duffles
Level 7
Message 1 of 14

Modify Data Source Rule Normalization

Hello,

I am having issues where events are being parsed, however the data source rules are normalizing the events to the wrong normalization, which in turn is messing up the advanced correlation engine rules.

I believe this could be easily fixed if I could simply change the normalization ID for the RT_FLOW_SESSION_DENY and RT_FLOW_SESSION_CREATE to Firewall Rule/ACL; however, the modify button is greyed out when I try to modify them.

Can anyone tell me if there is a way to change the normalized ID of Data Source Rules, or a workaround for this? My biggest issue is that the normalization for RT_FLOW_SESSION_DENY gets normalized to "Policy", which messes up a lot of correlation rules that have nothing to do with firewall rules.

Any help would be really appreciated as I am going in circles here.

Data_Source_Rules.jpg

13 Replies
xded
Level 12
Message 2 of 14

Re: Modify Data Source Rule Normalization

Double click on the name of the rule and then click on the camera near Normalization, choose your Normalization and click OK.

duffles
Level 7
Message 3 of 14

Re: Modify Data Source Rule Normalization

Thanks, but as this is not an auto learned rule you cannot modify it, regardless of whether you double click or try to select modify.

Re: Modify Data Source Rule Normalization

Data Source Rules on the Policy Editor are Auto Learned by the Receiver as it processes the information sent to it by data sources that are associated with the Receiver.

In order to change the normalization, you need to go to the event, right-click on it and choose Show Rule, which is the rule responsible for the parsing and normalization; you can edit the rule and change the normalization ID to (Firewall Rule/ACL) if it is a custom rule.

In case it is a default rule, you need to copy and paste it, disable the default, and edit the copied rule to change the normalization ID to (Firewall Rule/ACL).

After that you need to do a Roll out.

Then delete the auto learned "Data source rules": RT_FLOW_SESSION_DENY and RT_FLOW_SESSION_CREATE

and wait until the McAfee ESM applies the changes.

duffles
Level 7
Message 5 of 14

Re: Modify Data Source Rule Normalization

Unfortunately this is not a custom rule / auto learned rule, and it also cannot be copied and pasted.

Re: Modify Data Source Rule Normalization

All the rules in the Data source rules are auto learned; you cannot modify them, but you can delete them.

Please follow this procedure:

In order to change the normalization, you need to go to the event, right-click on it and choose Show Rule; you will see the rule in the Advanced Syslog Parser in the Policy Editor. This is the rule responsible for the parsing and normalization; you can edit the rule and change the normalization ID to (Firewall Rule/ACL) if it is a custom rule.

In case it is a default rule, you need to copy and paste it, disable the default, and edit the copied rule to change the normalization ID to (Firewall Rule/ACL).

After that you need to do a Roll out.

Then delete the two auto learned rules RT_FLOW_SESSION_DENY and RT_FLOW_SESSION_CREATE in "Data source rules" in the Policy Editor,

and wait until the McAfee ESM applies the changes.

duffles
Level 7
Message 7 of 14

Re: Modify Data Source Rule Normalization

Thanks for the response, however that doesn't seem to be correct. As you can see below, I have followed the instructions to follow the rule and it takes me to a data source rule which I cannot modify and also cannot delete, even though it is selected. I have also tried to delete all auto learned rules and this rule still remains.

I have also tried copying the existing parser, enabling the copy and disabling the old one, and it still ends up at this data source rule, which I believe is due to data source rules being hit after parser rules.

Data_Source_Rules2.jpg

xded
Level 12
Message 8 of 14

Re: Modify Data Source Rule Normalization

I tried to modify the auto learned rule and it works for my example rule. But the way from is better.

Re: Modify Data Source Rule Normalization

When you go to the event, right-click on it and choose Show Rule, you will see the auto learned rules in the Data Source Rules.

But when you want to change the Normalization ID you need to go to the rule in the Advanced Syslog Parser (ASP) and select the Policy of the device by clicking on the red rectangle in the image below:

Policies.png

Then select the Policy of the data source.

Then select the rule that you want to edit.

You can change the rule only in the Advanced Syslog Parser (ASP), and only when the rule is a custom rule.

All the rules in the Data source rules are auto learned; you cannot modify them, but you can delete them.

Re: Modify Data Source Rule Normalization

To keep it simple for you, follow the steps with images:

First you need to select the data source that generates this event and click on the red rectangle to go to the Policy Editor: Advanced Syslog Parser

To Policy.PNG

Policy Editor ASP.PNG

To go directly to the rule, please click on Advanced in the Filter/Tagging pane and filter by Signature ID

Sig ID.JPG

to go directly to the rule in the Policy Editor: Advanced Syslog Parser.

Click Edit to modify the rule

Policy Editor menu.PNG

ASP rule - General tab.PNG

Click on the green icon to modify the Normalization ID to Firewall Rule/ACL

Normalized ID.PNG


Then Rollout to apply the policy changes to the device.

The last step is to delete the auto learned rule by selecting the event and

Show 1.png

Show.jpg

clicking Delete Auto Learned Rules: select Delete the selected Auto Learn rule.

Click Rollout to apply the changes and wait 15 minutes until the McAfee ESM applies the changes.
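The fix the thread arrives at, modelled as an added Python illustration (not McAfee code and not any ESM API): a constructed parser-rule table in which the default rules normalize the two RT_FLOW events to "Policy", a correlation check keyed on that category rather than on message text, and an override that disables the default rule and adds a copy carrying "Firewall Rule/ACL". The rule names, the rule fields and the sample syslog lines are all constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed Juniper SRX-style syslog samples (not captured from a real device).
SAMPLE_EVENTS = [
    "RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.0.0.5/51234->203.0.113.7/445",
    "RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.0.0.5/51235->203.0.113.7/443",
    "sshd: Failed password for invalid user admin from 198.51.100.9 port 2222",
]

@dataclass
class ParserRule:
    sig_id: str           # hypothetical rule identifier, stands in for an ASP Signature ID
    pattern: str          # regex matched against the raw event text
    normalization: str    # normalization category assigned on a match
    enabled: bool = True
    priority: int = 10    # lower values are evaluated first

# Default rules, modelled on the thread: both RT_FLOW events land in "Policy".
DEFAULT_RULES = [
    ParserRule("juniper-deny", r"RT_FLOW_SESSION_DENY", "Policy"),
    ParserRule("juniper-create", r"RT_FLOW_SESSION_CREATE", "Policy"),
    ParserRule("ssh-fail", r"Failed password", "Authentication"),
]

def normalize(event, rules):
    """Return (sig_id, normalization) of the first enabled rule that matches."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.enabled and re.search(rule.pattern, event):
            return rule.sig_id, rule.normalization
    return None, "Unknown"

def policy_change_alerts(events, rules):
    """A correlation rule keyed on normalization, as ESM correlation rules are:
    it never reads the message text, so mis-normalized firewall traffic fires it."""
    return [e for e in events if normalize(e, rules)[1] == "Policy"]

def apply_custom_override(rules, sig_id, new_normalization):
    """Model the fix from the thread: disable the default rule and add an
    enabled copy that carries the wanted normalization ID."""
    updated = []
    for r in rules:
        if r.sig_id != sig_id:
            updated.append(r)
            continue
        updated.append(ParserRule(r.sig_id, r.pattern, r.normalization, enabled=False, priority=r.priority))
        updated.append(ParserRule(r.sig_id + "-custom", r.pattern, new_normalization, priority=r.priority - 1))
    return updated
```

Running `policy_change_alerts` before and after the override shows the two RT_FLOW events dropping out of the "Policy" correlation while the SSH event keeps its own category.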
