AnsweredAssumed Answered

Identifying Msg_IDs description in ESA Alerts

Question asked by Wardell Motley on Jun 14, 2016
Latest reply on Sep 25, 2016 by Sal Sanshez

Like • Show 0 Likes0
Comment • 4

Hi everyone!

We are currently working on some tuning in ESA alerts and came across some MSG_ids that we cannot identify

The two alerts are listed below with associated message IDs that we need descriptions for

- Multiple Logs from MsgID Set with Same SourceIP DestinationIP

Msg_id in the syntax of the rule are ('00490' , ' 00490:08',' 00490:21' , '00004:16', ' 00490:01', '00490:07' , '00490:08' , '106001','106001:01','106002'

-Multiple Unique Logs from MsgID Set with Same Source and Destination IP

Msg_id in the syntax of the rule are ('00490', '00490:06','00490:08','00490:21')

No one else has this question

Outcomes

4 Replies

Soumyajit Dhara Jun 15, 2016 4:42 AM
Mark Correct
Correct Answer
Hi,

For which device.type you got this information ?
Like • Show 0 Likes0
Actions
- Wardell Motley @ Soumyajit Dhara on Jun 15, 2016 9:05 AM
  Mark Correct
  Correct Answer
  These MsgIDs are actually built into an RSA rule below are the syntax. We are trying to find out the description of the MsgID within the syntax
  
  @Name('Module_esa000071_Alert')
  @Description('Multiple Logs from MsgID Set with Same SourceIP and DestinationIP')
  @RSAAlert(oneInSeconds=0, identifiers={"ip_src, ip_dst"})
  
  SELECT * FROM
  Event(
  ip_src IS NOT NULL
  AND
  ip_dst IS NOT NULL
  AND
  msg_id IN ('00490' , '00490:08' , '00490:21' , '00004:16' , '00490:01' , '00490:07' , '00490:08' , '106001' , '106001:01' , '106002')
  ).std:groupwin(ip_src, ip_dst).win:time_length_batch(300 seconds, 10) GROUP BY ip_src, ip_dst HAVING COUNT(*) = 10;
  
  Description: Multiple unique log events from group of message IDs (each log has to have a unique message ID among the specified set of IDs) with same source IP and destination IP that take place within given time window. Number of log events, list of message IDs to be monitored, whitelist of source and destination IPs and time window are configurable. The default number of log events is 3 and the time window is 300 seconds (5 minutes).
  
  Version: 2
  */
  
  module Module_esa000072;
  
  @Name('Module_esa000072_Alert')
  
  @RSAAlert(oneInSeconds=0, identifiers={"ip_src, ip_dst"})
  
  SELECT * FROM
  
  Event(
  medium = 32
  AND
  ip_src IS NOT NULL
  AND
  ip_src NOT IN ('1.1.1.1' , '2.2.2.2')
  AND
  ip_dst IS NOT NULL
  AND
  ip_dst NOT IN ('1.1.1.1' , '2.2.2.2')
  AND
  msg_id IN ('00490' , '00490:06' , '00490:08' , '00490:21')
  ).std:groupwin(ip_src, ip_dst).win:time_length_batch(300 seconds, 3).std:unique(msg_id) GROUP BY ip_src, ip_dst HAVING COUNT(*) = 3;
  Like • Show 0 Likes0
  Actions
  - Soumyajit Dhara @ Wardell Motley on Jun 16, 2016 1:52 AM
    Mark Correct
    Correct Answer
    It is hard to identify device.type by looking on msg_id, until someone really remember these like windows reference_id.
    
    My suggestion : Copy all the msg_id from this rules and test SA Investigate > Navigate section and under Query put it as per below.
    msg.id = '00490','00490:06','00490:08','00490:21'
    msg.id = '00490','00490:08','00490:21','00004:16','00490:01','00490:07','00490:08','106001','106001:01','106002'
    
    You will definitely get some result by selecting Log Concentrator or Broker (if you have in your environment) as a service during Investigation Page.
    1 person found this helpful
    Like • Show 1 Like1
    Actions
Sal Sanshez Sep 25, 2016 1:13 AM
Mark Correct
Correct Answer
You could create a report for device.type where msg.id = 00490','00490:08','00490:21','00004:16','00490:01','00490:07','00490:08','106001','106001:01','106002'
Like • Show 0 Likes0
Actions

Identifying Msg_IDs description in ESA Alerts

Outcomes

Related Content

Recommended Content