Filtering with a two-dimensional (pair of values) watchlist
I have a correlated alert about critical connections with the firewall as an event source.
I want to make exceptions with pairs of values, for example:
(IP1 with Port1) No alert
(IP2 with Port2) No alert
(IP3 with Port3) Alert
So I want to put those pair values (IP1, Port1) and (IP2, Port2) in a watchlist - or if there is another way - and filter my alert on them.
Is there any way to do that?
I would suggest creating two statements; let's call them S1 and S2, and build your filters as follows:
S1: Alert if IP IS NOT IP1 AND Port IS NOT Port1
S2: Alert if IP IS NOT IP2 AND Port IS NOT Port2
Thank you Ahmed, but the problem is that I wanted to make it a dynamic list, so that I can add a new exception record every now and then and have it applied directly.
I don't want to make a new statement every day for each exception.
The current implementation of watchlists does not support value pairs.
How many ports do you want to monitor? You could write a statement for each port and then have a watchlist of IPs that apply to each statement. Something like this:
Statement One: Port IN 25 AND Source Address NOT IN Watchlist "IPs Allowed Port 25"
Statement Two: Port IN 80 AND Source Address NOT IN Watchlist "IPs Allowed Port 80"
Will this work for you?
Well, I don't think you can put all your IP addresses and ports in the same watchlist and filter on its values; the alerter will not trigger alarms as you expect it to. You will need to put every pair in a separate watchlist and then create a statement for it, which is going to be more work than my previous suggestion.
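To make the difference between pair-based and flat suppression concrete, here is an added example in Python. It is not part of the thread and not code from any SIEM product; the exception file format, the key=value firewall log format and the sample addresses are all constructed for illustration. It loads an editable list of (IP, port) pairs, evaluates firewall events against it, and contrasts that with what happens when the same list is split into one watchlist of IPs and one of ports, which suppresses the whole cross product rather than only the listed pairs.

```python
import csv
import io
import re
from ipaddress import ip_address

# Constructed exception list: each row is one (source IP, destination port)
# pair that must NOT raise an alert. Editing this text is the "dynamic" part:
# reload it and the new exception applies, no correlation rule changes needed.
PAIR_EXCEPTIONS = """ip,port
10.0.0.5,25
10.0.0.7,80
"""

# Constructed firewall events in a generic key=value layout (hypothetical
# format, not any vendor's real log syntax).
FIREWALL_LOG = """src=10.0.0.5 dst=203.0.113.10 dport=25 action=allow
src=10.0.0.7 dst=203.0.113.10 dport=80 action=allow
src=10.0.0.5 dst=203.0.113.10 dport=80 action=allow
src=192.0.2.9 dst=203.0.113.10 dport=443 action=allow
"""

LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def load_pair_exceptions(text):
    """Parse the pair list into a set of (normalized IP string, int port)."""
    pairs = set()
    for row in csv.DictReader(io.StringIO(text)):
        ip = str(ip_address(row["ip"].strip()))  # ValueError on a malformed IP
        port = int(row["port"])
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        pairs.add((ip, port))
    return pairs


def parse_events(text):
    """Extract source IP and destination port from each log line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            events.append({"src": str(ip_address(m["src"])), "dport": int(m["dport"])})
    return events


def should_alert_pairwise(event, pairs):
    """Suppress only when this exact (IP, port) pair is on the list."""
    return (event["src"], event["dport"]) not in pairs


def should_alert_flat(event, pairs):
    """What two independent watchlists (all listed IPs, all listed ports)
    built from the same rows would do: any listed IP combined with any
    listed port is suppressed, i.e. the cross product, not the pairs."""
    ips = {ip for ip, _ in pairs}
    ports = {p for _, p in pairs}
    return not (event["src"] in ips and event["dport"] in ports)


def filter_alerts(log_text, exceptions_text, matcher=should_alert_pairwise):
    """Return the events that still alert after applying the exception list."""
    pairs = load_pair_exceptions(exceptions_text)
    return [e for e in parse_events(log_text) if matcher(e, pairs)]


if __name__ == "__main__":
    for e in filter_alerts(FIREWALL_LOG, PAIR_EXCEPTIONS):
        print(f"ALERT {e['src']}:{e['dport']}")
```

With the sample data, pair-based matching still alerts on 10.0.0.5 reaching port 80 (only 10.0.0.5:25 is excepted), while the flat variant silently drops that event because both the IP and the port appear somewhere in the list. That missed alert is the failure mode the last reply warns about when IPs and ports share one watchlist.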