This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Identifying Msg_IDs description in ESA Alerts

WardellMotley1
Beginner
Beginner

‎2016-06-14 11:32 AM

Hi everyone!

 

We are currently working on some tuning in ESA alerts and came across some MSG_ids  that we cannot identify

The two alerts are listed below with associated message IDs that we need descriptions for

 

- Multiple Logs from MsgID Set with Same SourceIP DestinationIP

Msg_id in the syntax of the rule are ('00490' , ' 00490:08',' 00490:21' , '00004:16', ' 00490:01', '00490:07' , '00490:08' , '106001','106001:01','106002'

 

 

-Multiple Unique Logs from MsgID Set with Same Source and Destination IP

Msg_id in the syntax of the rule are ('00490', '00490:06','00490:08','00490:21')

0 Likes
4 REPLIES 4

SoumyajitDhara
Beginner
Beginner

‎2016-06-15 04:42 AM

Hi,

 

For which device.type you got this information ?

0 Likes

WardellMotley1
Beginner
Beginner
In response to SoumyajitDhara

‎2016-06-15 09:05 AM

These MsgIDs are actually built into an RSA rule below are the syntax. We are trying to find out the description of the MsgID within the syntax

 

@Name('Module_esa000071_Alert')

@Description('Multiple Logs from MsgID Set with Same SourceIP and DestinationIP')

@RSAAlert(oneInSeconds=0, identifiers={"ip_src, ip_dst"})

 

 

SELECT * FROM

  Event(

  ip_src IS NOT NULL

  AND

  ip_dst IS NOT NULL

  AND

  msg_id IN ('00490' , '00490:08' , '00490:21' , '00004:16' , '00490:01' , '00490:07' , '00490:08' , '106001' , '106001:01' , '106002')

  ).std:groupwin(ip_src, ip_dst).win:time_length_batch(300 seconds, 10) GROUP BY ip_src, ip_dst HAVING COUNT(*) = 10;

 

 

 

 

Description: Multiple unique log events from group of message IDs (each log has to have a unique message ID among the specified set of IDs) with same source IP and destination IP that take place within given time window. Number of log events, list of message IDs to be monitored, whitelist of source and destination IPs and time window are configurable. The default number of log events is 3 and the time window is 300 seconds (5 minutes).

 

 

Version: 2

*/

 

 

module Module_esa000072;

 

 

 

 

 

 

@Name('Module_esa000072_Alert')

 

 

@RSAAlert(oneInSeconds=0, identifiers={"ip_src, ip_dst"})

 

 

SELECT * FROM

 

 

  Event(

  medium = 32

  AND

  ip_src IS NOT NULL

  AND

  ip_src NOT IN ('1.1.1.1' , '2.2.2.2')

  AND

  ip_dst IS NOT NULL

  AND

  ip_dst NOT IN ('1.1.1.1' , '2.2.2.2')

  AND

  msg_id IN ('00490' , '00490:06' , '00490:08' , '00490:21')

  ).std:groupwin(ip_src, ip_dst).win:time_length_batch(300 seconds, 3).std:unique(msg_id) GROUP BY ip_src, ip_dst HAVING COUNT(*) = 3;

0 Likes

SoumyajitDhara
Beginner
Beginner
In response to WardellMotley1

‎2016-06-16 01:52 AM

It is hard to identify device.type by looking on msg_id, until someone really remember these like windows reference_id.

 

My suggestion : Copy all the msg_id from this rules and test SA Investigate > Navigate section  and under Query put it as per below.

msg.id = '00490','00490:06','00490:08','00490:21'

msg.id = '00490','00490:08','00490:21','00004:16','00490:01','00490:07','00490:08','106001','106001:01','106002'

 

You will definitely get some result by selecting Log Concentrator or Broker (if you have in your environment) as a service during Investigation Page.

SalSanshez
Beginner
Beginner

‎2016-09-25 01:13 AM

You could create a report for device.type where msg.id = 00490','00490:08','00490:21','00004:16','00490:01','00490:07','00490:08','106001','106001:01','106002'

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.