RSA enVision^® Discussions

RSAAdmin · ‎2011-08-11

We are facing issues while applying filters on rules. Please have a look at below example & suggest how we can apply the filter for same.

Lets say I want to filter below conditions from Alert

1)Source IP A with Signature B

2) Source IP C with Signature D

As per my experience with RSA we can write this filter in 2 Patters :

1Patter:

Source IP = A

AND

Signature = B

OR

Source IP = C

AND

Signature =D

If we go with the order it will not give the desired result since it will work like as follows

Source IP = A AND (Signature = B OR Source IP = C) AND Signature = D

Whereas we want below result

(Source IP = A AND Signature = B) OR (Source IP = C AND Signature =D )

2 Pattern:

Source IP = A C AND Signature =B D

This will filter the Source IP A & Signature D which we dont want.

Request you to suggest me on this since we are receiving large number of alerts from 2 IP with different signatures which we want to whitelist via ruleset.

RSAAdmin · ‎2011-08-11

This is an issue that I have had to deal with in the past as well. I set up the filter as you did which at the time was told that the way you wrote the filter should work...i.e. this (Source IP = A AND Signature = B) OR (Source IP = C AND Signature =D ) is implied. Did you test the alert to see if it works?

If that doesn't work, another way around this is to break it into 2 statements. It isn't efficient because you have to look at the same data twice, but it should work.

Pual

RSA enVision® Discussions

Issue with filter conditions in rule finetuning.

RSA enVision^® Discussions