Seeking assistance to build ESA rules for alerting/reporting on traffic
from a list of restricted countries (say Russia, etc.) whose contents
have executables like .exe, .dll, .bin, .bat, .vbs, .js, etc. Thanks
Any suggestions or ideas for building a query to retrieve the following:
ip.src, ip.dst, country.dst, city.dst, domain.dst, action (country.dst = 'Albania'
OR country.dst = 'Armenia' OR country.dst = 'Azerbaijan' OR country.dst
= 'Belarus' OR country.dst = 'Cambodia...
We don't have a proxy. It started to work well, but then I downloaded the
pcap and saw the pcap reversed. In other words, NW shows the source IP (my
company segment). I download the pcap, run it in Wireshark, and it displays my
company as the destination IP.
Many thanks. The query worked well. I ran the query and, as expected, we
discovered one case. Our team did a deep dive and found the actual server is
in Luxembourg. Is there a way in NW we can retrieve that server residing
in another country?
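The country and executable-extension filter asked for above, combined with a check of both session directions to cover the reversed pcap described in the later posts, as an added Python example (not code from the thread and not a NetWitness rule; the meta key names follow the posts, while the company address range, record layout and sample sessions are assumptions):

```python
# Added example, not code from the thread or from NetWitness: the logic the
# requested ESA rule expresses, run over constructed meta records. Meta key
# names follow the thread; the company address range and samples are assumed.

RESTRICTED_COUNTRIES = {"Albania", "Armenia", "Azerbaijan", "Belarus",
                        "Cambodia", "Russia"}  # must match the GeoIP feed's strings
EXECUTABLE_EXTENSIONS = {"exe", "dll", "bin", "bat", "vbs", "js"}
COMPANY_PREFIX = "10.20."  # assumed company segment (the one seen in the pcap)

def is_internal(ip):
    return ip.startswith(COMPANY_PREFIX)

def remote_side(rec):
    """Return (remote_ip, remote_country, direction) regardless of which side
    NetWitness stored as source, so a session recorded in reversed direction
    (foreign server as ip.src, company host as ip.dst) is still evaluated."""
    src, dst = rec["ip.src"], rec["ip.dst"]
    if is_internal(src) and not is_internal(dst):
        return dst, rec.get("country.dst"), "outbound"
    if is_internal(dst) and not is_internal(src):
        return src, rec.get("country.src"), "inbound"
    return None, None, None  # internal-only or external-only session

def match_record(rec):
    """Alert dict when the remote side is in a restricted country and the
    session carried a file with an executable extension, else None."""
    ip, country, direction = remote_side(rec)
    if ip is None or country not in RESTRICTED_COUNTRIES:
        return None
    hits = sorted({e.lower().lstrip(".") for e in rec.get("extension", [])}
                  & EXECUTABLE_EXTENSIONS)
    if not hits:
        return None
    return {"remote_ip": ip, "country": country,
            "direction": direction, "extensions": hits}

def find_alerts(records):
    return [a for a in map(match_record, records) if a is not None]

SAMPLE_RECORDS = [  # constructed sample sessions, not real traffic
    {"ip.src": "10.20.5.7", "ip.dst": "203.0.113.10", "country.src": None,
     "country.dst": "Belarus", "extension": ["exe"]},
    {"ip.src": "198.51.100.4", "ip.dst": "10.20.5.9", "country.src": "Russia",
     "country.dst": None, "extension": ["DLL", "txt"]},   # stored reversed
    {"ip.src": "10.20.5.7", "ip.dst": "192.0.2.33", "country.src": None,
     "country.dst": "Luxembourg", "extension": ["exe"]},  # not restricted
    {"ip.src": "10.20.5.8", "ip.dst": "203.0.113.11", "country.src": None,
     "country.dst": "Belarus", "extension": ["pdf"]},     # no executable
]
print(*find_alerts(SAMPLE_RECORDS), sep="\n")
```

Because the remote side is resolved from the company address range rather than from ip.dst alone, a session stored in the reversed direction still reports the foreign server and its country, which is the case the reversed pcap would otherwise hide.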