Hernan Perez

Doubt about field names used in correlation rule CRL-00023-01 multi threading

Discussion created by Hernan Perez on Mar 24, 2010
Latest reply on Nov 15, 2011 by RSA Admin


I have been using a correlation rule based on the supplied CRL-00023-01.
I have noticed a strange thing that I don't fully understand.

Although the rule is based on the contents of NIC message id 508100, which contains the following fields:

Packager, <source>,<username>,<obj_type>,<obj_name>,<action> Detail: <pid>: Device <laddr> (<device>): <count> messages processed <@msg:*PARMVAL($MSG)><@level:*SYSVAL($LEVEL)>

The multi-thread definition for rule CRL-00023-01 is using the following values:
"device, destination address"
that correspond (in its XML representation) to:
<thread value="1" set="daddr:device"/>.

Where is that "daddr" coming from? It is not present in the parsing fields from message 508100.
Why is "laddr" not used instead?

I would appreciate any help on this.
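As an added check that is not part of the original post: the Python below compares the `<name>` placeholders parsed from the quoted 508100 message format against the keys named in the quoted `<thread set="...">` element and reports any key the message never supplies. It assumes the `<name>` placeholder convention visible in the quoted format (tokens beginning with `@` are treated as directives, not fields); the regex and function names are my own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed from the message format quoted in the post (NIC message id 508100).
MESSAGE_FORMAT = (
    "Packager, <source>,<username>,<obj_type>,<obj_name>,<action> Detail: <pid>: "
    "Device <laddr> (<device>): <count> messages processed "
    "<@msg:*PARMVAL($MSG)><@level:*SYSVAL($LEVEL)>"
)
# Constructed from the thread element quoted in the post.
THREAD_XML = '<thread value="1" set="daddr:device"/>'

# A parsed field looks like <name>; tokens starting with '@' are directives, not fields.
FIELD_RE = re.compile(r"<([A-Za-z_][A-Za-z0-9_]*)>")


def parsed_fields(message_format):
    """Return the set of field names a message format captures."""
    return set(FIELD_RE.findall(message_format))


def thread_fields(thread_xml):
    """Return the list of field names in a <thread set="a:b"/> element, in order."""
    elem = ET.fromstring(thread_xml)
    return [f for f in elem.get("set", "").split(":") if f]


def unresolved_thread_fields(message_format, thread_xml):
    """Thread keys that the message format never parses.

    A non-empty result means the rule threads on a value this message
    cannot populate from its own parsed fields.
    """
    available = parsed_fields(message_format)
    return [f for f in thread_fields(thread_xml) if f not in available]


if __name__ == "__main__":
    print("parsed fields:", sorted(parsed_fields(MESSAGE_FORMAT)))
    print("thread keys:", thread_fields(THREAD_XML))
    print("thread keys not parsed from message:",
          unresolved_thread_fields(MESSAGE_FORMAT, THREAD_XML))
```

Running it on the quoted values reports `daddr` as the one thread key the message does not parse, while `laddr` and `device` are both available.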