This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
FranoisAllais
Beginner
Beginner
‎2012-02-29 09:37 AM

View for virus attacks

Good afternoon,

 

I need to create a view that notices me when a virus is moving on the network.

 

First of all, I created an alert called Virus, it has only one circuit called Virus too that fires when an event in Attack.Malicious Code is raised 10 times per minute.

 

Then, I created a view with this Correlated Rule. But I have this status : Error in view.

 

Is my method good ? Where do you think the mistake is ?

 

Thanks for your answers,

Elwyn.

0 Likes
Reply
6 Replies
RSAAdmin
Beginner
Beginner
‎2012-03-01 01:04 AM

I hope you have configured the device properly on which you want to monitor these events. Are you using device type or device group ? Can you attach the rule xml file here to have a look at it ? Sreejith
0 Likes
Reply
GabrielPython
Beginner
Beginner
In response to RSAAdmin
‎2012-03-01 04:46 AM

Hi,
enVison 4.0 SP4 P5 give such error if you use device group. You have to use the IP address of the device(s).
I have a case open since weeks with the support and i' wainting, waiting, waiting........ for an answert.
Regards
Gabriel
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to GabrielPython
‎2012-03-01 05:16 AM

So if device group is not working then it seems to http communication issue. Did you verify if TLS 1.0 is enabled in IE advanced settings when logged in as NIC_System ? Do you have Task Triage related Output actions ? Are they working for you ?
0 Likes
Reply
GabrielPython
Beginner
Beginner
In response to RSAAdmin
‎2012-03-02 05:14 AM

You can configure the Device group, the View starts and stop with the error in View.
The pi_alert.log reports:
> 11:44:00: thrd(CPS8-AdminModifications) %NIC-4-608025: Alerter,
> Alerter, -, -, -, -, Detail: 0: 9712 view=Wink8-AdminModifications
> error no devices configured.
Reconfigure your CRL with the fixed ip of devices and the view starts correctly.

Regards
0 Likes
Reply
FranoisAllais
Beginner
Beginner
‎2012-03-05 11:46 AM

Thank you for your answers. The problem came from the description of the rule.. There was a special character.. There is no check on this field (is that a bug ?) Anyway, the problem is now solved but is my method good ? Regards, Elwyn.
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to FranoisAllais
‎2012-03-12 03:11 PM

I would say that if you want to truely see if the virus is moving on the network you need to either have more circuits or statements. If I understand your logic correctly your alert will fire if it sees malicous activity 10 times in x amount of times no matter the source. If that is the case then if you get 10 messages from the same machine you will get alerted. If you want to see if moving you will have to cache variables to set for the first, second, third devices that you see and then use a filter in each of the next statements to verify that the virus alert is coming from a new machine.
0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.