dindsy
Level 7
Message 1 of 6

Filter advice

Hi,

I need to create a filter to block ARP: MAC address Flip-Flop, but I want to do it for only a small number of IPs.

I know the source creating the alert and I can't stop that so I want to filter these messages.

I am not good with filters and have created a few basic ones where there is an obvious content string I can filter on, but this seems a bit more specific.

Any advice would be good.

Thanks

5 Replies
xded
Level 12
Message 2 of 6

Re: Filter advice

Put all data sources with this log you want to filter in one policy group. After that, write a filter for this content string and enable this filter rule only for this policy group.

andy777
McAfee Employee
Message 3 of 6

Re: Filter advice

I love this question; it shows someone knows the difference between 'SIEM' and 'log management'. Send anything you want to the ELM/ELS, but only parse and insert useful events, directly relevant or as background to the use cases, into the ESM. And as you already know, filters are the best way to approach this. Once you're comfortable with filters you'll wonder how you ever got along without them. There are two excellent KBs that discuss filters here and here.

Add filters as needed and redirect logs based upon a content string (literally any text) or regex to the ESM, ELM, both or neither. Low-quality logs that still need to be stored can be sent to the ELM only. Temporal metrics that don't make sense to archive can be sent to the ESM only, and low-quality logs that don't need to be stored can be dropped.

dindsy
Level 7
Message 4 of 6

Re: Filter advice

Thanks for the response. I have read the articles on filters and I more or less understand the PCRE expressions. But where I get lost is figuring out what to create my regex for, that is, what am I trying to filter on? How do I work that part out? Can I look for the signature ID, or do I need something else?

abanaru
Level 11
Message 5 of 6

Re: Filter advice

Well, you said you wanted to block some "ARP: MAC address Flip-Flop" messages.

Look at what your raw message looks like and write your regex, or simply put a content string if that is possible.

You don't need to look for the signature ID because filtering occurs before field mapping, and the signature ID is a field.

andy777
McAfee Employee
Message 6 of 6

Re: Filter advice

As Abanaru says, you just need to look at your raw message.

If the log you want to drop literally says "ARP: MAC address Flip-Flop" in the message, you can paste that directly into Content Strings and it will match.

You wouldn't need a regular expression unless you wanted to do something like drop all packets with MAC addresses (you don't want to do this) and wrote a regex like: ^([0-9A-F]{2}[:-]){5}([0-9A-F]{2})$
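To make the advice in this thread concrete, here is an added Python illustration (not McAfee ESM code and not posted by anyone in the thread) of the decision a receiver filter makes: a plain content string tested against the raw message text, restricted to a small policy group of source IPs, with the anchored MAC regex beside it to show why it would not fire on a whole syslog line. The sample log lines, source IPs and group membership are constructed for the example.

```python
import re
from ipaddress import ip_address

# Constructed sample (source IP, raw syslog text); not taken from the thread.
SAMPLE_LOGS = [
    ("10.1.1.5", "<134>Mar 10 12:00:01 sw01 ARP: MAC address Flip-Flop on VLAN 10"),
    ("10.1.1.5", "<134>Mar 10 12:00:02 sw01 LINK-3-UPDOWN: Interface Gi0/1 changed state to down"),
    ("10.9.9.9", "<134>Mar 10 12:00:03 sw02 ARP: MAC address Flip-Flop on VLAN 20"),
]

# The "policy group": the few known sources whose flip-flop noise is expected (constructed).
POLICY_GROUP = {ip_address("10.1.1.5"), ip_address("10.1.1.6")}

# Content string exactly as it appears in the raw message (plain substring, no regex).
CONTENT_STRING = "ARP: MAC address Flip-Flop"

# The regex from the reply above, anchored with ^ and $: it matches a bare MAC address only.
BARE_MAC_RE = re.compile(r"^([0-9A-F]{2}[:-]){5}([0-9A-F]{2})$")


def route(src_ip: str, raw: str) -> str:
    """Decide where a raw message goes: 'both' (ESM and ELM), 'elm', 'esm' or 'drop'.

    The check runs on the raw text before any parsing, so there is no
    signature ID to test yet; only the source and the message text are available.
    """
    if ip_address(src_ip) in POLICY_GROUP and CONTENT_STRING in raw:
        return "drop"   # known noise from an approved source: neither ESM nor ELM
    return "both"       # everything else keeps the default path


def apply_filter(logs):
    """Run the rule over (src_ip, raw) pairs and return [(src_ip, raw, destination)]."""
    return [(src, raw, route(src, raw)) for src, raw in logs]


def is_bare_mac(text: str) -> bool:
    """True only when the whole string is an upper-case MAC address (the anchored regex)."""
    return BARE_MAC_RE.match(text) is not None


if __name__ == "__main__":
    for src, raw, dest in apply_filter(SAMPLE_LOGS):
        print(f"{dest:5} {src:10} {raw}")
    # The anchored regex does not fire on a full syslog line that merely contains a MAC.
    print(is_bare_mac("00:1A:2B:3C:4D:5E"), is_bare_mac(SAMPLE_LOGS[0][1]))
```

The same flip-flop text from a source outside the group still reaches both destinations, which is the "only a small number of IPs" behaviour the original post asks for.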
