I am trying to filter some false positives where a server is transferring a file to a client over VPN and it gets dropped. Because of this the sequence number changes and clients query that source server multiple times.
This causes "footprint" and "Possible Probing by a Single Source IP" to trigger. I have a list of these servers that I want to filter out, but I want to put some more conditions on this filter.
1> Source IP not in the list of servers I have (example: A.1.1.1 and B.1.1.1)
2> Destination IP not in VPN range (example: 10.224.X.X and 10.231.X.X)
3> To filter further, I want to put a condition of event count of 500 (as for all events it is 500) and event subtype as error.
If all these conditions are true then the SIEM should not trigger the footprint alert.
I have planned to put an "AND" on the original rule and then club all the conditions as "Not IN", but I am not sure how to specify a range of IP addresses (condition 2) or how to club more than one condition in a rule.
Any suggestions are invited.
You can use a watchlist to achieve this. First create a watchlist for source IP and add all the IPs or IP ranges, then create a watchlist for destination IP and add all the IPs or IP ranges. While creating the correlation rule, select the Not In condition for the source IP watchlist, the Not In condition for destination IP, and the Not In condition for event subtype and count, and make sure you AND the entire filter condition. Hope this helps. Let me know if you need any more help!
Thanks Vinay. I was thinking if there is any way where we put 10.231.0.0/23 or something like this and the entire range gets included, but that is not a good idea from a security point of view and I don't think it's possible in SIEM.
The first two conditions will be fulfilled by the watchlist approach, but the event count option is not present in the rule but is there in deviation (that's strange). Now I have created an AND inside the original footprint (by using SET) and put all NOT IN conditions and a deviation on event count of 500. Hope this will serve the purpose.
Any suggestions for improvement?
You can do it more easily by using an AND condition and modifying the threshold and time window for this logical element (e.g. the rule should trigger if the combination of destip and srcip is found more than 500 times in x minutes).
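To make the exclusion logic from the thread concrete, here is an added Python model of the suppression (not part of the thread and not SIEM rule syntax): the footprint alert fires unless the source is a known server AND the destination is in a VPN range AND the count is at least 500 AND the subtype is "error". The server addresses, the /16 VPN ranges standing in for "10.224.X.X and 10.231.X.X", and the sample events are all constructed assumptions.

```python
"""Model of the footprint-alert suppression discussed above (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-ins: the OP's server list and the VPN client ranges.
KNOWN_SERVERS = {ip_address("192.0.2.10"), ip_address("192.0.2.11")}
VPN_RANGES = [ip_network("10.224.0.0/16"), ip_network("10.231.0.0/16")]
COUNT_THRESHOLD = 500          # "event count of 500" from the question
SUPPRESSED_SUBTYPE = "error"   # "event subtype as error"


@dataclass(frozen=True)
class Event:
    src: str
    dst: str
    subtype: str
    count: int


def is_vpn_destination(dst: str) -> bool:
    """True when dst falls inside any VPN range (CIDR membership test)."""
    addr = ip_address(dst)
    return any(addr in net for net in VPN_RANGES)


def is_expected_retransmit(ev: Event) -> bool:
    """All four exclusion conditions hold: benign VPN-drop retry noise."""
    return (ip_address(ev.src) in KNOWN_SERVERS
            and is_vpn_destination(ev.dst)
            and ev.count >= COUNT_THRESHOLD
            and ev.subtype == SUPPRESSED_SUBTYPE)


def should_alert(ev: Event) -> bool:
    # Rule = original footprint match AND NOT (all exclusion conditions).
    return not is_expected_retransmit(ev)


def evaluate(events):
    """Split events into those that still alert and those suppressed."""
    alerts = [e for e in events if should_alert(e)]
    suppressed = [e for e in events if not should_alert(e)]
    return alerts, suppressed


# Constructed sample events; only the first two match every exclusion.
SAMPLE_EVENTS = [
    Event("192.0.2.10", "10.224.5.7", "error", 500),    # suppressed
    Event("192.0.2.10", "10.231.0.9", "error", 500),    # suppressed
    Event("192.0.2.10", "172.16.3.3", "error", 500),    # dst not VPN -> alert
    Event("198.51.100.4", "10.224.5.7", "error", 500),  # unknown src -> alert
    Event("192.0.2.11", "10.224.5.7", "info", 500),     # subtype -> alert
    Event("192.0.2.11", "10.224.5.7", "error", 40),     # count low -> alert
]
```

Note that a /23 only covers 512 addresses, so a range written as 10.231.X.X needs a /16 (or a list of narrower ranges) to match every client.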