CRL-00116 Rule Set: BotNet Detection Rule Pack
Does anybody have or use the rule CRL-00116 Rule Set: BotNet Detection Rule Pack? This was released back in April of 09 if I am not mistaken.
However, after upgrading to Envision 4.0 I do not see such a rule any longer. I have applied several content updates since and noticed that this rule does not show up in the correlation_1001 folder.
If you do have the rule can you please share the XML?
What you will need to do is rename your \NIC\backup directory to something else (i.e. \NIC\oldbackup) and then reapply the latest ESU. What I believe is happening is that the ESU believes you have the most current version of that content, which didn't migrate when you upgraded to version 4.0, and therefore doesn't re-install the content.
I have this rule, but it's triggering lots of false positives. I had tried adjusting the baseline to 1 hour and increasing the threshold, but it does not seem to work.
The activities are primarily SMTP and DNS, and from different IP addresses.
Any advice? Thanks in advance.
You go into the Statements of the Correlation Rule and then to the Threshold part, where you can make the changes that you want to the baseline. You can change the percentage and you can change the time there.