There is no need for 2 groups. Collapse the 6 conditions into a single group. Toggle the outermost logic operator to an AND (the orange vertical line with the half circle should change to a blue line(?) with a triangle).
A couple of issues. There is a Group inside a Group. It is effectively a single group. The innermost group is joined by an OR logic. It should be AND. The outermost group logic is AND. Since there is only 1 group member (the inner group), the AND or OR really doesn't matter.
Your rule should look like below.
Also, for future reference, the correlations section of the rule definition can be equally validated using your filters. You can create a new filter in the MONITOR screen and mimic the Correlations part of the Rule definition in the Conditions part of the Filter editor, and save the filter. Then choose the 'send to nDepth' menu option, and search over a custom time frame to validate your search criteria.
So, I did some digging. No connector will throw a PingSweep event by itself. Some of them will create ICMPPingSweep events, or TCPPingSweep events, but no "just" PingSweep events.
That means all of them are inferred from other rules, like:
- ICMPTrafficAudit Echo Request Infer Ping Sweep alert
- ICMPTrafficAudit Echo Reply Infer Ping Sweep alert
If you want to stop the PingSweeps from some hosts, my advice would be:
- Create a user defined group with the hosts that you want to ignore in it, it'll make things easier
- Add that exemption to rules that infer PingSweeps, like the two I mentioned
That'll stop the alerts from getting inferred in the first place, something like this:
HolyGuacamole and Curtis,
Thanks for the quick reply and suggestions. I will make changes and test.