
Correlation rules: less than comparison, port sweep

Question asked by RSA Admin Employee on Mar 29, 2014
Latest reply on Mar 31, 2014 by Sean Koniarz

Hi,

There are basic correlation capabilities in the system. We tried to create a very simple correlation rule on the log concentrator/decoder and noticed that we can't use a less-than comparison in the rules. These would be very useful, and it's quite odd that you can use a "more than" comparison but not equals or less than in the rules. Why do you want to restrict this? Make people buy ESA appliances for these simple cases, or is there some sort of technical reason for this?

We could use these less-than rules to monitor log collection, for instance. This can be done with the new monitoring feature on the SA server as well, but we didn't get it working and it's too simple. You can use only IP addresses or device types there. Having multiple concentrators under one SA server could also bring out problems with that feature... We would like to use our custom meta fields related to those logging devices. Monitoring log collection in general could be achieved very easily with these basic correlation rules, if we could use a less-than comparison.

Another thing we noticed was that we couldn't put different kinds of meta fields into the instance key field. So basically, a simple correlation rule to detect port sweeps can't be created. Port scanning can be detected, though.

Are fixes coming in upcoming releases, or should we try something else?

-aj
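To make the two points in the post concrete (a "less than" comparison for monitoring log sources, and an instance key that mixes different meta fields so that a port sweep can be told apart from a port scan), here is a small stand-alone correlation evaluator. It is an added illustration written for this thread, not RSA's correlation engine or its rule syntax; the meta key names (ip.src, ip.dst, tcp.dstport, device.host), the thresholds and the sample events are all constructed for the example. The one edge case it handles explicitly is the reason a less-than rule needs a list of expected sources: a device that has stopped sending logs produces no events at all, so it never shows up in the stream unless the rule starts each expected instance at a count of zero.

```python
from __future__ import annotations

import operator
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Tuple

# Constructed sample events (not real traffic): one dict of meta keys per event.
SAMPLE_EVENTS = (
    # 10.0.0.5 touches 12 different ports on a single host: a port scan
    [{"ip.src": "10.0.0.5", "ip.dst": "10.0.1.10", "tcp.dstport": p, "device.host": "fw1"}
     for p in range(20, 32)]
    # 10.0.0.7 touches port 22 on 12 different hosts: a port sweep
    + [{"ip.src": "10.0.0.7", "ip.dst": f"10.0.2.{h}", "tcp.dstport": 22, "device.host": "fw1"}
       for h in range(1, 13)]
    # benign traffic from a third host, reported by a second (quiet) device
    + [{"ip.src": "10.0.0.9", "ip.dst": "10.0.1.10", "tcp.dstport": 443, "device.host": "fw2"},
       {"ip.src": "10.0.0.9", "ip.dst": "10.0.1.11", "tcp.dstport": 443, "device.host": "fw2"}]
)


@dataclass(frozen=True)
class Rule:
    name: str
    instance_key: Tuple[str, ...]       # meta keys that together identify one instance
    count_key: Optional[str]            # meta key whose distinct values are counted; None = count events
    op: Callable[[int, int], bool]      # comparison applied as op(count, threshold)
    threshold: int


def evaluate(rule: Rule, events: Iterable[dict],
             expected_instances: Iterable[tuple] = ()) -> Dict[tuple, int]:
    """Return {instance: count} for every instance where op(count, threshold) holds.

    expected_instances seeds instances with a count of 0 so that a less-than rule
    can fire for a source that produced no events in the window at all.
    """
    distinct = defaultdict(set)
    counts: Dict[tuple, int] = defaultdict(int)
    for ev in events:
        try:
            inst = tuple(ev[k] for k in rule.instance_key)
        except KeyError:
            continue                      # event lacks a key this rule needs; skip it
        if rule.count_key is None:
            counts[inst] += 1
        elif rule.count_key in ev:
            distinct[inst].add(ev[rule.count_key])
    if rule.count_key is not None:
        counts = {inst: len(vals) for inst, vals in distinct.items()}
    for inst in expected_instances:
        counts.setdefault(inst, 0)        # silent sources count as zero
    return {inst: c for inst, c in counts.items() if rule.op(c, rule.threshold)}


# Port scan: one source, one destination, more than 10 distinct destination ports.
PORT_SCAN = Rule("port scan", ("ip.src", "ip.dst"), "tcp.dstport", operator.gt, 10)
# Port sweep: one source, one destination port, more than 10 distinct destinations.
# The instance key deliberately mixes an address field and a port field.
PORT_SWEEP = Rule("port sweep", ("ip.src", "tcp.dstport"), "ip.dst", operator.gt, 10)
# Log collection monitor: fewer than 5 events from a device in the window.
LOG_SOURCE_QUIET = Rule("log source quiet", ("device.host",), None, operator.lt, 5)

# Devices we expect to hear from; fw3 is constructed as a source that went silent.
EXPECTED_DEVICES = [("fw1",), ("fw2",), ("fw3",)]


def run_all(events: Iterable[dict] = SAMPLE_EVENTS) -> Dict[str, Dict[tuple, int]]:
    events = list(events)
    return {
        PORT_SCAN.name: evaluate(PORT_SCAN, events),
        PORT_SWEEP.name: evaluate(PORT_SWEEP, events),
        LOG_SOURCE_QUIET.name: evaluate(LOG_SOURCE_QUIET, events, EXPECTED_DEVICES),
    }


if __name__ == "__main__":
    for rule_name, hits in run_all().items():
        for inst, count in hits.items():
            print(f"{rule_name}: {inst} -> {count}")
```

Run against the constructed events, the scan rule fires for (10.0.0.5, 10.0.1.10), the sweep rule fires for (10.0.0.7, 22), and the less-than rule reports fw2 with 2 events and fw3 with 0; fw3 is only visible because it was seeded from the expected-device list.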
