cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cristianradu
Level 8
Report Inappropriate Content
Message 11 of 17
‎05-17-2019 07:38 AM

Re: Bug in Correlation Engine with variables ???

Jump to solution
I have removed the bottom filter. I have now only the top one. The host "DC10DNSEff11" is in the watchlist "PS_DNS-EffIP_hosts".
0 Kudos
Reply
brenta
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 12 of 17
‎05-17-2019 07:54 AM

Re: Bug in Correlation Engine with variables ???

Jump to solution

Can you verify the HOME_NET variable is not overridden inside the policy tree, and set to inherit your values down to the correlation engine?

Brent
0 Kudos
Reply
cristianradu
Level 8
Report Inappropriate Content
Message 13 of 17
‎05-20-2019 12:12 AM

Re: Bug in Correlation Engine with variables ???

Jump to solution

How can I verify that the HOME_NET variable is not overridden? It was not set to inherit.

inherit.PNG

0 Kudos
Reply
lpinheir
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 14 of 17
‎05-20-2019 08:25 PM

Re: Bug in Correlation Engine with variables ???

Jump to solution

If you already have configurated your Local Network setting, so I recommend you to use the context instead of the variables as EXTERNAL OR INTERNAL_NET.

Examples of Context:
Context (In) [Internal to Internal]
Context (In) [Internal to External]
Context (In) [External to Internal]
Context (In) [External to External]

Answering your second question related to inherit, I believe that you are seeing the rule at Correlation Engine Level. If you want to change the overall setting, you should change this value at the root policy. (Local ESM/Physical Display)

But as I said, try to work with context instead, this setting will respect your Local Network setting.

Lucas

0 Kudos
Reply
cristianradu
Level 8
Report Inappropriate Content
Message 15 of 17
‎05-20-2019 12:28 AM

Re: Bug in Correlation Engine with variables ???

Jump to solution
I configured the local network under ESM Management, local network. When I configure the HOME_NET variable and select Inherit, it is overwritten by the inherited value and goes to "any". How can I change that?
0 Kudos
Reply
lpinheir
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 16 of 17
‎05-20-2019 08:27 PM

Re: Bug in Correlation Engine with variables ???

Jump to solution
If you already have configurated your Local Network setting, so I recommend you to use the context instead of the variables as EXTERNAL OR INTERNAL_NET.

Examples of Context:
Context (In) [Internal to Internal]
Context (In) [Internal to External]
Context (In) [External to Internal]
Context (In) [External to External]

Answering your second question related to inherit, I believe that you are seeing the rule at Correlation Engine Level. If you want to change the overall setting, you should change this value at the root policy. (Local ESM/Physical Display)

But as I said, try to work with context instead, this setting will respect your Local Network setting.

Lucas
Reply
lpinheir
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 17 of 17
‎05-17-2019 09:53 AM

Re: Bug in Correlation Engine with variables ???

Jump to solution

Just in case, have you configurated the Local Network Settings?

You can configure "home net" in 2 places, that is the variable in the policy editor and the Homenet called Local Network that is a "setting".

Any IP addresses into Local Networks is considered "internal".   This is used for many correlation rules context. 

To configure Local Network:

  • Open the System Properties
  • Select Network Settings and click Local Network -> Setup
  • Enter the IP ranges that define your internal network.  Local Network is defined as a comma-separated list of IP addresses and/or IP ranges.  Click OK to save.

Lucas

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com for Enterprise

Legal   |   Privacy   |   Copyright © 2021 Musarubra US LLC