an appropriately configured Cisco router or PIX firewall.

So, Cisco IDS could block the e-mail by resetting the TCP connection between the source IP and the target SMTP server (though this is not guaranteed), or it can block the source IP via an appropriately configured router or PIX firewall. In both cases, the entire e-mail will be affected. However, the default behaviour for SigID 3136 will have no impact on either the e-mail transfer or the infected attachment.

I hope this helps,

Alex Arndt

Thanks for your help ! it is clear !

Greetings !!

I know that you have already indicated that Alex’s answer is "clear", but I have some additional information to offer.

I tried to search and find this past post on the IDS forum so that I could refer you to it, but couldn’t for some reason. The post was entitled “MyDoom Virus and Blocking” and covered the subject of blocking with regards to a well known email virus, and would have been good reading if I could have found it; however, the best section of the post was from mcerha of Cisco Systems Inc and read as follows:

Jan 28, 2004, 9:04am PST

Blocking viruses with your firewall is a bad idea in general. First, it can result in legitimate email getting blocked if you block all traffic from the source. Also, SMTP servers are very diligent about trying to deliver mail. They will periodically retry sending an email until it gets through. So, you might remove a block only to have it get through again later. Your assumption about the initial virus getting through is also most likely correct. Using TCP resets suffers from the same problems. The best defense against these types of threats is to update and use anti-virus software on your incoming and outgoing email gateways. The signatures we provide for these types of signatures are really best utilized to detect hosts that are already infected with the virus.

The post received a Rating: 5.0 (1 vote)
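The two replies above draw one distinction: an alarm-only IDS signature such as SigID 3136 reports the message but the SMTP data reaches the mail server unchanged, whereas a mail gateway (the anti-virus gateway mcerha recommends) can actually remove the attachment and still deliver the rest of the message. The script below is an added example written for this thread, not Cisco code and not a description of how SigID 3136 matches; it builds a constructed worm-style message with Python's standard `email` module, runs a passive "alert only" pass over it, then runs a gateway-style strip. The attachment name `document.pif`, its bytes, and the executable-extension rule are assumptions for illustration.

```python
"""Alarm-only IDS versus attachment-stripping mail gateway (added example).

Constructed sample data throughout: the message, the attachment name and
its bytes are made up. The extension list is an assumed detection rule,
not the logic of Cisco SigID 3136.
"""
import email
from email import policy
from email.message import EmailMessage

# Assumed rule: flag attachments whose file name has an executable extension.
SUSPICIOUS_EXTENSIONS = (".pif", ".scr", ".exe", ".com", ".bat")


def build_sample_message() -> bytes:
    """Constructed worm-style message: short lure text plus a .pif attachment."""
    msg = EmailMessage()
    msg["From"] = "someone@example.org"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Re: your document"
    msg.set_content("Please read the attached file.")
    msg.add_attachment(b"MZ\x90\x00fake-worm-payload",  # made-up bytes
                       maintype="application", subtype="octet-stream",
                       filename="document.pif")
    return msg.as_bytes()


def suspicious_attachments(raw: bytes) -> list:
    """Return the names of attachments that match the assumed rule."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [part.get_filename() for part in msg.iter_attachments()
            if (part.get_filename() or "").lower().endswith(SUSPICIOUS_EXTENSIONS)]


def ids_passive(raw: bytes):
    """Alarm-only IDS behaviour: emit alerts, forward the bytes untouched."""
    alerts = ["ALERT suspicious attachment: %s" % n for n in suspicious_attachments(raw)]
    return alerts, raw  # the message the SMTP server receives is identical


def gateway_strip(raw: bytes):
    """Gateway behaviour: rebuild the message without the flagged attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed = suspicious_attachments(raw)

    clean = EmailMessage()
    # Copy envelope headers; MIME/Content-* headers are regenerated below.
    for name, value in msg.items():
        if not name.lower().startswith(("content-", "mime-")):
            clean[name] = str(value)

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if removed:
        text += "\n[gateway removed attachment(s): %s]\n" % ", ".join(removed)
    clean.set_content(text)

    # Re-attach only the parts that did not match the rule.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(SUSPICIOUS_EXTENSIONS):
            continue
        clean.add_attachment(part.get_content(),
                             maintype=part.get_content_maintype(),
                             subtype=part.get_content_subtype(),
                             filename=name)
    return removed, clean.as_bytes()


if __name__ == "__main__":
    raw = build_sample_message()
    alerts, delivered = ids_passive(raw)
    print(alerts, "delivered unchanged:", delivered == raw)
    removed, cleaned = gateway_strip(raw)
    print("removed:", removed, "still suspicious:", suspicious_attachments(cleaned))
```

The passive pass is the point of Alex's answer: the alert fires, but `delivered == raw` and the attachment is still there for the recipient to open. Only the gateway pass, which sits in the SMTP path and rewrites the MIME structure, gives the outcome the original question asked about.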
