Level 9
Message 11 of 29

Re: Anomaly rule brute force scanning activity

Please see the evidence that the rule engine is "enabled".

rule engine.PNG

Re: Anomaly rule brute force scanning activity

"Any source to single destination port 443, with a threshold = 100 events in one minute"

Based on the signature ID that you have you can customize your alarm to fit your needs.

Note:

The result that shows 2000+ events in a minute in your reply is at time 05/20/2016 04:32:27 (event count = 2708), with a Rule message which describes the Signature ID that you specified.

So please customize the time interval correctly to be (05/20/2016 04:31:27 - 04:32:27) in the event distribution dashboard.

From the rule you can create your alarm and customize it to fit your needs.

So you have the choice whether to:

1- Create a correlation rule and, based on it, create an alarm, or

2- Create an alarm based on a rule.

Level 9
Message 13 of 29

Re: Anomaly rule brute force scanning activity

bad rule.PNG

I changed it. I have been working for 1 month on a single correlation rule. I know traffic is coming in, but events are not properly processed in the pipeline of the correlation engine. It's corrupt.

McAfee Employee
Message 14 of 29

Re: Anomaly rule brute force scanning activity

Your last screenshot shows a sequence correlation rule, which is completely different from the use-case you described at the start of this thread.

Level 9
Message 15 of 29

Re: Anomaly rule brute force scanning activity

So, what is stopping me from using a component rule? What effect does it have on the logic?

McAfee Employee
Message 16 of 29

Re: Anomaly rule brute force scanning activity

I recommend you test the correlation rule depicted in the picture I posted on 19 May, using a threshold of 1 event in 10 minutes.

Level 10
Message 17 of 29

Re: Anomaly rule brute force scanning activity

Check your 'Group By' setting; I suspect you may want to group by Destination IP? At present you are looking at brute force from a single source IP, and it's quite possible none of your individual sources are getting up to that level. You can also scale the number back to verify that the rule will trigger and, once you have confirmed that, ramp it up again.

Level 9
Message 18 of 29

Re: Anomaly rule brute force scanning activity

I have tried thousands of times but it just won't work :(. I will group it by "destination ip". Getting up to that level is bizarre, since when I put 1 in 10 minutes it still won't match.

Level 10
Message 19 of 29

Re: Anomaly rule brute force scanning activity

Your Event list in a previous post shows events aggregated (presumably using the default?) by Source and Destination IP. The values in there are all lower than 100 and I would suspect that your download frequency is greater than 1 minute. So individual source IPs probably aren't getting up to 100 in a minute.
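To make the grouping point concrete, here is an added example (not from the thread or from McAfee ESM) that models the rule "any source to a single destination on port 443, 100 events in one minute" over a constructed, aggregated event list. The sample timestamps, IPs and event counts are made up; it shows why grouping by source never reaches the threshold while grouping by destination does, and why a 1-in-10-minutes threshold fires for every source.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of aggregated event records (hypothetical, not ESM output).
# Each record is (timestamp, src_ip, dst_ip, dst_port, event_count); event_count
# models aggregation, where one record stands for several identical raw events,
# so the rule must sum the counts rather than count records.
SAMPLE_EVENTS = [
    (datetime(2016, 5, 20, 4, 31, 30), "10.0.0.1", "192.0.2.10", 443, 30),
    (datetime(2016, 5, 20, 4, 31, 45), "10.0.0.2", "192.0.2.10", 443, 30),
    (datetime(2016, 5, 20, 4, 32, 0),  "10.0.0.3", "192.0.2.10", 443, 30),
    (datetime(2016, 5, 20, 4, 32, 10), "10.0.0.4", "192.0.2.10", 443, 30),
    (datetime(2016, 5, 20, 4, 32, 20), "10.0.0.5", "192.0.2.10", 443, 30),
    (datetime(2016, 5, 20, 4, 40, 0),  "10.0.0.1", "192.0.2.10", 443, 30),  # later, outside the 1-min window
    (datetime(2016, 5, 20, 4, 32, 5),  "10.0.0.6", "192.0.2.11", 80, 500),  # not port 443, ignored
]


def peak_window_count(events, group_by, window, dst_port=443):
    """Return {key: highest event total seen in any sliding window} for the
    chosen grouping field ('src' or 'dst'), counting only dst_port traffic."""
    idx = {"src": 1, "dst": 2}[group_by]
    per_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        if ev[3] == dst_port:
            per_key[ev[idx]].append((ev[0], ev[4]))
    peaks = {}
    for key, recs in per_key.items():
        best, start, total = 0, 0, 0
        for ts, n in recs:
            total += n
            while ts - recs[start][0] >= window:  # slide the window forward
                total -= recs[start][1]
                start += 1
            best = max(best, total)
        peaks[key] = best
    return peaks


def rule_fires(events, group_by, threshold=100, window=timedelta(minutes=1)):
    """Keys whose peak count inside one window reaches the rule threshold."""
    peaks = peak_window_count(events, group_by, window)
    return sorted(k for k, n in peaks.items() if n >= threshold)


if __name__ == "__main__":
    print("by src:", rule_fires(SAMPLE_EVENTS, "src"))   # []
    print("by dst:", rule_fires(SAMPLE_EVENTS, "dst"))   # ['192.0.2.10']
```

With the same data, five sources each sending 30 events peak at 30 per source, while the destination sees 150 in the same minute.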

Level 9
Message 20 of 29

Re: Anomaly rule brute force scanning activity

Let me explain the context: I'm using an nmap script to do brute force on a page. I have seen in streaming view and "default dashboard event distribution" that I'm getting at least 20 min events in a minute. Yes, by dynamic aggregation rule it does aggregation on src, dst ip and event name.. You are saying I turn off aggregation?
