07-10-2018 12:54 AM - edited 03-08-2019 03:37 PM
I am new to IronPort management.
For the last 12 hours I have been getting the following warning:
Potential Directory Harvest Attack detected. See the system mail logs for more information about this attack.
Version: 11.1.0-128
Serial Number: 564DA1C84C7E64303E18-53FE25D3BF80
Timestamp: 10 Jul 2018 13:06:30 +0600
Can you please tell me what I should look for in the mail log?
Waiting for a suggestion.
07-10-2018 08:16 AM
07-12-2018 08:27 AM - edited 07-13-2018 09:29 PM
Too many warning messages. Every hour I am getting this warning. I hope IronPort isn't compromised. Is there anything else I can do to control this with IronPort?
07-16-2018 09:06 AM
01-26-2020 04:54 AM
Is there a way to find out the sender of that attack?
10-28-2022 10:26 AM
Hello, the following article will help you identify the sending host which is triggering the DHAP alert.
The entries that describe the DHAP event reside in the mail logs. Here is an example mail log entry when DHAP occurs:
Tue Oct 18 00:25:35 2005 Warning: LDAP: Dropping connection due to potential Directory
Harvest Attack from host=(192.168.10.1', None), dhap_limit=4, sender_group=SUSPECTLIST
Enter this query into the CLI in order to view the mail logs:
myesa.local> grep "dhap_limit=" mail_logs
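To go with the reply above, here is an added example (not part of the original post and not Cisco code) that tallies DHAP drops per sending host from mail log text exported off the appliance. The function name `summarize_dhap` and the sample log lines are assumptions constructed for illustration; the entry format follows the example entry quoted in the reply.

```python
import re
from collections import Counter

# Matches the DHAP warning quoted above. \s+ tolerates an entry wrapped across
# two lines, and the quotes around the address are treated as optional.
DHAP_RE = re.compile(
    r"Directory\s+Harvest\s+Attack\s+from\s+host=\(\s*'?(?P<host>[^',\s)]+)'?"
    r"\s*,[^)]*\),\s*dhap_limit=(?P<limit>\d+),\s*sender_group=(?P<group>\w+)"
)


def summarize_dhap(log_text):
    """Return [(host, sender_group, dhap_limit, drops)], most drops first."""
    counts = Counter()
    for m in DHAP_RE.finditer(log_text):
        counts[(m["host"], m["group"], int(m["limit"]))] += 1
    return [(h, g, lim, n) for (h, g, lim), n in counts.most_common()]


# Constructed sample data (documentation-range addresses), not real logs.
SAMPLE_LOG = """\
Tue Jul 10 13:01:12 2018 Warning: LDAP: Dropping connection due to potential Directory Harvest Attack from host=('192.0.2.10', None), dhap_limit=4, sender_group=SUSPECTLIST
Tue Jul 10 13:01:15 2018 Info: MID 2001 queued for delivery
Tue Jul 10 14:02:40 2018 Warning: LDAP: Dropping connection due to potential Directory
Harvest Attack from host=('192.0.2.10', None), dhap_limit=4, sender_group=SUSPECTLIST
Tue Jul 10 14:30:05 2018 Warning: LDAP: Dropping connection due to potential Directory Harvest Attack from host=('198.51.100.7', None), dhap_limit=25, sender_group=UNKNOWNLIST
"""

if __name__ == "__main__":
    for host, group, limit, drops in summarize_dhap(SAMPLE_LOG):
        print(f"{host:<15} group={group:<12} dhap_limit={limit:<3} drops={drops}")
```

A host that keeps reappearing at the top of this summary is the one to review against the sender group and mail flow policy named in its log entries.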