RSA Admin

Report against long Watchlist

Discussion created by RSA Admin Employee on Mar 16, 2010
Latest reply on Mar 22, 2010 by RSA Admin

 

Hi There,

Found a post a couple of days ago in the Intelligence community describing how to create an alert based on a 'dynamic' Watchlist of botnet Command & Control IP addresses.

http://rsaenvision.lithium.com/t5/Tools-and-Scripts/Searching-for-Botnets/m-p/3564/highlight/true#M85

I created the watchlist and decided to run a report at first rather than create an alert to have a look at it.

It seems that only a portion of the Watchlist is evaluated, i.e. when adding a test IP at the top of the list, it seems to work fine but when shifting it to the bottom (line 3788), the report doesn't return any data.

Does anyone know if there are limitations on using watchlists in a report? Size, length?

If so, has this been addressed in Version 4?

Any suggestions?

Cheers,

Cedric.
