Multicast IP 224.0.0.251 on IP Watchlist for Static Global Intelligence Network (GIN) content seq 2011120601

Article:TECH176874  |  Created: 2011-12-14  |  Updated: 2011-12-14  |  Article URL http://www.symantec.com/docs/TECH176874
Article Type
Technical Solution



Issue



Incidents are created by the IP Watchlist rule when a multicast address appears (as a source or destination) in events in the Symantec Security Information Manager (SSIM) correlation engine.


Environment



This occurs when using static content (LiveUpdate) from the Global Intelligence Network, sequence 2011120601.


Solution



This happens from time to time. It is the result of an automated mechanism on the DeepSight side, whose algorithm has to do with X number of clients reporting an address within a Y timespan.
 

The IP 224.0.0.251 was reported on the BotNet list a number of times.

The workaround is to use the whitelist feature in the SSIM lookup tables. See the "IP Whitelist Table" table.
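
224.0.0.251 is the link-local multicast address used by mDNS, so events to or from it are normal on most LANs and an IP watchlist entry for it will keep firing. The following is an added example, not Symantec code or part of the original article: it scans watchlist entries for multicast and other special-purpose ranges and lists them as candidates for the IP Whitelist Table. The one-entry-per-line input and the sample entries are constructed, and the output is a plain list, not an SSIM file format.

```python
import ipaddress

# Special-purpose ranges that cannot identify one remote Internet host.
SPECIAL = [(label, ipaddress.ip_network(cidr)) for label, cidr in [
    ("multicast", "224.0.0.0/4"), ("multicast", "ff00::/8"),
    ("limited-broadcast", "255.255.255.255/32"),
    ("link-local", "169.254.0.0/16"), ("loopback", "127.0.0.0/8"),
    ("private", "10.0.0.0/8"), ("private", "172.16.0.0/12"),
    ("private", "192.168.0.0/16"),
]]

# Constructed sample entries (documentation ranges), not real GIN content.
SAMPLE_WATCHLIST = """\
224.0.0.251
198.51.100.23
239.255.255.250
10.1.2.3
203.0.113.0/24
169.254.10.20
not-an-ip
"""

def classify(entry):
    """Return a reason label if the entry should not be on a watchlist, else None."""
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return "unparseable"
    for label, special in SPECIAL:
        # overlaps() also catches a watchlist CIDR that merely covers the range
        if net.overlaps(special):
            return label
    return None

def vet_watchlist(text):
    """Split watchlist text into (kept entries, [(entry, reason), ...] flagged)."""
    kept, flagged = [], []
    for line in text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        reason = classify(entry)
        if reason:
            flagged.append((entry, reason))
        else:
            kept.append(entry)
    return kept, flagged

if __name__ == "__main__":
    for entry, reason in vet_watchlist(SAMPLE_WATCHLIST)[1]:
        print(f"whitelist candidate: {entry} ({reason})")
```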






