Problems with rules and filters not firing

paulow19782

Hi,

I am just starting on my journey of implementing SEM and having some difficulties with setting up rules and alerting. I have configured our firewall to send logs to it and one of the events is :

• Event Type
  NetworkAttack
• EventInfo
  IPS Prevention Alert: WEB-ATTACKS Malformed HTTP Host Header 2
• DetectionIP
  XXXX
• ToolAlias
  XXXX
•  
• Severity
  6
• InsertionTime
  2020-11-26 09:25:21
• Manager
  swi-sem
• SourcePort
  43336
• DestinationPort
  80
• InsertionIP
  swi-sem
• DetectionTime
  2020-11-26 09:25:20
• DestinationMachine
  XXXX
• AlertActivityType
  IPS Prevention Alert: WEB-ATTACKS Malformed HTTP Host Header 2
• ManagerTime
  2020-11-26 09:25:21
• Interface
  X0
• SourceMachine
  XXXX

(I have removed ip addresses etc above).

I have created a filter which basically says:

Access.AlertActivityType = *WEB-ATTACKS Malformed HTTP Host Header 2*

and 

Access.DetectionIP is equal to *<ip address of firewall>*

But nothing ever comes through the filter.

Its the same for my rule as well. I am using the same logic and want it to trigger an automated block rule through the active response but nothing ever gets flagged.

Can someone tell me what I am doing wrong?

thanks,

Paul

paulow19782

I think I must be missing something in my understanding on how these filters work...

I have read through the documentation and watched the solarwinds SEM video on creating filters but still to no avail. I was able to create a custom filter for the firewall and that worked but not sure why it worked compared to my other filters..

in that filter I used

AnyAlert.ToolAlias = *firewall name*

and I can see events coming through. I think it might be because I am not using the correct filters and although the event fields in the event are there, I am choosing them from the Access.<alert event> category...

I will keep trying...