Report against long Watchlist
Hi There,
Found a post a couple of days ago in the Intelligence community describing how to create an alert based on a 'dynamic' Watchlist of botnet Command & Control IP addresses.
I created the watchlist and decided to run a report at first rather than create an alert, to have a look at it.
It seems that only a portion of the Watchlist is evaluated, i.e. when adding a test IP at the top of the list, it seems to work fine, but when shifting it to the bottom (line 3788), the report doesn't return any data.
Does anyone know if there are limitations using watchlists in a report? Size, length?
If so, has this been addressed in Version 4?
Any suggestions?
Cheers,
Cedric.
I am in the same boat. I have an open case with support, and it has been escalated to engineering.
My list was about 350 entries, and it was IP addresses.
I am on 4.0 SP3.
I also opened a case with NIC Support and I've been told that watchlists in enVision 3.7 can only have 10 entries.
The support engineer did mention that it should be unlimited in enVision 4.0 though ....
Support assisted me in finding the solution.
This is relevant only in 4.0 I suppose, but something to keep in mind in both environments.
When building a report, on the last screen, one of the options is to "Enable preprocess filters". According to support, this basically converts parameters to REGEX. Normally not an issue, but when your watchlist contains IP addresses, this is obviously an issue. The fix for me was to uncheck that box.
Also, I asked why my alerts weren't firing with the same watchlist. It seems that alerts "REGEX" your watchlists. So the fix for those would be to escape the periods in the watchlist. Essentially looking like this: 10\.10\.10\.10
(I have yet to test this)
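As an added illustration (not from this thread or from RSA enVision) of the regex behaviour the post describes: when watchlist entries are used verbatim as regular expressions, an unescaped `.` matches any character, so an IP entry also fires on strings that are not that address; escaping the periods restores a literal match. The watchlist entries and log lines below are constructed sample data, and the IP values are placeholders.

```python
import re
import ipaddress

# Constructed sample watchlist (placeholder addresses, not real indicators).
WATCHLIST = ["10.10.10.10", "192.0.2.44", "198.51.100.7"]

# Constructed sample log lines; the second one is not an IP address at all.
LOG_LINES = [
    "2024-01-01T10:00:00 fw deny src=10.10.10.10 dst=172.16.0.5",
    "2024-01-01T10:00:01 fw allow src=10x10x10x10 dst=172.16.0.5",
    "2024-01-01T10:00:02 fw allow src=192.0.2.44 dst=172.16.0.9",
    "2024-01-01T10:00:03 fw allow src=10.10.10.100 dst=172.16.0.9",
]


def build_pattern(entries, escape=True):
    """Join watchlist entries into one alternation, the way a regex-based
    matcher would. With escape=False the entries are used verbatim, so the
    '.' in an IP address matches any character."""
    parts = [re.escape(e) if escape else e for e in entries]
    # Word boundaries keep 10.10.10.10 from matching inside 10.10.10.100.
    return re.compile(r"\b(?:" + "|".join(parts) + r")\b")


def escape_watchlist(entries):
    """Produce the escaped form the post suggests (10\\.10\\.10\\.10),
    validating each entry as an IP address first so typos do not become
    silent regex syntax."""
    escaped = []
    for entry in entries:
        ipaddress.ip_address(entry)  # raises ValueError on a malformed entry
        escaped.append(entry.replace(".", r"\."))
    return escaped


def matching_lines(lines, pattern):
    """Return the log lines the compiled watchlist pattern hits."""
    return [line for line in lines if pattern.search(line)]


if __name__ == "__main__":
    for escape in (False, True):
        hits = matching_lines(LOG_LINES, build_pattern(WATCHLIST, escape))
        print(f"escape={escape}: {len(hits)} hit(s)")
        for line in hits:
            print("   ", line)
    print("escaped entries:", escape_watchlist(WATCHLIST))
```

The unescaped pattern also hits the `10x10x10x10` line, which is the kind of false positive to check for when a watchlist is fed into a regex-driven filter or alert.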
Champion ... Unticking that box worked for me too ...
Not sure what the support engineer was on about ....
Thanks for your input.
Tried to convert it to a simple alert, but it doesn't seem to fire (even when using the escape character '\', 10\.10\.10\.10).
Would be interested to hear from your testing on v4.
