1 Reply Latest reply on Nov 8, 2012 4:35 PM by spetting

    What is needed to hit "Multiple events for Peer-to-Peer on a host" correlation rule?

    artek

      Hello,


      Do you know what exactly is needed to hit the "Multiple events for Peer-to-Peer on a host" correlation rule? What device type can create events that will be processed into "Normalization rule IN [P2P Policy]"? What about the "Internal IP [Not In] [0.0.0.0]" parameter: is it ready to use, or should we change this address to something else?


      Best Regards,

      Artur

        • 1. Re: What is needed to hit "Multiple events for Peer-to-Peer on a host" correlation rule?
          spetting

          Artur,


          The correlation rule "Multiple events for Peer-to-Peer on a host" is designed to detect multiple peer-to-peer events from the same IP. The rule will trigger if we see 20 events in a 10-minute window that all meet the following criteria.


          1. The event Normalization ID is "P2P Policy". (All device types have the potential of sending us rules that could fall into this Normalization ID, for example IPS, firewall, router, switches, etc. Our Rules team determines what Normalization ID each rule falls into as they write the parsing rules.)

          2. The event is going from one of your internal network IPs to an IP outside your internal network, or the event is going from an external IP to one of your internal IPs. (We determine your internal vs. external network IP addresses based on the network discovery Homenet variable value. This is located in Asset Manager > Network Discovery > Homenet button.)

          3. The internal IP is not 0.0.0.0 (this prevents false positives when an event does not have an Internal IP).


          If you have a scenario that you think should meet these requirements and the correlation rule is not triggering, please submit a service request and we will be happy to help you look into the issue.


          Thanks,


          Steve


          McAfee Corporate Online Support (Service Portal): https://mysupport.mcafee.com
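The three criteria and the 20-events-in-10-minutes threshold described in the reply above, written out as a small stand-alone correlator over constructed sample events. This is an added illustration, not McAfee ESM code; the Homenet ranges, the event tuple layout and the sample timestamps are assumptions made for the example.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Hypothetical Homenet value (in ESM it comes from Asset Manager > Network Discovery > Homenet).
HOMENET = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
THRESHOLD, WINDOW = 20, 600      # 20 events within a 10-minute (600 s) window

def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in HOMENET)

def internal_host(ev):
    """Criteria 1-3: P2P Policy, crossing the Homenet boundary, internal IP not 0.0.0.0.
    Returns the internal endpoint to count against, or None if the event does not qualify."""
    ts, src, dst, norm_id = ev
    if norm_id != "P2P Policy":
        return None
    s, d = is_internal(src), is_internal(dst)
    host = src if (s and not d) else dst if (d and not s) else None
    if host is None or host == "0.0.0.0":
        return None
    return host

def correlate(events):
    """Sliding-window count per internal host; returns (host, ts) pairs where the rule fires."""
    windows, alerts = defaultdict(deque), []
    for ev in sorted(events, key=lambda e: e[0]):
        host = internal_host(ev)
        if host is None:
            continue
        q = windows[host]
        q.append(ev[0])
        while ev[0] - q[0] > WINDOW:          # drop timestamps older than the window
            q.popleft()
        if len(q) >= THRESHOLD:
            alerts.append((host, ev[0]))
            q.clear()                          # one burst -> one alert
    return alerts

# Constructed sample: events as (epoch seconds, src, dst, normalization ID).
# 20 qualifying events from 10.1.2.3 to an external peer in 380 seconds, plus three that must
# not count: internal-to-internal, wrong normalization ID, and no internal IP (0.0.0.0).
SAMPLE = [(1000 + 20 * i, "10.1.2.3", "203.0.113.9", "P2P Policy") for i in range(20)]
SAMPLE += [(1100, "10.1.2.3", "10.1.2.4", "P2P Policy"),
           (1200, "10.1.2.3", "203.0.113.9", "Web Policy"),
           (1300, "0.0.0.0", "203.0.113.9", "P2P Policy")]

if __name__ == "__main__":
    print(correlate(SAMPLE))  # [('10.1.2.3', 1380)]
```

Spreading the same 20 events over more than 600 seconds makes the window evict the oldest timestamps and the rule never fires, which is the behaviour to expect from the real rule when P2P events trickle in slowly.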