4 Replies Latest reply on Feb 9, 2015 10:59 PM by totti10

    Count Context?

    totti10

      Hi all,

       

      There are two terms in the Count Context Situation:

           1. Time Window Size:

           2. Alarm Threshold:

      Can anyone explain the Time Window Size to me? It confuses me.

      And if I set both variables, what does it mean?

       

      Thanks and Regards!

        • 1. Re: Count Context?
          lnurmi

          Hi,

           

          please have a look at the Admin Guide, specifically section "Configuring Count Contexts" on page 801:

          https://www.stonesoft.com/opencms/export/system/galleries/download/product_docs/current/McAfee_SMC_Administrators_Guide_…

           

          "Enter the Time Window Size in seconds. All events must occur during this length of time for the Correlation Situation to match."

           

          You need to set both variables, otherwise the situation cannot be saved.

           

          BR,

          Lauri

          • 2. Re: Count Context?
            totti10

            Hi lnurmi,

             

            I did read the Admin Guide, but it is not clear yet. Assume that I create a Count Situation called MyCount as below:

            [screenshot: MyCount.PNG]

            Time window is 10s

            Alarm Threshold is 5 times.

             

            Does it mean that the Connection_Allowed must happen 5 times in 10s for the Situation MyCount to match?

             

            Regards!

            • 3. Re: Count Context?
              lnurmi

              >Does it mean that the Connection_Allowed must happen 5 times in 10s for the Situation MyCount to match?

               

              Yes. And with this configuration the fields in the "Event binding" set must match across all 5 Connection_Allowed logs. "Identical connection" requires that src/dst IPs and ports are all identical in the five connections; this is quite unlikely to happen within ten seconds unless it's some protocol like SIP (Control) that always uses the same src/dst ports. Something like "Identical Source and Destination service" would work better if you, for example, want to count connections between the same two IPs to the same dst port.

               

              BR,

              Lauri
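
The reply above describes three knobs that interact: the situation being counted, the Time Window Size, and the Event binding that decides which log fields must agree before two events count as "the same thing". The following is an added example (not part of this thread, not SMC code, and not how the engine is implemented internally) that simulates that logic in Python over a small constructed log, so the difference between the "Identical connection" and "Identical Source and Destination service" bindings can be seen directly. The log lines, field names, binding names and the choice to restart the count after the threshold fires are all assumptions made for the example.

```python
from collections import defaultdict, deque, namedtuple

# Constructed sample log (not real SMC output): one entry per firewall log line.
Event = namedtuple("Event", "ts situation src_ip src_port dst_ip dst_port")

SAMPLE_LOG = [
    # A client hitting the same web server 5 times in under 10 s; the
    # source port changes every time (normal ephemeral-port behaviour).
    Event(0.0, "Connection_Allowed", "10.0.0.5", 51001, "10.0.0.20", 80),
    Event(1.5, "Connection_Allowed", "10.0.0.5", 51002, "10.0.0.20", 80),
    Event(3.0, "Connection_Allowed", "10.0.0.5", 51003, "10.0.0.20", 80),
    Event(4.2, "Connection_Allowed", "10.0.0.5", 51004, "10.0.0.20", 80),
    Event(6.8, "Connection_Allowed", "10.0.0.5", 51005, "10.0.0.20", 80),
    # A different situation in the same flow; ignored by the counter.
    Event(7.0, "Connection_Discarded", "10.0.0.5", 51006, "10.0.0.20", 80),
    # SIP-style traffic: src and dst ports are fixed, so even the strict
    # "identical connection" binding can see 5 identical events.
    Event(20.0, "Connection_Allowed", "10.0.0.7", 5060, "10.0.0.30", 5060),
    Event(21.0, "Connection_Allowed", "10.0.0.7", 5060, "10.0.0.30", 5060),
    Event(22.0, "Connection_Allowed", "10.0.0.7", 5060, "10.0.0.30", 5060),
    Event(23.0, "Connection_Allowed", "10.0.0.7", 5060, "10.0.0.30", 5060),
    Event(24.0, "Connection_Allowed", "10.0.0.7", 5060, "10.0.0.30", 5060),
    # A slow SSH poker: 5 connections to the same service, but spread over
    # 40 s, so no 10 s window ever contains 5 of them.
    Event(100.0, "Connection_Allowed", "10.0.0.9", 40001, "10.0.0.40", 22),
    Event(110.0, "Connection_Allowed", "10.0.0.9", 40002, "10.0.0.40", 22),
    Event(120.0, "Connection_Allowed", "10.0.0.9", 40003, "10.0.0.40", 22),
    Event(130.0, "Connection_Allowed", "10.0.0.9", 40004, "10.0.0.40", 22),
    Event(140.0, "Connection_Allowed", "10.0.0.9", 40005, "10.0.0.40", 22),
]

# Event bindings: which fields must be equal for events to be counted together.
# Names and field sets are assumptions modelled on the bindings named in the thread.
BINDINGS = {
    "identical_connection": lambda e: (e.src_ip, e.src_port, e.dst_ip, e.dst_port),
    "identical_src_dst_service": lambda e: (e.src_ip, e.dst_ip, e.dst_port),
}


def count_context(events, situation, binding, window_size, alarm_threshold):
    """Simulate a Count Context: return [(binding_key, ts), ...] for every
    point at which `alarm_threshold` events of `situation`, agreeing on the
    binding's fields, fall inside one `window_size`-second window."""
    key_fn = BINDINGS[binding]
    windows = defaultdict(deque)  # binding key -> timestamps still inside the window
    fired = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.situation != situation:
            continue
        q = windows[key_fn(e)]
        q.append(e.ts)
        # Slide the window: discard timestamps older than window_size
        # relative to the newest event (window boundary is inclusive).
        while q and e.ts - q[0] > window_size:
            q.popleft()
        if len(q) >= alarm_threshold:
            fired.append((key_fn(e), e.ts))
            q.clear()  # assumption: start a fresh count after the alarm fires
    return fired


if __name__ == "__main__":
    for binding in BINDINGS:
        hits = count_context(SAMPLE_LOG, "Connection_Allowed", binding, 10, 5)
        print(f"{binding}: {hits}")
```

With the thread's settings (window 10 s, threshold 5), the web-client burst only fires under "identical_src_dst_service", because its source port differs on every line; the SIP traffic fires under both bindings; and the slow SSH connections never fire under either, because no 10 s window ever holds five of them. Which binding is right therefore depends on what is being counted, not just on the threshold.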

              • 4. Re: Count Context?
                totti10

                Great answer! Thanks for your help.

                 

                Regards!