2018-07-04 12:15 PM
Hello!
How can I exclude a subnet in an ESA rule? Example: ip_src IS NOT "10.0.0.0/8". I tried this option, and also substituting the octets with "x,*,%", and it did not work. Can you help me?
2018-07-04 12:27 PM
Try:
ip_src NOT REGEXP "10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}"
Please put that in notepad first as the quotes in email may be “smart quotes”.
Sent from my iPhone
2018-07-04 12:53 PM
Done! Thanks Naushad
2018-07-04 01:26 PM
Or take the additional load that comes with REGEX off the ESA system and use an apprule to create a meta tag that can be excluded downstream, if possible. Not sure what your rule logic is, but that will help pre-process the data and give you more tags to include or exclude on.
2018-07-04 01:31 PM
You can try this instead:
NOT matchLike(ip_src, "10.0.0.%")
There is also a matchRegex helper function; both examples are shown in the link below, in Example 7:
https://community.rsa.com/docs/DOC-80032
Sent from my iPhone
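An added example, not part of any post in this thread: a Python check of the two patterns posted above against real CIDR membership for 10.0.0.0/8, using constructed sample addresses. It assumes REGEXP must match the whole value and that matchLike follows SQL LIKE wildcard rules; the function names are hypothetical, and a substring-style regex match is included for contrast.

```python
import ipaddress
import re

THREAD_REGEX = r"10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}"  # pattern from the thread
THREAD_LIKE = "10.0.0.%"                                   # pattern from the thread

def regexp_full(pattern, value):
    # Assumption: REGEXP has to match the whole value.
    return re.fullmatch(pattern, value) is not None

def regexp_search(pattern, value):
    # Contrast case: an engine that accepts a match anywhere in the value.
    return re.search(pattern, value) is not None

def like(pattern, value):
    # Assumption: SQL-style LIKE, "%" = any run of characters, "_" = one character.
    rx = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value) is not None

def in_cidr(cidr, value):
    # Ground truth: actual subnet membership.
    return ipaddress.ip_address(value) in ipaddress.ip_network(cidr)

# Constructed sample source addresses.
SAMPLES = ["10.0.0.5", "10.200.3.4", "110.1.2.3", "172.16.0.1", "192.168.10.1"]

def disagreements(cidr="10.0.0.0/8", samples=SAMPLES):
    """Map each matcher to the samples where it differs from CIDR membership."""
    matchers = {
        "regexp_full": lambda ip: regexp_full(THREAD_REGEX, ip),
        "regexp_search": lambda ip: regexp_search(THREAD_REGEX, ip),
        "like": lambda ip: like(THREAD_LIKE, ip),
    }
    return {name: [ip for ip in samples if fn(ip) != in_cidr(cidr, ip)]
            for name, fn in matchers.items()}

if __name__ == "__main__":
    for name, wrong in disagreements().items():
        print(f"{name:14} differs from 10.0.0.0/8 on: {wrong or 'nothing'}")
```

Under these assumptions the full-match regex agrees with the /8 on every sample, a substring match would also exclude 110.1.2.3, and the "10.0.0.%" pattern covers only 10.0.0.x.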