2017-12-20 06:52 AM
Can the parameters of ESA Live rules be changed? I ask this because I am trying some of the rules from Live and am noticing a high amount of false positives in certain cases and would like to add parameter conditions to exclude items like proxy IPs, etc. Something as simple as ip.addr != 192.168.6.10. I cannot seem to find a way to add or remove any parameters. Does anyone happen to know if these are able to be tuned?
2017-12-20 09:04 AM
Hello Jay,
I don't know if it is possible to add parameter conditions, but you can use Show Syntax, copy the source and use this source to create an Advanced EPL rule.
Example:
/*
Description: Alert when network sessions contain 40 unique IP destinations with the same source IP and destination port within 180 seconds indicating a horizontal port scan. The time window, destination port range and number of unique IP destinations are configurable.
Version: 2
*/
module Module_esa000033;
@Name('Module_esa000033_Alert')
@RSAAlert(oneInSeconds=0, identifiers={"ip_src"})
SELECT * FROM
    Event (
        medium = 1
        AND ip_src IS NOT NULL
        AND ip_dst IS NOT NULL
        AND
        (
            tcp_dstport in [1:1024]
            OR
            udp_dstport in [1:1024]
        )
        // tuning condition added to the Live rule source: drop events for the excluded address
        AND ip_addr NOT IN ('192.168.6.10')
    ).std:groupwin(ip_src, tcp_dstport, udp_dstport)
    .std:unique(ip_dst)
    .win:time_length_batch(180 seconds, 40)
GROUP BY ip_src, tcp_dstport, udp_dstport
HAVING count(ip_dst) = 40
;
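The same tuning approach carried a step further, as an added example that is not part of the original post or the Live rule: several proxy addresses are excluded at once, and the exclusion is applied to ip_src and ip_dst explicitly (the assumption here is that a proxy can appear on either side of a session, and that filtering in the Event stream, before the group and time windows, is what keeps excluded sessions from counting towards the 40). The proxy addresses are constructed placeholders.

```epl
/*
Description: Horizontal port scan rule (Module_esa000033) with a proxy exclusion list.
Sessions where the source or destination is a known proxy are filtered out of the
Event stream before the grouping and unique-destination windows are built, so they
never contribute to the 40-destination threshold.
*/
module Module_esa000033_tuned;
@Name('Module_esa000033_tuned_Alert')
@RSAAlert(oneInSeconds=0, identifiers={"ip_src"})
SELECT * FROM
    Event (
        medium = 1
        AND ip_src IS NOT NULL
        AND ip_dst IS NOT NULL
        AND
        (
            tcp_dstport in [1:1024]
            OR
            udp_dstport in [1:1024]
        )
        // constructed placeholder proxy addresses; replace with the real proxy list
        AND ip_src NOT IN ('192.168.6.10', '192.168.6.11')
        AND ip_dst NOT IN ('192.168.6.10', '192.168.6.11')
    ).std:groupwin(ip_src, tcp_dstport, udp_dstport)
    .std:unique(ip_dst)
    .win:time_length_batch(180 seconds, 40)
GROUP BY ip_src, tcp_dstport, udp_dstport
HAVING count(ip_dst) = 40
;
```

Because the filter sits inside the Event(...) clause, an excluded proxy neither fires the alert as a scanning source nor inflates another host's unique-destination count as a scanned target.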
2017-12-20 02:05 PM
Thanks Roberto - That worked perfectly.
RSA - as a quick note, it would be great if you could simplify tuning of NW by allowing a right-click feature to exclude or include IPs and other objects of interest that have impact on rules. Quick reference: IBM QRadar...