Issue with filter conditions in rule finetuning.
We are facing issues while applying filters on rules. Please have a look at the example below & suggest how we can apply the filter for the same.
Let's say I want to filter the below conditions from Alert:
1) Source IP A with Signature B
2) Source IP C with Signature D
As per my experience with RSA we can write this filter in 2 Patterns:
Source IP = A
Signature = B
Source IP = C
If we go with the order it will not give the desired result since it will work as follows:
Source IP = A AND (Signature = B OR Source IP = C) AND Signature = D
Whereas we want the below result:
(Source IP = A AND Signature = B) OR (Source IP = C AND Signature = D)
Source IP = A C AND Signature = B D
This will filter the Source IP A & Signature D which we don't want.
Request you to suggest on this since we are receiving a large number of alerts from 2 IPs with different signatures which we want to whitelist via ruleset.
This is an issue that I have had to deal with in the past as well. I set up the filter as you did, which at the time I was told should work...i.e. this (Source IP = A AND Signature = B) OR (Source IP = C AND Signature = D) is implied. Did you test the alert to see if it works?
If that doesn't work, another way around this is to break it into 2 statements. It isn't efficient because you have to look at the same data twice, but it should work.
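The four readings of the filter discussed in this thread (the left-to-right precedence the poster fears, the intended grouping, the "A C / B D" list form, and the reply's two-statement split) can be checked against a handful of alerts to see exactly which ones each reading would whitelist. This is an added example, not RSA rule syntax and not code from either poster; the alert records, the placeholder IPs and signature names, and the function names are all constructed here for illustration.

```python
# Constructed stand-ins for the thread's placeholders A, C (source IPs) and B, D (signatures).
SRC_A, SRC_C = "192.0.2.10", "192.0.2.20"   # documentation-range IPs, not real hosts
SIG_B, SIG_D = "sig-B", "sig-D"             # hypothetical signature names

# Constructed alert set: the two pairs that should be whitelisted, the two "cross"
# pairs (A/D and C/B) that the list form over-matches, and one unrelated alert.
ALERTS = [
    {"id": 1, "src_ip": SRC_A, "signature": SIG_B},
    {"id": 2, "src_ip": SRC_C, "signature": SIG_D},
    {"id": 3, "src_ip": SRC_A, "signature": SIG_D},   # must NOT be whitelisted
    {"id": 4, "src_ip": SRC_C, "signature": SIG_B},   # must NOT be whitelisted
    {"id": 5, "src_ip": "198.51.100.7", "signature": SIG_B},
]


def filter_left_to_right(alert):
    """The precedence the poster worries about:
    Source IP = A AND (Signature = B OR Source IP = C) AND Signature = D."""
    ip, sig = alert["src_ip"], alert["signature"]
    return ip == SRC_A and (sig == SIG_B or ip == SRC_C) and sig == SIG_D


def filter_desired(alert):
    """The intended grouping:
    (Source IP = A AND Signature = B) OR (Source IP = C AND Signature = D)."""
    ip, sig = alert["src_ip"], alert["signature"]
    return (ip == SRC_A and sig == SIG_B) or (ip == SRC_C and sig == SIG_D)


def filter_list_form(alert):
    """The 'Source IP = A C AND Signature = B D' form: two independent value lists.
    Every combination of listed IP and listed signature matches, including A/D and C/B."""
    return alert["src_ip"] in {SRC_A, SRC_C} and alert["signature"] in {SIG_B, SIG_D}


def rule_a_b(alert):
    """First of the two separate statements suggested in the reply."""
    return alert["src_ip"] == SRC_A and alert["signature"] == SIG_B


def rule_c_d(alert):
    """Second of the two separate statements suggested in the reply."""
    return alert["src_ip"] == SRC_C and alert["signature"] == SIG_D


def filter_two_statements(alert):
    """Two whitelist statements evaluated independently; an alert is suppressed
    if either one matches. Logically identical to filter_desired."""
    return rule_a_b(alert) or rule_c_d(alert)


def whitelisted(filter_fn, alerts=ALERTS):
    """Return the ids of the alerts a given filter reading would suppress."""
    return [a["id"] for a in alerts if filter_fn(a)]


def over_suppressed(filter_fn, alerts=ALERTS):
    """Alerts a filter reading suppresses beyond the intended A/B and C/D pairs.
    Anything listed here is an alert the ruleset would silently drop."""
    intended = set(whitelisted(filter_desired, alerts))
    return sorted(set(whitelisted(filter_fn, alerts)) - intended)


if __name__ == "__main__":
    for name, fn in [("left-to-right", filter_left_to_right),
                     ("desired grouping", filter_desired),
                     ("A C / B D list form", filter_list_form),
                     ("two statements", filter_two_statements)]:
        print(f"{name:22s} suppresses {whitelisted(fn)}  over-suppresses {over_suppressed(fn)}")
```

Running it shows the left-to-right reading can never match (it requires Signature to be both B-or-via-C and D at once, so nothing is whitelisted and the alert flood continues), the list form suppresses alerts 3 and 4 in addition to the intended pair (a real detection gap for A/D and C/B traffic), and the two-statement split produces exactly the same set as the intended grouping. The cost the reply mentions is visible too: the two-statement version evaluates each alert against both rules rather than once.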