This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
JimHarbin
Beginner
Beginner
‎2011-07-14 10:56 AM

Host scanning multiple subnets...

Logically seems easy but I can't figure out how to create it in enVision with a correlated rule..

 

Subnets are divided up here:  172.21.x.x, 172.23.x.x, 172.18.x.x, 172.29.x.x, 172.19.x.x, etc.

 

I am looking to find someone from any source address that has done a port scan on more than one subnet... 

 

For example:  I scanned 172.21.x.x and then scanned 172.19.x.x... it should fire... if I scanned 172.21.x.x followed by another in 172.21.x.x it shouldn't...

 

In our old system, this was a 3 page long rule that had every this-followed-by-that comparison... is there a more condensed, easier way to write this in enVision?

 

If an address scans one of these ranges, followed by a different one of the ranges...

 

0 Likes
Reply
1 Reply
RSAAdmin
Beginner
Beginner
‎2011-08-03 04:54 AM

Hi,

 

This can be configured in the "add filter" in a rule statement, You can select destination address as the variable and match it with a regex like ^172.21 in the first statement , and in the second statement as ^172.22 and so on ..

 

You can also create separate circuits instead of separate statements if you want to see all the events in the alert that matched the condition in the rule

Preview file
2 KB
0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.