Multicast IP 184.108.40.206 on IP Watchlist for Static Global Intelligence Network (GIN) content seq 2011120601
|Article:TECH176874|||||Created: 2011-12-14|||||Updated: 2011-12-14|||||Article URL http://www.symantec.com/docs/TECH176874|
Incidents are created for the IP Watchlist rule with Multicast address (as a Source or Destination) showing up in events in Symantec Security Information Manager (SSIM) correlation engine.
This is happening with using Static content (LiveUpdate) from Global Intelligence Network. Sequence 2011120601.
This happens from time to time, this is an automated mechanism with some algorithm on the DeepSight side, having to do with X number of clients reporting it in Y timespan.
The IP 220.127.116.11 was reported on the BotNet list a number of times.
The workaround is to use the White list feature in the SSIM lookup table. See "IP Whitelist Table" table.
Article URL http://www.symantec.com/docs/TECH176874