Jim Harbin

Host scanning multiple subnets...

Discussion created by Jim Harbin on Jul 14, 2011
Latest reply on Aug 3, 2011 by RSA Admin

Logically it seems easy, but I can't figure out how to create it in enVision with a correlated rule.


Subnets are divided up here:  172.21.x.x, 172.23.x.x, 172.18.x.x, 172.29.x.x, 172.19.x.x, etc.


I am looking to find someone from any source address that has done a port scan on more than one subnet... 


For example:  I scanned 172.21.x.x and then scanned 172.19.x.x... it should fire... if I scanned 172.21.x.x followed by another in 172.21.x.x it shouldn't...


In our old system, this was a 3 page long rule that had every this-followed-by-that comparison... is there a more condensed, easier way to write this in enVision?


If an address scans one of these ranges, followed by a different one of the ranges...
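The "one source, more than one watched range" condition described above, worked through as an added example in Python over constructed port-scan alerts (not enVision rule syntax, and not code from the original post). It assumes the listed ranges are /16 networks and that alerts arrive in a hypothetical `src=... dst=... event=portscan` line format; a source that scans the same range repeatedly stays silent, which is the "shouldn't fire" case from the question.

```python
import ipaddress
import re
from collections import defaultdict

# Watched ranges from the question, assumed to be /16 networks
# because the post writes them as 172.21.x.x and so on.
WATCHED_SUBNETS = [
    ipaddress.ip_network(n)
    for n in ("172.21.0.0/16", "172.23.0.0/16", "172.18.0.0/16",
              "172.29.0.0/16", "172.19.0.0/16")
]

# Constructed sample alerts in a hypothetical key=value format.
# 10.0.0.5 touches two watched ranges; 10.0.0.9 only ever touches one.
SAMPLE_EVENTS = """\
src=10.0.0.5 dst=172.21.4.7 event=portscan
src=10.0.0.5 dst=172.21.9.1 event=portscan
src=10.0.0.9 dst=172.23.2.2 event=portscan
src=10.0.0.5 dst=172.19.3.3 event=portscan
src=10.0.0.9 dst=172.23.8.8 event=portscan
src=10.0.0.9 dst=192.168.1.1 event=portscan
""".splitlines()

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) event=portscan")


def watched_subnet(dst):
    """Return the watched network containing dst, or None if it is outside all of them."""
    addr = ipaddress.ip_address(dst)
    for net in WATCHED_SUBNETS:
        if addr in net:
            return net
    return None


def find_multi_subnet_scanners(lines):
    """Map each source to the sorted list of watched ranges it scanned,
    keeping only sources that hit two or more distinct ranges."""
    seen = defaultdict(set)  # src -> set of watched networks it has scanned
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not port-scan alerts
        net = watched_subnet(m.group("dst"))
        if net is not None:
            seen[m.group("src")].add(net)
    return {src: sorted(str(n) for n in nets)
            for src, nets in seen.items() if len(nets) >= 2}
```

Instead of enumerating every this-range-then-that-range pair, the rule reduces to "count distinct watched ranges per source and fire at two", which is the condensed form the question asks for.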
