‎2011-10-03
06:30 AM
How to filter a network of IPs
Hi, I have created a correlation rule where I would like to create alerts when usernames from outside a specific network log in to an F5 Firepass device. I am performing multithreading based on the username. The problem that I am facing is that I cannot add a network of IPs in the filter section of the correlation statement. I have tried with one IP and it works, but I tried putting 10.24.12.20/24 and this didn't work. How can I add a whole network to be excluded from the correlation rule? Thanks, Eleni
8 Replies
‎2011-10-03
08:31 AM
I used a regular expression in a watchlist and it seems to be working now. I will perform more tests on that. Is that a valid approach? Thanks, Eleni
‎2011-10-12
10:29 AM
You will need to do it as a regular expression (or set of regular expressions) as you already indicated. That is a perfectly valid way to approach the problem!
‎2011-11-08
10:48 AM
A neat trick is that you can use the "Between" operator. So this can be used to filter out a range of IP addresses, i.e. DeviceAddress Between '10.24.12.20' AND '10.24.12.250'
‎2011-11-14
10:39 AM
I am not aware of the BETWEEN operator being supported. Do you have an example of where this operator will work, i.e. a report or query that uses this operator?
Paul
‎2011-11-15
03:41 AM
I haven't come across any "Between" operator. I do know, though, that 1) one can list all the IP addresses in a watchlist and use "Not in Watchlist", 2) configure a regex pattern and use the same, 3) configure a "Not in" operator and mention each IP address as a new value (using
in the UI) for the same operator.

‎2011-11-15
04:56 AM
Hi Paul,
There are two operators I have found that work within enVision that are not listed nor in any pre-made reports. The BETWEEN and !=
These could be used for example to search a specific range of IP Addresses or exclude an IP address:
1) DeviceAddress BETWEEN '192.168.0.0' AND '192.168.255.255'
2) DeviceAddress !='x.x.x.x'
I also believe that the XOR operator works as well - ^
‎2011-11-28
12:29 PM
I have done this with regex. Here is a handy site that will build the regex for you! http://www.analyticsmarket.com/freetools/ipregex
‎2012-02-24
04:21 PM
Yes. This site. We discovered it a few weeks ago for a project. Handy indeed. Now to make a local copy of it
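Added example (not part of any post in this thread, and not enVision code): a small local builder for the kind of watchlist regex discussed above, turning a CIDR such as 10.24.12.20/24 into an anchored pattern and comparing it with a loose hand-written one. The function names and sample addresses are constructed for illustration, and it assumes the target regex engine accepts `^`, `$`, `(?:...)` and character classes.

```python
import ipaddress
import re

# Any single octet 0-255 without leading zeros.
ANY_OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"

def cidr_to_regex(cidr: str) -> str:
    """Return an anchored regex matching exactly the IPv4 addresses in cidr."""
    # strict=False accepts host bits, so 10.24.12.20/24 becomes 10.24.12.0/24.
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("IPv4 only")
    first = net.network_address.packed    # lowest address, as 4 bytes
    last = net.broadcast_address.packed   # highest address, as 4 bytes
    parts = []
    for lo, hi in zip(first, last):
        if lo == hi:                      # octet fixed by the prefix
            parts.append(str(lo))
        elif (lo, hi) == (0, 255):        # octet fully inside the host part
            parts.append(ANY_OCTET)
        else:                             # prefix ends inside this octet
            parts.append("(?:" + "|".join(str(n) for n in range(lo, hi + 1)) + ")")
    # Escaped dots and ^...$ prevent matches such as 110.24.12.5 or 10.24.120.7.
    return "^" + r"\.".join(parts) + "$"

def outside_network(pattern: str, addrs):
    """Addresses that do NOT match, i.e. the logins the rule should alert on."""
    rx = re.compile(pattern)
    return [a for a in addrs if not rx.search(a)]

# Constructed sample source addresses (not taken from the thread).
SAMPLE = ["10.24.12.20", "10.24.12.255", "10.24.13.1",
          "110.24.12.5", "10.24.120.7", "10.24.12.256"]

if __name__ == "__main__":
    strict = cidr_to_regex("10.24.12.20/24")
    print(strict)
    print("strict pattern alerts on:", outside_network(strict, SAMPLE))
    # A loose pattern (unescaped dots, no anchors) silently excludes too much.
    print("loose pattern alerts on: ", outside_network("10.24.12.", SAMPLE))
```

With the loose pattern, only 10.24.13.1 would raise an alert; the other three out-of-network sample addresses are treated as internal.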
