I use some of the preconfigured alarms in McAfee ESM, specifically IPS CHECK NORM EXPLOIT, which seems to work very well. Now, however, a VA service has been started by an external company that performs a scan in a specific time slot. What I would like to do is exclude that IP only in the hours from which the VA is scheduled. I created a correlation rule where I filter TIME OF DAY XX: XX and SOURCE IP (L'ip del VA). I then added the signature ID to the IPS CHECK NORM EXPLOIT alarm. In your opinion could it work? I inserted the filter on the signature with the logical operator AND.
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.
Community Help Hub
New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.