Multicast IP on IP Watchlist for Static Global Intelligence Network (GIN) content seq 2011120601

Article:TECH176874  |  Created: 2011-12-14  |  Updated: 2011-12-14  |  Article URL
Article Type
Technical Solution



Incidents are created for the IP Watchlist rule with Multicast address (as a Source or Destination) showing up in events in Symantec Security Information Manager (SSIM) correlation engine.


This is happening with using Static content (LiveUpdate) from Global Intelligence Network. Sequence 2011120601.


This happens from time to time, this is an automated mechanism with some algorithm on the DeepSight side, having to do with X number of clients reporting it in Y timespan.

The IP was reported on the BotNet list a number of times.

The workaround is to use the White list feature in the SSIM lookup table. See "IP Whitelist Table" table.

Article URL

Terms of use for this information are found in Legal Notices