How the rule Statement Filter logic works

Discussion created by RSA Admin Employee on Jul 21, 2010
Latest reply on Jul 24, 2010 by RSA Admin

I have a question on how the Statement Filter logic in rules works. I hope someone here can help me out. I am not able to find an answer online or in the online help that comes with enVision.

On the Statement Filter page, I can do the following:

 

WHERE condition A ( criteria A1 OR criteria A2 OR ... criteria An)

OR/AND  condition B ( criteria B1 OR criteria B2 OR ... criteria Bn)

OR/AND  condition C ( criteria B1 OR criteria C2 OR ... criteria Cn)

....

OR/AND  condition D ( criteria 1 OR criteria 2 OR ... criteria n)

Note that I just put OR/AND for the logic operator choices instead of the whole shebang to improve readability.

 

I assume that implementing the logic "A | B | C & D" is just configuring the conditions from the top down. I may be wrong here. But if it's just a WHERE clause in SQL, this should be true.

 

In other words, the screen should show:

 

WHERE condition A ( criteria A1 )

OR      condition B ( criteria B1 )

OR      condition C ( criteria C1 )

AND     condition D ( criteria D1 )


But how can I implement the logic "(A|B) & (C|D)"? It does not support parentheses.

 

I have a rule which needs a Statement Filter to fire on a number of OR conditions, but they all have to satisfy a unique condition for all situations.

 

This would be very simple if parentheses were supported. The logic would be "(A|B) & !C". I just tried the following in enVision to see if it works. No, it does not; the rule still fires.

 

WHERE [Source address] IN [xyz]

OR      [Destination Port] IN [abc]

AND     [Source port] NOT IN [mnp]

 

The intent of this filter is to fire alerts when the source address is xyz or the destination port is abc, but only when the source port is not mnp, for all situations.

 

Thanks in advance
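
The two ways a flat OR/AND list like the one in the post can be read, as an added example that is not part of the original post and is not enVision's own code. It compares strict top-down evaluation with SQL-style precedence (AND before OR) against the stated intent "(A|B) & !C", and checks a parenthesis-free rewrite that repeats the NOT condition. Assumptions: A, B and C are hypothetical labels for the three conditions, nothing is claimed about which order enVision actually uses, and the rewrite presumes the filter page lets the same condition appear twice.

```python
from itertools import product

# Hypothetical labels: A = source address IN xyz, B = destination port IN abc,
# C = source port IN mnp. The intent stated in the post is (A|B) & !C.
A = lambda e: e["A"]
B = lambda e: e["B"]
NOT_C = lambda e: not e["C"]

def intended(e):
    return (e["A"] or e["B"]) and not e["C"]

# A flat filter is a first condition plus (operator, condition) rows, top-down.
POSTED = (A, [("OR", B), ("AND", NOT_C)])
# Parenthesis-free rewrite: repeat the NOT condition after every OR branch.
DISTRIBUTED = (A, [("AND", NOT_C), ("OR", B), ("AND", NOT_C)])

def eval_top_down(flt, e):
    """Strict top-down reading: ((row1 op row2) op row3) ..."""
    first, rest = flt
    result = first(e)
    for op, cond in rest:
        result = (result and cond(e)) if op == "AND" else (result or cond(e))
    return result

def eval_sql_precedence(flt, e):
    """SQL-style reading: AND binds tighter than OR."""
    first, rest = flt
    groups = [[first]]
    for op, cond in rest:
        if op == "OR":
            groups.append([cond])    # OR starts a new AND-group
        else:
            groups[-1].append(cond)  # AND extends the current group
    return any(all(cond(e) for cond in group) for group in groups)

def mismatches(evaluator, flt):
    """Return the (A, B, C) truth assignments where the filter departs from the intent."""
    bad = []
    for a, b, c in product([False, True], repeat=3):
        e = {"A": a, "B": b, "C": c}
        if evaluator(flt, e) != intended(e):
            bad.append((a, b, c))
    return bad

if __name__ == "__main__":
    for name, flt in (("posted", POSTED), ("distributed", DISTRIBUTED)):
        for ev in (eval_top_down, eval_sql_precedence):
            print(f"{name:12} {ev.__name__:20} departs from intent at: {mismatches(ev, flt)}")
```

Under the SQL-style reading the posted filter matches whenever the source address condition is true, whatever the source port; the rewrite with the source-port condition repeated after each OR branch matches the intent under either reading.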
