Host scanning multiple subnets...
Logically it seems easy, but I can't figure out how to create it in enVision with a correlated rule..
Subnets are divided up here: 172.21.x.x, 172.23.x.x, 172.18.x.x, 172.29.x.x, 172.19.x.x, etc.
I am looking to find someone from any source address that has done a port scan on more than one subnet...
For example: I scanned 172.21.x.x and then scanned 172.19.x.x... it should fire... if I scanned 172.21.x.x followed by another in 172.21.x.x it shouldn't...
In our old system, this was a 3 page long rule that had every this-followed-by-that comparison... is there a more condensed, easier way to write this in enVision?
If an address scans one of these ranges, followed by a different one of the ranges...
Hi,
This can be configured in the "add filter" of a rule statement. You can select destination address as the variable and match it with a regex like ^172.21 in the first statement, ^172.22 in the second statement, and so on.
You can also create separate circuits instead of separate statements if you want to see all the events in the alert that matched the condition in the rule.
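The condensed logic behind the question (one source, port-scan events landing in more than one of the watched /16 ranges, with repeats inside the same range not firing) as an added example, not enVision rule syntax or code from either poster: it counts distinct subnets per source instead of enumerating every this-followed-by-that pair. The event format and addresses are constructed, and the regexes escape the dots so ^172\.21\. does not also match an address such as 172.210.x.x, which the unescaped ^172.21 from the reply would.

```python
import re
from collections import defaultdict

# Constructed sample port-scan events (not real enVision output):
# one event per line with the scanning source and the scanned host.
SAMPLE_EVENTS = """\
src=10.0.0.5 dst=172.21.4.10 type=portscan
src=10.0.0.5 dst=172.21.9.3 type=portscan
src=10.0.0.7 dst=172.23.1.1 type=portscan
src=10.0.0.5 dst=172.19.2.2 type=portscan
src=10.0.0.7 dst=172.23.8.8 type=portscan
src=10.0.0.9 dst=172.210.1.1 type=portscan
"""

# Watched /16 ranges from the thread. Escaped dots plus the trailing
# "\." keep 172.21 from matching 172.210.x.x or 172x21.x.x.
SUBNET_PATTERNS = {
    "172.18.0.0/16": re.compile(r"^172\.18\."),
    "172.19.0.0/16": re.compile(r"^172\.19\."),
    "172.21.0.0/16": re.compile(r"^172\.21\."),
    "172.23.0.0/16": re.compile(r"^172\.23\."),
    "172.29.0.0/16": re.compile(r"^172\.29\."),
}

EVENT_RE = re.compile(r"src=(\S+) dst=(\S+) type=portscan")


def subnet_of(dst):
    """Return the name of the watched subnet containing dst, or None."""
    for name, pattern in SUBNET_PATTERNS.items():
        if pattern.match(dst):
            return name
    return None


def multi_subnet_scanners(events):
    """Map each source that scanned more than one watched subnet to the
    sorted list of subnets it touched; single-subnet scanners are dropped."""
    seen = defaultdict(set)
    for line in events.splitlines():
        match = EVENT_RE.match(line)
        if not match:
            continue  # not a port-scan event; ignore
        src, dst = match.groups()
        subnet = subnet_of(dst)
        if subnet:
            seen[src].add(subnet)
    return {src: sorted(subs) for src, subs in seen.items() if len(subs) > 1}


if __name__ == "__main__":
    for src, subs in multi_subnet_scanners(SAMPLE_EVENTS).items():
        print(f"ALERT {src} scanned {len(subs)} subnets: {', '.join(subs)}")
```

Only 10.0.0.5 fires here: 10.0.0.7 scanned the same range twice and 10.0.0.9 hit an address outside every watched range.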
