5 Replies Latest reply on May 8, 2017 6:36 AM by andy777

    Filter advice

    dindsy

      hi ,

I need to create a filter to block "ARP: MAC address Flip-Flop", but I want to do it for only a small number of IPs.

      I know the source creating the alert and I can't stop that so I want to filter these messages.


I am not good with filters and have created a few basic ones where there is an obvious content string I can filter on, but this seems a bit more specific.


      any advice would be good.


      thanks

        • 1. Re: Filter advice
          xded

          Put all Datasources with this Log you want to filter in one policy group. After that write a Filter for this content string and enable this filter rule only for this policy group.

          • 2. Re: Filter advice
            andy777

            I love this question; it shows someone knows the difference between 'SIEM' and 'log management'. Send anything you want to the ELM/ELS, but only parse and insert useful events, directly relevant or as background to the use cases, into the ESM. And as you already know, filters are the best way to approach this. Once you're comfortable with filters you'll wonder how you ever got along without them. There are two excellent KBs that discuss filters here and here.


            Add filters as needed and redirect logs based upon a content string (literally any text) or regex to the ESM, ELM, both or neither. Low quality logs that still need to be stored can be sent to the ELM only. Temporal metrics that don't make sense to archive can be sent to the ESM only, and low quality logs that don't need to be stored can be dropped.

            • 3. Re: Filter advice
              dindsy

              Thanks for the response. I have read the articles on filters and I more or less understand the PCRE expressions. But where I get lost is figuring out what to create my regex for, that is, what am I trying to filter on? How do I work that part out? Can I look for the signature ID or do I need something else?

              • 4. Re: Filter advice
                abanaru

                Well, you said you wanted to block some "ARP: MAC address Flip-Flop" messages.

                Look at what your raw message looks like and write your regex, or simply put a content string if that is possible.


                You don't need to look for the Signature ID because filtering occurs before field mapping, and the signature ID is a field.

                • 5. Re: Filter advice
                  andy777

                  As Abanaru says, you just need to look at your raw message.


                  If the log you want to drop literally says "ARP: MAC address Flip-Flop" in the message, you can paste that directly into Content Strings and it will match.


                  You wouldn't need a regular expression unless you wanted to do something like drop all packets with MAC addresses (you don't want to do this) and wrote a regex like: ^([0-9A-F]{2}[:-]){5}([0-9A-F]{2})$
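The routing described in replies 2 through 5 (a content string or regex matched against the raw message before field mapping, scoped to a policy group of data sources, with the event sent to the ESM, the ELM, both or dropped), as an added example that is not part of the thread and not McAfee ESM's own filter engine. It is a small Python model with constructed sample messages; the rule structure, the source IPs and the log text are assumptions made for illustration. It also shows why the anchored MAC regex from reply 5 does not match a full log line, which is the caveat a practitioner would check before trusting a regex filter.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Pattern, Tuple

# Constructed sample raw messages (not taken from the thread). The first
# two come from the known noisy sources; the third is the same message from
# a host outside the policy group and must keep flowing to the ESM.
SAMPLE_LOGS: List[Tuple[str, str]] = [
    ("10.0.0.5", "ARP: MAC address Flip-Flop for 10.0.0.50 between 00:11:22:33:44:55 and 66:77:88:99:AA:BB"),
    ("10.0.0.6", "ARP: MAC address Flip-Flop for 10.0.0.51 between 00:11:22:33:44:56 and 66:77:88:99:AA:BC"),
    ("10.0.1.9", "ARP: MAC address Flip-Flop for 10.0.1.20 between 0A:0B:0C:0D:0E:0F and 1A:1B:1C:1D:1E:1F"),
    ("10.0.0.5", "Interface eth0 link up"),
]

# The "policy group" from reply 1: the data sources whose flip-flop noise is
# understood and should not be inserted into the ESM (constructed values).
NOISY_SOURCES: FrozenSet[str] = frozenset({"10.0.0.5", "10.0.0.6"})


@dataclass
class FilterRule:
    """Hypothetical filter rule: a content string and/or a regex tested
    against the raw message, applied only to data sources in policy_group
    (an empty group means every source), routing the event to
    'esm', 'elm', 'both' or 'drop'."""
    content: Optional[str] = None
    regex: Optional[Pattern] = None
    route: str = "drop"
    policy_group: FrozenSet[str] = frozenset()

    def matches(self, source_ip: str, raw: str) -> bool:
        # Scope check first: a rule enabled only for one policy group
        # never touches events from other data sources.
        if self.policy_group and source_ip not in self.policy_group:
            return False
        # Content string is a plain substring test on the raw message,
        # which is why no signature ID is needed: parsing has not happened yet.
        if self.content is not None and self.content in raw:
            return True
        if self.regex is not None and self.regex.search(raw):
            return True
        return False


def route_event(rules: List[FilterRule], source_ip: str, raw: str, default: str = "both") -> str:
    """First matching rule decides; unmatched events take the default path."""
    for rule in rules:
        if rule.matches(source_ip, raw):
            return rule.route
    return default


def apply_rules(rules: List[FilterRule], logs: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    return [(ip, route_event(rules, ip, raw)) for ip, raw in logs]


# The thread's case: keep the flip-flop messages from the known sources for
# archive (ELM only) but stop inserting them into the ESM.
RULES = [
    FilterRule(content="ARP: MAC address Flip-Flop", route="elm", policy_group=NOISY_SOURCES),
]

# Reply 5's regex, anchored with ^ and $, beside an unanchored variant.
MAC_ANCHORED = re.compile(r"^([0-9A-F]{2}[:-]){5}([0-9A-F]{2})$")
MAC_UNANCHORED = re.compile(r"([0-9A-F]{2}[:-]){5}([0-9A-F]{2})")


def mac_regex_hits(lines: List[str]) -> dict:
    """Count how many lines each variant matches. The anchored form only
    matches when the entire message is a single MAC address, so it never
    fires on a real log line that merely contains one."""
    return {
        "anchored": sum(1 for raw in lines if MAC_ANCHORED.search(raw)),
        "unanchored": sum(1 for raw in lines if MAC_UNANCHORED.search(raw)),
    }


if __name__ == "__main__":
    for ip, route in apply_rules(RULES, SAMPLE_LOGS):
        print(f"{ip:10} -> {route}")
    print(mac_regex_hits([raw for _, raw in SAMPLE_LOGS]))
```

Running it routes the two flip-flop messages from the noisy sources to "elm" and everything else to "both", and reports that the anchored regex matches none of the sample lines while the unanchored one matches three, which is the behaviour to confirm against a captured raw message before enabling a regex filter rule.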