5 Replies Latest reply on Mar 18, 2015 10:46 AM by tjreeddoc

    Rule triggers when it is not supposed to trigger

    tjreeddoc

      All,

      I am trying to resolve an issue with a LEM rule. I work in a group which admins three different servers that generate ping sweeps. We expect this traffic. So, I created a rule to send an email when any other server besides the three servers generates a ping sweep. While the rule triggers when any other server starts a ping sweep, it also triggers when any one of the three servers I do not want notification on starts a ping sweep.

      Any assistance would be appreciated.

        T.J.

        • Re: Rule triggers when it is not supposed to trigger
          HolyGuacamole

          There is no need for 2 groups. Collapse the 6 conditions into a single group. Toggle the outermost logic operator to an AND (the orange vertical line with the half circle should change to a blue line(?) with a triangle).

            • Re: Rule triggers when it is not supposed to trigger
              tjreeddoc

              HolyGuacamole,

              Thank you for the reply. I made the changes you described. However, I am still getting events from the servers in which I have placed a NOT (≠) in the logic. Following are screenshots of the Conditions and the Filter.

              Thank you,

              T.J.

              Note: I have removed the private IP addresses.

              [Screenshots: 3-17-2015_Still_getting_PingSweep_from_NIS_Servers.jpg, 3-17-201_Filter_Still_getting_PingSweep_from_NIS_Servers.jpg]

                • Re: Rule triggers when it is not supposed to trigger
                  HolyGuacamole

                  A couple of issues. There is a Group inside a Group. It is effectively a single group. The innermost group is joined by an OR logic. It should be AND. The outermost group logic is AND. Since there is only 1 group member (the inner group), the AND or OR really doesn't matter.

                  Your rule should look like below:

                  [Screenshot: LEM-Rule-75689.png]

                  Also, for future reference, the Correlations section of the rule definition can be equally validated using your filters. You can create a new filter in the MONITOR screen and mimic the Correlations part of the rule definition in the Conditions part of the Filter editor, and save the filter. Then choose the 'Send to nDepth' menu option, and search over a custom time frame to validate your search criteria.

              • Re: Rule triggers when it is not supposed to trigger
                curtisi

                So, I did some digging. No connector will throw a PingSweep event by itself. Some of them will create ICMPPingSweep events, or TCPPingSweep events, but no "just" PingSweep events.

                That means all of them are inferred from other rules, like:

                • ICMPTrafficAudit Echo Request Infer Ping Sweep alert
                • ICMPTrafficAudit Echo Reply Infer Ping Sweep alert

                If you want to stop the PingSweeps from some hosts, my advice would be:

                1. Create a user-defined group with the hosts that you want to ignore in it; it'll make things easier.
                2. Add that exemption to the rules that infer PingSweeps, like the two I mentioned.

                That'll stop the alerts from getting inferred in the first place, something like this:

                [Screenshot: 2015-03-18 07_32_32-Clipboard.png]
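The following is an added example, not code from this thread or from SolarWinds LEM: a small Python model of how a nested condition group of the kind shown in the screenshots evaluates, run over constructed PingSweep events. It shows why ≠ rows joined by OR still fire for the exempt servers (HolyGuacamole's point) and how a single membership test against a user-defined group (curtisi's approach) gives the same result as the corrected AND group. The field names "EventName" and "SourceMachine", the host addresses and the group contents are assumptions made for the example.

```python
# Added example (not SolarWinds LEM code): a model of how a LEM-style
# correlation group of nested AND/OR groups evaluates field comparisons,
# run over constructed PingSweep events.  Field names, host addresses and
# the exempt-host group are assumptions made for illustration.
from dataclasses import dataclass
from typing import Dict, List, Set, Union

Event = Dict[str, str]

# Assumed addresses of the three NIS servers whose sweeps are expected.
NIS_SERVERS: Set[str] = {"10.0.0.11", "10.0.0.12", "10.0.0.13"}

# Constructed sample PingSweep events: three from the NIS servers and two
# from hosts that should raise the alert.
EVENTS: List[Event] = [
    {"EventName": "PingSweep", "SourceMachine": "10.0.0.11"},
    {"EventName": "PingSweep", "SourceMachine": "10.0.0.12"},
    {"EventName": "PingSweep", "SourceMachine": "10.0.0.13"},
    {"EventName": "PingSweep", "SourceMachine": "10.0.0.50"},
    {"EventName": "PingSweep", "SourceMachine": "192.168.1.7"},
]


@dataclass
class Condition:
    """One row of a condition group: <field> <op> <value>."""
    field: str
    op: str          # "=", "!=" (the ≠ toggle) or "not in" (user-defined group)
    value: Union[str, Set[str]]

    def evaluate(self, event: Event) -> bool:
        actual = event.get(self.field)
        if self.op == "=":
            return actual == self.value
        if self.op == "!=":
            return actual != self.value
        if self.op == "not in":
            return actual not in self.value
        raise ValueError(f"unsupported operator {self.op!r}")


@dataclass
class Group:
    """A condition group joined by one logic operator; members may be groups."""
    logic: str       # "AND" or "OR"
    members: List[Union["Condition", "Group"]]

    def evaluate(self, event: Event) -> bool:
        results = [m.evaluate(event) for m in self.members]
        return all(results) if self.logic == "AND" else any(results)


def fired_hosts(rule: Group, events: List[Event]) -> List[str]:
    """Source hosts for which the rule would fire, in event order."""
    return [e["SourceMachine"] for e in events if rule.evaluate(e)]


def exempt_via_not_equals(logic: str) -> Group:
    """Rule built with one ≠ row per NIS server, joined by `logic`."""
    rows: List[Union[Condition, Group]] = [Condition("EventName", "=", "PingSweep")]
    rows += [Condition("SourceMachine", "!=", ip) for ip in sorted(NIS_SERVERS)]
    return Group(logic, rows)


# The rule as first built in the thread: ≠ rows in an inner group joined by
# OR, wrapped in an outer AND group that has only that one member.
RULE_OR_INNER = Group("AND", [exempt_via_not_equals("OR")])

# The corrected rule: a single group, every row joined by AND.
RULE_AND = exempt_via_not_equals("AND")

# The user-defined-group approach: one row testing membership of the group.
RULE_GROUP = Group("AND", [
    Condition("EventName", "=", "PingSweep"),
    Condition("SourceMachine", "not in", NIS_SERVERS),
])


if __name__ == "__main__":
    for name, rule in [("OR-joined ≠ rows", RULE_OR_INNER),
                       ("AND-joined ≠ rows", RULE_AND),
                       ("user-defined group", RULE_GROUP)]:
        print(f"{name:20s} fires for: {fired_hosts(rule, EVENTS)}")
```

With OR, an event from 10.0.0.11 satisfies the rows "SourceMachine ≠ 10.0.0.12" and "SourceMachine ≠ 10.0.0.13", so the group is true for every source and the rule fires for all five hosts. With AND, all three ≠ rows must hold at once, so only 10.0.0.50 and 192.168.1.7 fire, which is also what the single "not in group" row gives. Note that an event named TCPPingSweep or ICMPPingSweep does not match the "EventName = PingSweep" row at all, which is why, as curtisi notes, the exemption belongs in the rules that infer the PingSweep event rather than only in the rule that reacts to it.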