Is there a way to alert on the number of unique meta key values associated with a session for a particular meta key (without using ESA or reports)? This is for Netwitness packets 10.6.2.
A simple use case would be:
mass spam alert = emailfrom ends 'ourdomain.com' && uniq-count of emailto > 500
This is simplistic, but we're looking for a way to detect mass outbound SMTP messages. I haven't seen a way with app rules to count the number of unique meta values for a particular key and assume we can do this with an advanced Esper query, but wanted to see if there was a way to perform this on the packet decoders themselves.
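The logic the question asks for, written out as an added example (not a NetWitness app rule, Esper statement or anything from the thread): each session is modelled as a dict of meta key to list of values, the way a packet decoder attaches multi-valued meta to one session, and the rule `emailfrom ends 'ourdomain.com' && uniq-count of emailto > 500` is evaluated per session. The sample sessions, the `sessionid` field and the sender domain are constructed. It also goes one step beyond the per-session rule and aggregates distinct recipients per sender across sessions, because a mass mailing delivered as many single-recipient sessions never trips a per-session unique count.

```python
"""Per-session unique-meta-count alert, illustrative only (not NetWitness code)."""
from collections import defaultdict

# Constructed sample data: meta key -> list of values, one dict per session.
SAMPLE_SESSIONS = [
    # one session, 600 distinct recipients: trips the per-session rule
    {"sessionid": 1, "emailfrom": ["billing@ourdomain.com"],
     "emailto": [f"user{i}@example.net" for i in range(600)]},
    # duplicates must collapse: 3 values but only 2 unique recipients
    {"sessionid": 2, "emailfrom": ["alice@ourdomain.com"],
     "emailto": ["bob@example.org", "Bob@example.org", "carol@example.org"]},
    # inbound spam from elsewhere: high count but sender is not our domain
    {"sessionid": 3, "emailfrom": ["spammer@elsewhere.test"],
     "emailto": [f"victim{i}@example.net" for i in range(900)]},
]
# 520 separate sessions, one recipient each: invisible to a per-session rule
SAMPLE_SESSIONS += [
    {"sessionid": 100 + i, "emailfrom": ["carol@ourdomain.com"],
     "emailto": [f"lead{i}@example.com"]}
    for i in range(520)
]


def unique_meta_count(session, key):
    """Distinct values of `key` in one session, case-folded so Bob@ and bob@ count once."""
    return len({v.lower() for v in session.get(key, [])})


def sender_in_domain(session, domain):
    """True if any emailfrom value is in `domain` or a subdomain of it.

    The question's `ends 'ourdomain.com'` would also match `notourdomain.com`;
    anchoring on '@' or '.' avoids that false match.
    """
    d = domain.lower()
    return any(v.lower().endswith("@" + d) or v.lower().endswith("." + d)
               for v in session.get("emailfrom", []))


def mass_spam_alerts(sessions, domain="ourdomain.com", threshold=500, key="emailto"):
    """Per-session rule: emailfrom in domain && uniq-count(key) > threshold.

    Returns a list of (sessionid, unique_count) for each session that matches.
    """
    alerts = []
    for s in sessions:
        if not sender_in_domain(s, domain):
            continue
        n = unique_meta_count(s, key)
        if n > threshold:
            alerts.append((s["sessionid"], n))
    return alerts


def recipients_per_sender(sessions, domain="ourdomain.com", key="emailto"):
    """Distinct recipients per in-domain sender across all sessions in the window."""
    seen = defaultdict(set)
    for s in sessions:
        if not sender_in_domain(s, domain):
            continue
        for sender in s.get("emailfrom", []):
            seen[sender.lower()].update(v.lower() for v in s.get(key, []))
    return {sender: len(rcpts) for sender, rcpts in seen.items()}


def aggregate_alerts(sessions, domain="ourdomain.com", threshold=500, key="emailto"):
    """Cross-session rule: same threshold, but counted per sender over the whole batch."""
    counts = recipients_per_sender(sessions, domain, key)
    return sorted((sender, n) for sender, n in counts.items() if n > threshold)


if __name__ == "__main__":
    print("per-session:", mass_spam_alerts(SAMPLE_SESSIONS))
    print("per-sender:", aggregate_alerts(SAMPLE_SESSIONS))
```

Run against the constructed sessions, the per-session rule fires only on session 1; the inbound session 3 is excluded by the sender check and session 2 collapses to two recipients. The per-sender aggregate additionally flags the 520 single-recipient sessions, which is the shape an outbound mass mailing usually takes, so whichever engine ends up hosting the rule, the window it aggregates over matters as much as the threshold.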
Hi Michael,
I'm using Reporting Engine for this; we generate dashboards (charts) with information about SMTP sessions for our MX servers:
But You can use RE to generate alerts too.
Another option is to use correlation rules on the packet decoder; IMO it should work, for example:
But you have to test it.
Maybe other more experienced NW users could tweak this rule.
Regards
Marcin