We are facing issues while applying filters on rules. Please have a look at the example below and suggest how we can apply the filter for the same.

Let's say I want to filter the conditions below from Alert:

1) Source IP A with Signature B
2) Source IP C with Signature D

As per my experience with RSA, we can write this filter in 2 patterns:
Pattern 1:

Source IP = A
Signature = B
Source IP = C
Signature = D
If we go with this order it will not give the desired result, since it will work as follows:

Source IP = A AND (Signature = B OR Source IP = C) AND Signature = D

Whereas we want the result below:

(Source IP = A AND Signature = B) OR (Source IP = C AND Signature = D)

Pattern 2:

Source IP = A, C AND Signature = B, D

This will filter Source IP A with Signature D, which we don't want.

Please suggest how we can handle this, since we are receiving a large number of alerts from 2 IPs with different signatures which we want to whitelist via the ruleset.
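The following is an added example, not the poster's rule text and not RSA NetWitness rule syntax: it evaluates the two whitelist patterns from the post, plus the intended grouped condition, against a constructed set of sample alerts, and reports which alerts each one suppresses. The field names `source_ip` and `signature` and the values A, B, C, D are placeholders standing in for the post's values. The point it makes visible is the detection gap: pattern 2 also hides the A/D and C/B combinations the poster wants to keep, while pattern 1, combined the way the post says the engine combines it, matches nothing at all.

```python
# Added example (not RSA NetWitness syntax): compare how three whitelist
# filters behave against constructed sample alerts. Field names and the
# values A/B/C/D are placeholders for the ones in the post.

from typing import Callable, Dict, List, Set, Tuple

Alert = Dict[str, str]
Filter = Callable[[Alert], bool]
Key = Tuple[str, str]

# Constructed sample alerts covering every relevant IP/signature combination.
SAMPLE_ALERTS: List[Alert] = [
    {"source_ip": "A", "signature": "B"},  # should be whitelisted
    {"source_ip": "C", "signature": "D"},  # should be whitelisted
    {"source_ip": "A", "signature": "D"},  # must NOT be whitelisted
    {"source_ip": "C", "signature": "B"},  # must NOT be whitelisted
    {"source_ip": "E", "signature": "B"},  # unrelated host, must still alert
]


def pattern1_as_evaluated(alert: Alert) -> bool:
    """Pattern 1 from the post, combined the way the post says the engine
    combines it: ip = A AND (sig = B OR ip = C) AND sig = D."""
    ip, sig = alert["source_ip"], alert["signature"]
    return ip == "A" and (sig == "B" or ip == "C") and sig == "D"


def pattern2_value_lists(alert: Alert) -> bool:
    """Pattern 2 from the post: Source IP in {A, C} AND Signature in {B, D}."""
    ip, sig = alert["source_ip"], alert["signature"]
    return ip in {"A", "C"} and sig in {"B", "D"}


def intended_filter(alert: Alert) -> bool:
    """The result the post wants: each IP grouped with its own signature."""
    ip, sig = alert["source_ip"], alert["signature"]
    return (ip == "A" and sig == "B") or (ip == "C" and sig == "D")


def suppressed(flt: Filter, alerts: List[Alert] = SAMPLE_ALERTS) -> Set[Key]:
    """(source_ip, signature) pairs the filter would whitelist (hide)."""
    return {(a["source_ip"], a["signature"]) for a in alerts if flt(a)}


def over_suppressed(flt: Filter, alerts: List[Alert] = SAMPLE_ALERTS) -> Set[Key]:
    """Alerts the candidate hides that the intended filter would still raise:
    the detection gap a too-broad whitelist opens."""
    return suppressed(flt, alerts) - suppressed(intended_filter, alerts)


def under_suppressed(flt: Filter, alerts: List[Alert] = SAMPLE_ALERTS) -> Set[Key]:
    """Alerts the candidate still raises although they should be whitelisted:
    the noise a too-narrow filter leaves behind."""
    return suppressed(intended_filter, alerts) - suppressed(flt, alerts)


if __name__ == "__main__":
    candidates = [
        ("pattern 1 (flat AND/OR, as evaluated)", pattern1_as_evaluated),
        ("pattern 2 (value lists)", pattern2_value_lists),
        ("intended (grouped)", intended_filter),
    ]
    for name, flt in candidates:
        print(f"{name}:")
        print(f"  whitelisted      : {sorted(suppressed(flt))}")
        print(f"  wrongly hidden   : {sorted(over_suppressed(flt))}")
        print(f"  still noisy      : {sorted(under_suppressed(flt))}")
```

Running it shows pattern 2 hiding `('A', 'D')` and `('C', 'B')` in addition to the two wanted pairs, and pattern 1 hiding nothing; only the explicitly grouped condition matches exactly the two wanted pairs. When reviewing any whitelist rule, checking the "wrongly hidden" set against a sample of real alerts is the quickest way to catch this kind of over-suppression before it goes live.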