
Application Rules

Question asked by paider on Feb 28, 2014
Latest reply on Mar 12, 2014 by huan zhou

I am pretty new to RSA (we have Security Analytics 10.3.1) and am just trying to understand what some of these things mean. Below are some of the application rules that we have that I'm trying to figure out:

attachment count 4-u  (what does this mean??)

service != 443 && tcp.dstport = 443 && streams = 2    (what does the streams=2 mean??)

risk.info count 3-u  (what does this mean??)

service = '80' && tcp.dstport = l-79,81-u && streams =2   (what does tcp.dstport=l-79,81-u mean??)

Also, there are a number of alert IDs that I'm seeing in Investigator that are not in the application rules. Where could these alert IDs be coming from? I'm just trying to understand what they mean and if I should be alerting on them. Thanks a bunch for any additional information!
