This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Rock and Rule!

Go to solution
PhilFinn
Beginner
Beginner

‎2014-01-09 09:33 AM


Hey I'm sure this is a easy question.  Can anyone tell me why the && Not section of this rule is not working.

ip.dst=131.253.18.0/24 || ip.dst=199.2.137.0/24 || ip.dst=207.46.90.0/24 || ip.dst=1.1.1.0/24 && (ip.src!=10.10.10.101 || ip.src!=10.10.10.102 || ip.src!=10.10.10.103)

 

And why the heck can't I paste into these dicussions!

 

Phil

0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
RSAAdmin
Beginner
Beginner

‎2014-01-09 11:49 AM

Sorry about not being able to paste.  Looking at your rule, I rarely use the ORing function.  Your rule would work just as well as lists-

 

ip.dst=131.x.x.x/24,199.x.x.x/24,207.x.x.x/24, && ip.src !=10.10.10.101-10.10.10.103

 

This is the same logic, and removes the ORing boolean function.  Let me know if that works better.

View solution in original post

0 Likes
2 REPLIES 2

Go to solution
RSAAdmin
Beginner
Beginner

‎2014-01-09 11:49 AM

Sorry about not being able to paste.  Looking at your rule, I rarely use the ORing function.  Your rule would work just as well as lists-

 

ip.dst=131.x.x.x/24,199.x.x.x/24,207.x.x.x/24, && ip.src !=10.10.10.101-10.10.10.103

 

This is the same logic, and removes the ORing boolean function.  Let me know if that works better.

0 Likes

Go to solution
RSAAdmin
Beginner
Beginner

‎2014-01-10 08:05 PM

Fielder's answer works, but I'll speak to the original problem just for informational purposes - it looks like a logic error.

(ip.src!=10.10.10.101 || ip.src!=10.10.10.102 || ip.src!=10.10.10.103)

 

This will actually MATCH (return "true") with a source IP of 10.10.10.101.

 

Since all the terms are OR'd, if any one of them is TRUE then the entire expression evaluates to TRUE.

 

When your source IP is 10.10.10.101, the first comparison evaluates to FALSE (ip.src!=10.10.10.101) as expected, BUT "ip.src!=10.10.10.102" evaluates to TRUE ... since one of the terms is true, and the terms are OR'd, the whole grouping will evaluate to TRUE.

 

I suspect the logic you're really looking for is:

 

     (ip.src!=10.10.10.101 && ip.src!=10.10.10.102 && ip.src!=10.10.10.103)

 

Now all three conditions must be true - the source IP cannot be any of the three IPs - before it will match.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.