OK so here my problem. I have some rules that I have created that are matching against certain criteria. Below is an example of such a rule.
service = 80 && alert = 'web_susp_act' && (risk.info != 'http direct to ip request','direct to ip http request' && risk.suspicious != 'http direct to ip request','direct to ip http request')
I want this rule to ignore anything from my internal domain so 'NTRS.com'
I tried adding the following to the end of this rule:
...http request' && alias.host !ends NTRS.com)
...http request' && alias.host !contains NTRS.com)
...http request' && alias.host regex (.+(?<!ntrs)\.com))
Can you tell me how I can accomplish this task?
The reason you are not seeing your rules accomplish anything is because the !ends and !contains do not work. What I would do is put at the top of the app rules a rule.
alias.host ends 'NTRS.com'
alert on alert
Because the rules process from top down you should be able to use this rule in a rule below it, I could be wrong. But then you would just need to add ...http request') && alert != 'internal_domain'.
Let me know if this works.
View solution in original post
Determining directionality is actually pretty easy with NetWitness/SA.
To look at only traffic going outbound, make a rule that includes && org.dst exists
This will eliminate all internal traffic from RFC 1918 addresses. But if you have a publicly routable net range, the rule is the same except you want org.dst exists && org.dst !="your-org"
And you seem to basically want to ignore all internal direct to IP connections.
The best and simplest rule would be to create an alert on service=80 && alias.host !exists && org.dst exists && org.dst !="your_org"
Name the rule Outbound Direct to IP and write your other rules based off of this condition.
BTW, I'd be wary about disclosing identifying information such as your domain name above. You can edit that back out if you wish.