Bug in Correlation Engine with variables ???


I have a correlation rule that seems not to be working correctly. I am looking for IPs not in External_Net, but the rule is triggering the opposite. If I filter for events with source IP in External_Net it shows the rules also. Where is the bug? The External_Net is defined as !Home_Net, where Home_Net=10.64.0.0/16. I have seen that the rules are not triggering correctly when variables are being used like this one. Is there a workaround? Is there a known bug, or am I doing something wrong?

[Attachment: Bug_correlation engine.PNG]

1 Solution

Accepted Solutions
McAfee Employee lpinheir
Message 16 of 17

Re: Bug in Correlation Engine with variables ???

If you have already configured your Local Network setting, I recommend you use the context instead of the variables such as EXTERNAL or INTERNAL_NET.

Examples of Context:
Context (In) [Internal to Internal]
Context (In) [Internal to External]
Context (In) [External to Internal]
Context (In) [External to External]

Answering your second question related to inherit, I believe that you are seeing the rule at Correlation Engine Level. If you want to change the overall setting, you should change this value at the root policy. (Local ESM/Physical Display)

But as I said, try to work with context instead, this setting will respect your Local Network setting.

Lucas


16 Replies
Reliable Contributor David1111
Message 2 of 17

Re: Bug in Correlation Engine with variables ???

Hi, 

Before blaming the Correlation Engine, I would check the value you entered in the External_Net variable.

Best Regards 👍👍👍

David.

Re: Bug in Correlation Engine with variables ???

The External_Net is defined as !Home_Net.

McAfee Employee lpinheir
Message 4 of 17

Re: Bug in Correlation Engine with variables ???

Could you send us a screenshot of your Correlation Rule?

Cheers

Lucas

Re: Bug in Correlation Engine with variables ???

[Attachment: correlation_rule.PNG]

Reliable Contributor brenta
Message 6 of 17

Re: Bug in Correlation Engine with variables ???

Is it possible that this matched the other condition?

OR and AND operators are not exactly the same as you would think from a programming language. They are more commonly used for correlation (where you are looking for more than one event). Think of them as one event needing to match one of the conditions inside the OR. Conversely, if that OR was changed to an AND, you must have at minimum 2 packets for this rule to fire, and since there is no grouping, it would never fire.

Brent

Re: Bug in Correlation Engine with variables ???

It can be seen in the first picture that it matched the first condition. I know that the logic for AND and OR is not the same as in programming. But even though the rule matches the first criteria within the OR gate, it needs then to match all the criteria specified there. I have the same issue with other rules, too. Even if in the rule I say NOT IN a watchlist, it still triggers for the events in the watchlist. It doesn't make sense.

Reliable Contributor brenta
Message 8 of 17

Re: Bug in Correlation Engine with variables ???

Ok, if we are only concerned about the first condition in the OR, can you remove the second one, do a policy rollout and give us a screenshot of the correlated events?

This way we are eliminating any other side effects.

And technically, you could make 2 different correlation rules, one for each condition, this way you know what one triggered the events. The net result would be the same, except you have a better idea as to what is going on. Since watchlists and variables can change over time, it might not always be obvious at a later date what rule items matched.

Brent

Re: Bug in Correlation Engine with variables ???

I have modified the rule as suggested and it still doesn't work.

I have filtered source IP by External_Net. It shows only the IPs from External_Net. But the rule should filter out the IPs from External_Net. It is contradictory! It makes no sense.

Still not working!!!

[Attachments: new_correlation_rule.PNG, Capture.PNG]

Reliable Contributor brenta
Message 10 of 17

Re: Bug in Correlation Engine with variables ???

I took a closer look at your screenshot.

I can't see what correlated event you have selected, but I see them all with empty "Source User." To me this indicated that your bottom filter will always match, assuming "DC10DNSEff11" is in the watchlist "PS_DNS-EffIP_hosts." What version are you running? I know there was an issue with correlation details at some point in time.

Brent
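The two points Brent raises in this thread, that an OR gate fires when a single event matches any one of its conditions, and that an empty Source User makes a "NOT IN watchlist" condition match vacuously so the second condition always fires, can be checked with a small model of the rule. The following is an added example written for this page; it is not McAfee ESM code and does not claim to reproduce the engine's real evaluation logic. The variable definitions (Home_Net = 10.64.0.0/16, External_Net = !Home_Net), the watchlist name PS_DNS-EffIP_hosts and the host DC10DNSEff11 come from the thread; the exact shape of the two conditions, the watchlist membership, the sample events and the empty-field semantics are assumptions.

```python
"""Toy model of a two-condition correlation rule, built to reproduce the
behaviour discussed in the thread.  Constructed example, not ESM code."""
import ipaddress

# Variables as the original poster defined them.
HOME_NET = [ipaddress.ip_network("10.64.0.0/16")]

# Watchlist named in the thread; membership of DC10DNSEff11 is assumed.
WATCHLISTS = {"PS_DNS-EffIP_hosts": {"DC10DNSEff11"}}

# Assumed rule: (field, operator, variable-or-watchlist), joined by an OR gate.
RULE = [
    ("src_ip", "NOT IN", "External_Net"),
    ("src_user", "NOT IN", "PS_DNS-EffIP_hosts"),
]

# Constructed events: an external source with no Source User (as in the
# screenshot Brent describes) and an internal source with a known user.
EXTERNAL_EVENT = {"src_ip": "203.0.113.7", "src_user": ""}
INTERNAL_EVENT = {"src_ip": "10.64.5.5", "src_user": "DC10DNSEff11"}


def in_home_net(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def in_external_net(ip: str) -> bool:
    # Literal reading of "External_Net is defined as !Home_Net".
    return not in_home_net(ip)


def condition_matches(event: dict, cond: tuple,
                      empty_field_matches_not_in: bool = True) -> bool:
    """Evaluate one condition against one event.

    With empty_field_matches_not_in=True an empty Source User is "not in"
    any watchlist, so NOT IN is satisfied vacuously (Brent's hypothesis).
    With False an empty field can never satisfy NOT IN (hardened reading).
    """
    field, op, target = cond
    value = event.get(field, "")
    if field == "src_ip":
        member = in_external_net(value) if target == "External_Net" else in_home_net(value)
    else:
        member = value in WATCHLISTS[target]
    if op == "IN":
        return member
    if value == "" and not empty_field_matches_not_in:
        return False
    return not member


def matched_conditions(event: dict, conditions: list, **kw) -> list:
    """Indexes of the conditions this single event satisfies; this is the
    information Brent suggests recovering by splitting the rule in two."""
    return [i for i, c in enumerate(conditions) if condition_matches(event, c, **kw)]


def rule_fires(event: dict, conditions: list, gate: str = "OR", **kw) -> bool:
    """OR: one event matching any condition fires the rule.
    AND: every condition must be matched (by this one event, in the toy model)."""
    hits = matched_conditions(event, conditions, **kw)
    return len(hits) > 0 if gate == "OR" else len(hits) == len(conditions)


if __name__ == "__main__":
    for name, ev in [("external", EXTERNAL_EVENT), ("internal", INTERNAL_EVENT)]:
        print(name, "vacuous NOT IN:", matched_conditions(ev, RULE),
              "fires:", rule_fires(ev, RULE))
        print(name, "empty field never matches NOT IN:",
              matched_conditions(ev, RULE, empty_field_matches_not_in=False),
              "fires:", rule_fires(ev, RULE, empty_field_matches_not_in=False))
```

Run as written, the external event fires the rule only through the second condition, which is exactly the symptom reported in the thread: the IP condition is false, yet the OR gate fires because the empty Source User is trivially "not in" the watchlist. Splitting the rule into one rule per condition, as suggested above, makes that visible in the correlated events; in this model the same information comes from `matched_conditions`.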