13 Replies. Latest reply on Mar 24, 2016 4:54 PM by rgarrett

    Modify Data Source Rule Normalization

    duffles

      Hello,

      I am having issues where events are being parsed, however the data source rules are normalizing the events to the wrong normalization, which in turn is messing up the Advanced Correlation Engine rules.

      I believe this could be easily fixed if I could simply change the normalization ID for RT_FLOW_SESSION_DENY and RT_FLOW_SESSION_CREATE to Firewall Rule/ACL; however, the Modify button is greyed out when I try to modify them.

      Can anyone tell me if there is a way to change the normalized ID of Data Source Rules, or a workaround for this? My biggest issue is that RT_FLOW_SESSION_DENY gets normalized to "Policy", which messes up a lot of correlation rules that have nothing to do with firewall rules.

      Any help would be really appreciated, as I am going in circles here.

      [attachment: Data_Source_Rules.jpg]

        • 1. Re: Modify Data Source Rule Normalization
          xded

          Double click on the name of the rule, then click on the camera next to Normalization, choose your Normalization and click OK.

          • 2. Re: Modify Data Source Rule Normalization
            yassinezeroual

            Data Source Rules in the Policy Editor are auto learned by the Receiver as it processes the information sent to it by the data sources that are associated with the Receiver.

            In order to change the normalization, you need to go to the event, right click on it and choose Show Rule. This is the rule responsible for the parsing and normalization; you can edit the rule and change the normalization ID to Firewall Rule/ACL if it is a custom rule.

            In case it is a default rule, you need to copy and paste it, disable the default, and edit the copied rule to change the normalization ID to Firewall Rule/ACL.

            After that you need to do a Rollout.

            Then delete the auto learned Data Source Rules RT_FLOW_SESSION_DENY and RT_FLOW_SESSION_CREATE, and wait until the McAfee ESM applies the changes.

            • 3. Re: Modify Data Source Rule Normalization
              duffles

              Thanks, but as this is not an auto learned rule, you cannot modify it regardless of whether you double click or try to select Modify.

              • 4. Re: Modify Data Source Rule Normalization
                duffles

                Unfortunately this is not a custom rule / auto learned rule, and it also cannot be copied and pasted.

                • 5. Re: Modify Data Source Rule Normalization
                  yassinezeroual

                  All the rules under Data Source Rules are auto learned; you cannot modify them, but you can delete them.

                  Please follow this procedure:

                  In order to change the normalization, you need to go to the event, right click on it and choose Show Rule. You will see the rule under Advanced Syslog Parser in the Policy Editor. This is the rule responsible for the parsing and normalization; you can edit the rule and change the normalization ID to Firewall Rule/ACL if it is a custom rule.

                  In case it is a default rule, you need to copy and paste it, disable the default, and edit the copied rule to change the normalization ID to Firewall Rule/ACL.

                  After that you need to do a Rollout.

                  Then delete the two auto learned rules RT_FLOW_SESSION_DENY and RT_FLOW_SESSION_CREATE under Data Source Rules in the Policy Editor, and wait until the McAfee ESM applies the changes.

                  • 6. Re: Modify Data Source Rule Normalization
                    duffles

                    Thanks for the response, however that doesn't seem to be correct. As you can see below, I have followed the instructions to follow the rule, and it takes me to a data source rule which I cannot modify and which also cannot be deleted, even though it is selected. I have also tried to delete all auto learned rules, and this rule still remains.

                    I have also tried copying the existing parser, enabling the copy and disabling the old one, and it still ends up at this data source rule, which I believe is due to data source rules being hit after parser rules.

                    [attachment: Data_Source_Rules2.jpg]

                    • 7. Re: Modify Data Source Rule Normalization
                      xded

                      I tried to modify the auto learned rule and it works for my example rule. But the way from is better.

                      • 8. Re: Modify Data Source Rule Normalization
                        yassinezeroual

                        When you go to the event, right click on it and choose Show Rule, you will see the auto learned rules under Data Source Rules.

                        But when you want to change the Normalization ID, you need to go to the rule under Advanced Syslog Parser (ASP) and select the Policy of the device by clicking on the red rectangle in the image below:

                        [attachment: Policies.png]

                        Then select the Policy of the data source.

                        Then select the rule that you want to edit.

                        You can change the rule only under Advanced Syslog Parser (ASP), and only when the rule is a custom rule.

                        All the rules under Data Source Rules are auto learned; you cannot modify them, but you can delete them.

                        • 9. Re: Modify Data Source Rule Normalization
                          yassinezeroual

                          To keep it simple for you, follow the steps with images:

                          First you need to select the data source that generates this event and click on the red rectangle to go to Policy Editor: Advanced Syslog Parser.

                          [attachment: To Policy.PNG]

                          [attachment: Policy Editor ASP.PNG]

                          To go directly to the rule, click on Advanced in the Filter/Tagging pane and filter by Signature ID.

                          [attachment: Sig ID.JPG]

                          This takes you directly to the rule under Policy Editor: Advanced Syslog Parser.

                          Click Edit to modify the rule.

                          [attachment: Policy Editor menu.PNG]

                          [attachment: ASP rule - General tab.PNG]

                          Click on the green icon to modify the Normalization ID to Firewall Rule/ACL.

                          [attachment: Normalized ID.PNG]

                          Then Rollout to apply the policy changes to the device.

                          The last step is to delete the auto learned rule by selecting the event and

                          [attachment: Show 1.png]

                          [attachment: Show.jpg]

                          clicking Delete Auto Learned Rules: select Delete the selected Auto Learn rule.

                          Click Rollout to apply the changes and wait 15 minutes until the McAfee ESM applies the changes.