Report against long Watchlist
Found a post a couple of days ago in the Intelligence community describing how to create an alert based on a 'dynamic' Watchlist of botnet Command & Control IP addresses.
I created the watchlist and decided to run a report at first rather than create an alert, to have a look at it.
It seems that only a portion of the Watchlist is evaluated, i.e. when adding a test IP at the top of the list, it seems to work fine, but when shifting it to the bottom (line 3788), the report doesn't return any data.
Does anyone know if there are limitations when using watchlists in a report? Size, length?
If so, has this been addressed in Version 4 ?
Any suggestions?
I also opened a case with NIC Support and I've been told that watchlists in enVision 3.7 can only have 10 entries.
The support engineer did mention that it should be unlimited in enVision 4.0 though ....
Support assisted me in finding the solution.
This is relevant only in 4.0 I suppose, but something to keep in mind in both environments.
When building a report, on the last screen, one of the options is to "Enable preprocess filters". According to support, this basically converts parameters to REGEX. Normally not an issue, but when your watchlist contains IP addresses, this is obviously an issue. The fix for me was to uncheck that box.
Also, I asked why my alerts weren't firing with the same watchlist. It seems that alerts "REGEX" your watchlists. So the fix for those would be to escape the periods in the watchlist, essentially looking like this: 10\.10\.10\.10
(I have yet to test this)
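As an added illustration (not from this thread and not enVision's own code) of why the periods need escaping once a watchlist is treated as REGEX, the Python below builds one alternation from constructed sample entries and shows which constructed sample events match with and without escaping and anchoring. The IP addresses are placeholders, not real indicators.

```python
import re

# Constructed sample watchlist entries (placeholder addresses, not real C2 IPs).
WATCHLIST = ["10.10.10.10", "192.0.2.44"]

# Constructed sample source IPs as they might appear in events.
EVENTS = ["10.10.10.10", "10.10.10.100", "10010010010", "192.0.2.44", "192.0.2.4"]


def build_pattern(entries, escape_dots=True, anchor=True):
    """Combine watchlist entries into one regex alternation, the way an engine
    that 'REGEXes' the list would. escape_dots=False reproduces the pitfall
    from the thread: an unescaped '.' matches any character, not a literal
    period. anchor=True additionally stops an entry matching as a prefix of
    a longer address (10.10.10.10 inside 10.10.10.100)."""
    parts = [re.escape(e) if escape_dots else e for e in entries]
    body = "|".join(parts)
    return re.compile(rf"^(?:{body})$" if anchor else body)


def matching_events(events, pattern):
    """Events the watchlist pattern hits (search, like a substring filter)."""
    return [e for e in events if pattern.search(e)]


def false_positives(events, entries, pattern):
    """Hits that are not literally on the watchlist: alert noise."""
    return [h for h in matching_events(events, pattern) if h not in entries]


if __name__ == "__main__":
    for escape_dots, anchor in [(False, False), (True, False), (True, True)]:
        pat = build_pattern(WATCHLIST, escape_dots=escape_dots, anchor=anchor)
        print(f"escape={escape_dots} anchor={anchor} pattern={pat.pattern!r}")
        print("  false positives:", false_positives(EVENTS, WATCHLIST, pat))
```

The unescaped list matches "10010010010" and "10.10.10.100"; escaping fixes the first, and anchoring each entry fixes the second.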
Tried to convert it to a simple alert but it doesn't seem to fire (even when using the escape character '\', 10\.10\.10\.10).
Would be interested to hear from your testing on v4.