creating rule for group of IPs

Hi All,

I am trying to filter some false positives where a server is transferring a file to a client over VPN and it gets dropped. Due to this the sequence number changes and the clients query that source server multiple times.

This causes "footprint" and "Possible Probing by a Single Source IP" to trigger. I have a list of these servers that I want to filter out, but I want to put some more conditions on this filter.

Conditions:

1> Source IP not in the list of servers I have (example: A.1.1.1 and B.1.1.1).

2> Destination IP not in VPN range (example: 10.224.X.X and 10.231.X.X).

3> To further filter, I want to put a condition of event count of 500 (as for all events it's 500) and event subtype of error.

If all these conditions are true, then the SIEM should not trigger the footprint alert.

I have planned to put an "AND" on the original rule and then club all the conditions as "Not IN", but I am not sure how to specify a range of IP addresses (condition 2) or how to club more than one condition in a rule.

Any suggestions are invited.

3 Replies
vinaya_k
Level 9
Message 2 of 4

Re: creating rule for group of IPs

Hi,

You can use a watchlist to achieve this. First create a watchlist for Source IP and add all the IPs or IP ranges, then create a watchlist for Destination IP and add all the IPs or IP ranges. While creating the correlation rule, select the Not In condition for the source IP watchlist, the Not In condition for the destination IP watchlist, and the Not In condition for event subtype and count, and make sure you AND the entire filter condition. Hope this helps. Let me know if you need any more help!

Regards,

Vinaya

Re: creating rule for group of IPs

Hi,

Thanks Vinay. I was thinking whether there is any way we could put 10.231.0.0/23 or something like this so that the entire range gets included, but that is not a good idea from a security point of view and I don't think it's possible in SIEM.

The first two conditions will be fulfilled by the watchlist approach, but the event count option is not present in the rule, though it is there in deviation (that's strange). Now I have created an AND inside the original footprint rule (by using SET), put all the NOT IN conditions in it, and added a deviation on an event count of 500. Hope this will serve the purpose.

Any suggestions for improvement ?

aquist
Level 8
Message 4 of 4

Re: creating rule for group of IPs

You can do it more easily by using an AND condition and modifying the threshold and time window for this logical element (e.g. the rule should trigger if the combination of destination IP and source IP is found more than 500 times in x minutes).
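The filter logic discussed in this thread, as an added example that is not part of any post above and is not McAfee ESM rule syntax: it models the three conditions from the question (source watchlist, destination VPN ranges as CIDR blocks, count threshold on error events) and the per-(source, destination) count-in-a-window variant from the last reply, over constructed sample events. It also shows the practical difference between suppressing only when all exception conditions hold together and ANDing separate NOT IN filters on source and destination, which suppress more. Assumptions not taken from the thread: RFC 5737 documentation addresses stand in for the "A.1.1.1"/"B.1.1.1" placeholders, "10.224.X.X" and "10.231.X.X" are read as /16 networks, and each event carries an aggregated `count` field.

```python
"""Added example modelling the thread's suppression logic (not ESM rule syntax).

Assumptions (not from the thread):
  * SERVER_WATCHLIST uses RFC 5737 documentation addresses as placeholders;
  * the VPN ranges "10.224.X.X" / "10.231.X.X" are read as /16 networks;
  * each event carries an aggregated count field ("for all events it's 500").
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SERVER_WATCHLIST = {ip_address("192.0.2.1"), ip_address("198.51.100.1")}  # constructed
VPN_RANGES = [ip_network("10.224.0.0/16"), ip_network("10.231.0.0/16")]   # assumed /16
COUNT_THRESHOLD = 500


@dataclass(frozen=True)
class Event:
    ts: int        # seconds
    src: str
    dst: str
    subtype: str
    count: int     # aggregated event count carried by the event


def in_vpn_range(ip: str) -> bool:
    """CIDR membership test: how a 'range of IP addresses' is expressed in code."""
    addr = ip_address(ip)
    return any(addr in net for net in VPN_RANGES)


def exception_matches(ev: Event) -> bool:
    """All three conditions true together: the known false-positive pattern."""
    return (ip_address(ev.src) in SERVER_WATCHLIST
            and in_vpn_range(ev.dst)
            and ev.subtype == "error"
            and ev.count >= COUNT_THRESHOLD)


def alert_conjunction(ev: Event) -> bool:
    """Original rule AND NOT(all exception conditions): suppresses only the exact pattern."""
    return not exception_matches(ev)


def alert_separate_not_in(ev: Event) -> bool:
    """Original rule AND (src NOT IN watchlist) AND (dst NOT IN VPN ranges).

    Wider suppression: any event from a listed server, or to any VPN address,
    never alerts, whatever the other fields say.
    """
    return (ip_address(ev.src) not in SERVER_WATCHLIST
            and not in_vpn_range(ev.dst))


class PairCounter:
    """Sliding-window count per (src, dst) pair, as in the last reply:
    alert when one pair is seen more than `threshold` times within `window_s`."""

    def __init__(self, threshold: int, window_s: int):
        self.threshold = threshold
        self.window_s = window_s
        self._seen = defaultdict(deque)

    def observe(self, ev: Event) -> bool:
        q = self._seen[(ev.src, ev.dst)]
        q.append(ev.ts)
        while q and ev.ts - q[0] > self.window_s:   # drop timestamps outside the window
            q.popleft()
        return len(q) > self.threshold


SAMPLE_EVENTS = [  # constructed sample input
    Event(0, "192.0.2.1", "10.224.5.7", "error", 500),    # listed server -> VPN client
    Event(1, "192.0.2.1", "10.50.1.1", "error", 500),     # listed server -> non-VPN host
    Event(2, "203.0.113.9", "10.231.8.8", "error", 500),  # unknown source -> VPN client
    Event(3, "203.0.113.9", "10.50.1.1", "info", 12),     # ordinary event
]


def classify(events=SAMPLE_EVENTS):
    """Return (src, dst, alert_conjunction, alert_separate_not_in) per event."""
    return [(ev.src, ev.dst, alert_conjunction(ev), alert_separate_not_in(ev))
            for ev in events]


if __name__ == "__main__":
    for row in classify():
        print(row)
```

Only the first sample event (listed server to a VPN client, error, count 500) is suppressed by both forms; the second and third are alerted on by the conjunction form but silently dropped by the separate NOT IN form, which is the trade-off to decide on before building the rule.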
