Morning everyone. I have a question for the crew:
We are currently fighting a CryptoMining malware attack on one of our servers. In the process of fighting it and adding rules to the firewall to block IPs/ports, I noticed that on the Threat Protection page there is a series of Whitelisted Rules under Intrusion Detection and Prevention. I did not configure this MX, but I am responsible for it now due to a former co-worker's termination.
I am trying to determine why these rules are whitelisted and what that means in terms of analyzing traffic. To me, when an item is whitelisted, that generally means it is allowed to come through, but based on the names of these rules, it appears that the traffic should be blocked instead. Here are some rule names:
- Exploit-Kit Magnitude exploit kit embedded redirection attempt
- Server-Webapp DrayTek Multiple command injection attempt
- Server-Webapp Zeroshell Linux Router command injection attempt
Will traffic related to these whitelisted rules bypass security, or do these rules serve some other purpose? The documentation I read didn't really provide much of an explanation of behavior.
Should I leave these rules, or delete them? My concern is they were added by two former employees who are no longer with the company.
Thanks for any help you can offer.
Twitch