NetWitness Community

JayWatson · ‎2017-12-20

Can the parameters of ESA Live rules be changed? I ask this because I am trying some of the rules from Live and am noticing a high amount of false positives in certain cases and would like to add parameter conditions to exclude items like proxy IPs, etc. Something as simple as ip.addr != 192.168.6.10. I cannot seem to find a away to add or remove any parameters. Does anyone happen to know if these are able to be tuned?

robertofasciani · ‎2017-12-20

Hello Jay,

I don't know if it is possible to add parameter conditions, but you can show syntax, copy the source and use this source to create ad Advanced EPL rules.

EX:

/*
Description: Alert when network sessions contain 40 unique IP destinations with the same source IP and destination port within 180 seconds indicating a horizontal port scan. The time window, destination port range and number of unique IP destinations are configurable.

Version: 2
*/
module Module_esa000033;

@Name('Module_esa000033_Alert')
@RSAAlert(oneInSeconds=0, identifiers={"ip_src"})

SELECT * FROM
Event (
medium = 1
AND ip_src IS NOT NULL
AND ip_dst IS NOT NULL
AND
(
tcp_dstport in [1:1024]
OR
udp_dstport in [1:1024]
)

AND ip_addr NOT IN ('192.168.6.10')

).std:groupwin(ip_src, tcp_dstport, udp_dstport)
.std:unique(ip_dst)
.win:time_length_batch(180 seconds, 40)
GROUP BY ip_src, tcp_dstport, udp_dstport
HAVING count(ip_dst) = 40
;

JayWatson · ‎2017-12-20

Thanks Roberto - That worked perfectly.

RSA - as a quick note, it would be great if you could simplify tuning of NW by allowing a right-click feature to exclude or include IPs and other objects of interest that have impact on rules. Quick reference: IBM QRadar...

NetWitness Community

ESA Live Rules - Tuning?