RSA Admin

Issue with filter conditions in rule fine-tuning.

Discussion created by RSA Admin Employee on Aug 11, 2011
Latest reply on Aug 11, 2011 by RSA Admin

We are facing issues while applying filters on rules. Please have a look at the example below & suggest how we can apply the filter for the same.

Let's say I want to filter the conditions below from Alert:

1) Source IP A with Signature B

2) Source IP C with Signature D

As per my experience with RSA we can write this filter in 2 patterns:

Pattern 1:

Source IP = A

AND

Signature = B

OR

Source IP = C

AND

Signature = D

If we go with this order it will not give the desired result, since it will work as follows:

Source IP = A AND (Signature = B OR Source IP = C) AND Signature = D

Whereas we want the result below:

(Source IP = A AND Signature = B) OR (Source IP = C AND Signature =D )

Pattern 2:

Source IP = A C AND Signature = B D

This will filter Source IP A & Signature D, which we don't want.

Request you to suggest on this, since we are receiving a large number of alerts from 2 IPs with different signatures which we want to whitelist via the ruleset.
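The two patterns from the post, evaluated against a handful of constructed alerts so the difference is visible. This is an added example, not code from the original post and not RSA's rule syntax or engine; the Alert fields, the sample alerts, the filter functions and the whitelist set are all assumptions. It cannot say how the RSA rule editor itself groups AND/OR; it shows what each grouping would suppress if evaluated literally, and adds the exact-pair check that one-rule-per-pair whitelisting gives you when the editor offers no grouping.

```python
# Added example, not code from the original post or from RSA; the Alert fields,
# the constructed sample alerts and the filter functions below are assumptions.
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Alert:
    source_ip: str
    signature: str


# Constructed sample alerts: the two pairs the post wants whitelisted,
# the two cross-combinations, and an unrelated alert that must stay visible.
SAMPLE_ALERTS: List[Alert] = [
    Alert("A", "B"),   # whitelist
    Alert("C", "D"),   # whitelist
    Alert("A", "D"),   # must still alert
    Alert("C", "B"),   # must still alert
    Alert("E", "B"),   # must still alert
]

# The desired whitelist, expressed as exact (Source IP, Signature) pairs.
WHITELIST_PAIRS = {("A", "B"), ("C", "D")}

Filter = Callable[[Alert], bool]


def pattern1_as_feared(a: Alert) -> bool:
    """Pattern 1 grouped the way the post fears it will be evaluated:
    Source IP = A AND (Signature = B OR Source IP = C) AND Signature = D."""
    return (a.source_ip == "A"
            and (a.signature == "B" or a.source_ip == "C")
            and a.signature == "D")


def pattern1_and_before_or(a: Alert) -> bool:
    """Pattern 1 with AND binding tighter than OR (Python's own precedence):
    (Source IP = A AND Signature = B) OR (Source IP = C AND Signature = D)."""
    return (a.source_ip == "A" and a.signature == "B"
            or a.source_ip == "C" and a.signature == "D")


def pattern2_value_lists(a: Alert) -> bool:
    """Pattern 2: Source IP in {A, C} AND Signature in {B, D}. The two value
    lists are matched independently, so the cross-combinations match too."""
    return a.source_ip in {"A", "C"} and a.signature in {"B", "D"}


def exact_pairs(a: Alert) -> bool:
    """Whitelist on the (Source IP, Signature) tuple; this is what one rule
    per pair gives you when the rule editor cannot group conditions."""
    return (a.source_ip, a.signature) in WHITELIST_PAIRS


def suppressed_by(flt: Filter, alerts: List[Alert] = SAMPLE_ALERTS) -> List[Tuple[str, str]]:
    """Return the (ip, signature) pairs the filter would suppress, in input order."""
    return [(a.source_ip, a.signature) for a in alerts if flt(a)]


def whitelist_errors(flt: Filter, alerts: List[Alert] = SAMPLE_ALERTS):
    """Return (missed, over_suppressed): wanted pairs that still alert, and
    pairs the filter silences although they are not on the whitelist."""
    got = set(suppressed_by(flt, alerts))
    missed = sorted(WHITELIST_PAIRS - got)
    over_suppressed = sorted(got - WHITELIST_PAIRS)
    return missed, over_suppressed


if __name__ == "__main__":
    for name, flt in [("pattern 1, grouped as feared", pattern1_as_feared),
                      ("pattern 1, AND before OR", pattern1_and_before_or),
                      ("pattern 2, value lists", pattern2_value_lists),
                      ("exact (ip, signature) pairs", exact_pairs)]:
        missed, over = whitelist_errors(flt)
        print(f"{name:30s} suppresses={suppressed_by(flt)} missed={missed} over={over}")
```

Run as-is: the grouping the post fears suppresses nothing at all (Source IP = A can never also satisfy Signature = D once Signature = B was required), the value-list form silences the two cross-combinations A/D and C/B, and only the AND-before-OR reading or the exact-pair check suppresses precisely the two wanted pairs. The exact-pair check generalises to any number of IP/signature pairs, which is the safe way to express this kind of whitelist when the editor's precedence is uncertain.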
