cancel
Showing results for 
Search instead for 
Did you mean: 

Re: Bug in Correlation Engine with variables ???

Jump to solution
I have removed the bottom filter. I have now only the top one. The host "DC10DNSEff11" is in the watchlist "PS_DNS-EffIP_hosts".
brenta Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 12 of 17

Re: Bug in Correlation Engine with variables ???

Jump to solution

Can you verify the HOME_NET variable is not overridden inside the policy tree, and set to inherit your values down to the correlation engine?

Brent

Re: Bug in Correlation Engine with variables ???

Jump to solution

How can I verify that the HOME_NET variable is not overridden? It was not set to inherit.

inherit.PNG

lpinheir McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 14 of 17

Re: Bug in Correlation Engine with variables ???

Jump to solution

If you already have configurated your Local Network setting, so I recommend you to use the context instead of the variables as EXTERNAL OR INTERNAL_NET.

Examples of Context:
Context (In) [Internal to Internal]
Context (In) [Internal to External]
Context (In) [External to Internal]
Context (In) [External to External]

Answering your second question related to inherit, I believe that you are seeing the rule at Correlation Engine Level. If you want to change the overall setting, you should change this value at the root policy. (Local ESM/Physical Display)

But as I said, try to work with context instead, this setting will respect your Local Network setting.

Lucas

Re: Bug in Correlation Engine with variables ???

Jump to solution
I configured the local network under ESM Management, local network. When I configure the HOME_NET variable and select Inherit, it is overwritten by the inherited value and goes to "any". How can I change that?
lpinheir McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 16 of 17

Re: Bug in Correlation Engine with variables ???

Jump to solution
If you already have configurated your Local Network setting, so I recommend you to use the context instead of the variables as EXTERNAL OR INTERNAL_NET.

Examples of Context:
Context (In) [Internal to Internal]
Context (In) [Internal to External]
Context (In) [External to Internal]
Context (In) [External to External]

Answering your second question related to inherit, I believe that you are seeing the rule at Correlation Engine Level. If you want to change the overall setting, you should change this value at the root policy. (Local ESM/Physical Display)

But as I said, try to work with context instead, this setting will respect your Local Network setting.

Lucas

View solution in original post

lpinheir McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 17 of 17

Re: Bug in Correlation Engine with variables ???

Jump to solution

Just in case, have you configurated the Local Network Settings?

You can configure "home net" in 2 places, that is the variable in the policy editor and the Homenet called Local Network that is a "setting".

Any IP addresses into Local Networks is considered "internal".   This is used for many correlation rules context. 

To configure Local Network:

  • Open the System Properties
  • Select Network Settings and click Local Network -> Setup
  • Enter the IP ranges that define your internal network.  Local Network is defined as a comma-separated list of IP addresses and/or IP ranges.  Click OK to save.

Lucas

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community