I am just starting on my journey of implementing SEM and having some difficulties with setting up rules and alerting. I have configured our firewall to send logs to it and one of the events is:
(I have removed IP addresses etc. above.)
I have created a filter which basically says:
Access.AlertActivityType = *WEB-ATTACKS Malformed HTTP Host Header 2*
Access.DetectionIP is equal to *<ip address of firewall>*
But nothing ever comes through the filter.
It's the same for my rule as well. I am using the same logic and want it to trigger an automated block rule through the active response, but nothing ever gets flagged.
Can someone tell me what I am doing wrong?
I think I must be missing something in my understanding of how these filters work...
I have read through the documentation and watched the SolarWinds SEM video on creating filters but still to no avail. I was able to create a custom filter for the firewall and that worked, but I am not sure why it worked compared to my other filters.
In that filter I used
AnyAlert.ToolAlias = *firewall name*
and I can see events coming through. I think it might be because I am not using the correct filters, and although the event fields are there in the event, I am choosing them from the Access.<alert event> category...
I will keep trying...
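To see why a filter with several AND-ed conditions can silently match nothing, here is a toy evaluator, added as an illustration and not SolarWinds SEM's own filter engine. It assumes a normalized event is just a dict of field names to values, that `*` is a shell-style wildcard, and that the field names and the sample event below are constructed for the example. The useful part is that it reports each condition separately, so a condition that references a field the event does not carry (for instance an `Access.*` field on an event that only populates `AnyAlert.*` fields, as the post speculates) shows up as the reason the whole filter fails.

```python
import fnmatch

# Constructed sample event (not a real SEM record): the firewall alert
# carries its fields under the AnyAlert category only. Field names are
# hypothetical and mirror the ones mentioned in the post.
SAMPLE_EVENT = {
    "AnyAlert.ToolAlias": "edge-firewall",
    "AnyAlert.DetectionIP": "192.0.2.1",
    "AnyAlert.AlertActivityType": "WEB-ATTACKS Malformed HTTP Host Header 2",
}


def condition_matches(event, field, pattern):
    """Return True if `event` carries `field` and its value matches the
    shell-style wildcard `pattern` (`*` matches any run of characters).
    A field that is absent from the event never matches, whatever the
    pattern says."""
    value = event.get(field)
    if value is None:
        return False
    return fnmatch.fnmatchcase(str(value), pattern)


def evaluate_filter(event, conditions):
    """Evaluate a conjunctive (AND) filter made of (field, pattern) pairs.

    Returns (overall_match, per_condition) so the caller can see which
    individual condition failed instead of only observing that nothing
    came through the filter."""
    per_condition = {
        f"{field} = {pattern}": condition_matches(event, field, pattern)
        for field, pattern in conditions
    }
    return all(per_condition.values()), per_condition


def diagnose(event, conditions):
    """Return the list of condition descriptions that did not match,
    which is the first thing to check when a filter stays empty."""
    _, per_condition = evaluate_filter(event, conditions)
    return [desc for desc, ok in per_condition.items() if not ok]


if __name__ == "__main__":
    # The two-condition filter from the post, written against Access.* fields.
    access_filter = [
        ("Access.AlertActivityType", "*WEB-ATTACKS Malformed HTTP Host Header 2*"),
        ("Access.DetectionIP", "192.0.2.1"),
    ]
    # The single-condition filter that did work, written against AnyAlert.*.
    tool_filter = [("AnyAlert.ToolAlias", "*firewall*")]

    print("Access filter matches:", evaluate_filter(SAMPLE_EVENT, access_filter)[0])
    for failed in diagnose(SAMPLE_EVENT, access_filter):
        print("  failed condition:", failed)
    print("AnyAlert filter matches:", evaluate_filter(SAMPLE_EVENT, tool_filter)[0])
```

Running it shows the `Access.*` filter failing on both of its conditions while the `AnyAlert.ToolAlias` filter matches, which is the pattern the post describes; the practical habit it encourages is to test each condition of a filter on its own before combining them or wiring the filter to an active response.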