NetWitness Community
NetWitness Discussions
Up a creek without some Regex!
PhilFinn
2014-01-14 12:12 PM


OK so here is my problem. I have some rules that I have created that are matching against certain criteria. Below is an example of such a rule.


service = 80 && alert = 'web_susp_act' && (risk.info != 'http direct to ip request','direct to ip http request' && risk.suspicious != 'http direct to ip request','direct to ip http request')


I want this rule to ignore anything from my internal domain so 'NTRS.com'


I tried adding the following to the end of this rule:

...http request' && alias.host !ends NTRS.com)

...http request' && alias.host !contains NTRS.com)

...http request' && alias.host regex (.+(?<!ntrs)\.com))


Can you tell me how I can accomplish this task?

Accepted Solutions
SeanKoniarz
2014-01-14 01:23 PM

The reason you are not seeing your rules accomplish anything is that the !ends and !contains do not work. What I would do is put a rule at the top of the app rules.


internal_domain

alias.host ends 'NTRS.com'

alert on alert


Because the rules process from top down you should be able to use this rule in a rule below it, I could be wrong. But then you would just need to add ...http request') && alert != 'internal_domain'.


Let me know if this works.

RSAAdmin
In response to SeanKoniarz
2014-01-14 06:24 PM

Determining directionality is actually pretty easy with NetWitness/SA.


To look at only traffic going outbound, make a rule that includes && org.dst exists


This will eliminate all internal traffic from RFC 1918 addresses. But if you have a publicly routable net range, the rule is the same except you want org.dst exists && org.dst !="your-org"


And you seem to basically want to ignore all internal direct to IP connections.


The best and simplest rule would be to create an alert on service=80 && alias.host !exists && org.dst exists && org.dst !="your_org"

Name the rule Outbound Direct to IP and write your other rules based off of this condition.


BTW, I'd be wary about disclosing identifying information such as your domain name above. You can edit that back out if you wish.

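Added example (not from this thread or from NetWitness itself): a small Python model of the top-down app-rule evaluation that both answers rely on, run over constructed sessions, plus a check of the regex from the question. The session dicts, OUR_ORG and the rule function names are assumptions made for the demonstration; the meta names are the ones used in the thread.

```python
import re

# Constructed sample sessions (not real captures); keys mirror the NetWitness
# meta names used in the thread. A missing key means the meta does not exist.
SESSIONS = [
    {"id": 1, "service": 80, "alias.host": "intranet.NTRS.com", "org.dst": "Example Org"},
    {"id": 2, "service": 80, "alias.host": "cdn.example.net", "org.dst": "Hosting Co"},
    {"id": 3, "service": 80, "org.dst": "Hosting Co"},                  # no hostname: direct to IP
    {"id": 4, "service": 80, "alias.host": "ntrs.com.evil.example", "org.dst": "Other Org"},
    {"id": 5, "service": 80, "alias.host": "10.1.2.3"},                 # no org.dst: stays internal
]
OUR_ORG = "Example Org"   # stands in for "your_org" in the thread

# The regex from the original post, tried as-is and with case folding.
POSTED_REGEX = re.compile(r".+(?<!ntrs)\.com")
POSTED_REGEX_CI = re.compile(r".+(?<!ntrs)\.com", re.IGNORECASE)

def regex_matches(host, pattern=POSTED_REGEX):
    # The lookbehind is case-sensitive, so 'NTRS.com' is NOT excluded as written.
    return pattern.search(host) is not None

def rule_internal_domain(s):
    # First rule in the list: alias.host ends 'NTRS.com' -> alert 'internal_domain'.
    # Hostnames are not case-sensitive, so compare lowercased.
    return s.get("alias.host", "").lower().endswith("ntrs.com")

def rule_outbound_direct_to_ip(s):
    # RSAAdmin's rule: service=80 && alias.host !exists && org.dst exists && org.dst != our org
    return (s.get("service") == 80 and "alias.host" not in s
            and "org.dst" in s and s["org.dst"] != OUR_ORG)

def rule_web_susp_external(s, alerts):
    # A later rule excludes internal hosts with alert != 'internal_domain'
    # instead of the unsupported !ends / !contains operators.
    return s.get("service") == 80 and "org.dst" in s and "internal_domain" not in alerts

def run_rules(sessions):
    # Rules are applied top-down; alerts raised by an earlier rule are visible
    # to the rules below it, which is what the accepted answer depends on.
    results = {}
    for s in sessions:
        alerts = []
        if rule_internal_domain(s):
            alerts.append("internal_domain")
        if rule_outbound_direct_to_ip(s):
            alerts.append("Outbound Direct to IP")
        if rule_web_susp_external(s, alerts):
            alerts.append("web_susp_act")
        results[s["id"]] = alerts
    return results
```

Session 4 shows why an 'ends' match is safer than 'contains': a host that merely contains ntrs.com is still treated as external.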
© 2022 RSA Security LLC or its affiliates. All rights reserved.