Absent Member.

Public IP filter


Can anyone please suggest a way to create a filter for denied connections from public IPs only? I have created a filter, but sometimes private IPs are also coming into the dashboard. See the snapshot of the filter I have created.

externalIPfilter.JPG

Commander

What if you did:

Attacker Zone URI IN GROUP Public Address Space Zones

Or you could use the inverse:

NOT
  Attacker Zone URI IN GROUP Private Address Space Zones

Absent Member.

Nope, this doesn't seem to be working. After applying it, the dashboard is not showing anything.

Absent Member.

Dear Rahul,

Try this: delete your NOT condition and keep the whole thing under AND, writing it as in the screenshot below.

Public ip filter.jpg

Regards

Renjith

Absent Member.

Tried this as well, and other possibilities similar to this. Now working.

Commander

Hello Rahul,

The reason your original filter does not give the result you expect is the way your filter is evaluated with respect to the expressions connected with a NOT (this is, I believe, buggy in ArcSight): you cannot group expressions with NOT; very likely only the first expression is evaluated and the rest is ignored...

So, do not use a construct like:

NOT
  (expr1
   expr2
   expr3)

Instead (as Renjith James suggested), try it with:

AND
  (
   NOT expr1
   NOT expr2
   NOT expr3
  )

Hope it helps.

Regards,

Adam

Absent Member.

I have tried the other way round as well. But yes, that can be a reason for the filter not to work, because the private IPs coming into the dashboard were not from the subnet 10.0.0.0/8 but from the other two. Do you think it will work if I give 3 different NOT conditions??

Commander

Yes, it should work if you group the 3 individually negated conditions with an AND, like:

AND
  (
   NOT Attacker Address InSubnet 10.0.0.0/8
   NOT Attacker Address InSubnet 192.168.0.0/16
   NOT Attacker Address InSubnet 172.16.0.0/12
  )

Regards,

A.

Absent Member.
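The two filter shapes Adam contrasts, modelled in Python over constructed denied-connection events so the difference can be checked before touching a dashboard. This is an added example, not ArcSight's own code; the event rows are made up, and the "only the first grouped expression is honoured" behaviour is an assumption taken from the thread's description, not a verified ArcSight fact.

```python
"""Compare NOT(expr1 expr2 expr3) as the thread suspects it behaves with
AND(NOT expr1, NOT expr2, NOT expr3) over constructed firewall events."""
import ipaddress

# The three RFC 1918 ranges used as InSubnet operands in the accepted answer.
PRIVATE_SUBNETS = [ipaddress.ip_network(s) for s in
                   ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")]

# Constructed sample events (hypothetical Attacker Address values).
EVENTS = [
    {"name": "Deny", "attackerAddress": "10.4.5.6"},
    {"name": "Deny", "attackerAddress": "192.168.1.5"},
    {"name": "Deny", "attackerAddress": "172.20.3.4"},    # inside 172.16.0.0/12
    {"name": "Deny", "attackerAddress": "172.32.0.1"},    # just outside 172.16.0.0/12
    {"name": "Deny", "attackerAddress": "203.0.113.7"},
    {"name": "Permit", "attackerAddress": "198.51.100.2"},  # not a denied connection
]


def in_subnet(addr: str, net: ipaddress.IPv4Network) -> bool:
    """Model of 'Attacker Address InSubnet <net>'; an unparsable address never matches."""
    try:
        return ipaddress.ip_address(addr) in net
    except ValueError:
        return False


def grouped_not_as_observed(addr: str) -> bool:
    """NOT (expr1 expr2 expr3) evaluated the way the thread suspects:
    only the first expression inside the group takes effect."""
    return not in_subnet(addr, PRIVATE_SUBNETS[0])


def and_of_nots(addr: str) -> bool:
    """AND (NOT expr1, NOT expr2, NOT expr3): the accepted solution."""
    return all(not in_subnet(addr, net) for net in PRIVATE_SUBNETS)


def dashboard(events, public_check) -> list[str]:
    """Attacker addresses of denied connections that pass the public-only check."""
    return [e["attackerAddress"] for e in events
            if e["name"] == "Deny" and public_check(e["attackerAddress"])]


if __name__ == "__main__":
    print("grouped NOT :", dashboard(EVENTS, grouped_not_as_observed))
    print("AND of NOTs :", dashboard(EVENTS, and_of_nots))
```

The grouped-NOT model still lets 192.168.1.5 and 172.20.3.4 through, which matches the symptom Rahul reported; the AND-of-NOTs form keeps only addresses outside all three ranges.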

Well, if I edit the filter that is being used in the dashboard and reload the dashboard, will the private IPs that were coming into the dashboard disappear automatically??

private IP still showing in dashboard

Commander

Well, it depends on what sort of content you have on the given dashboard... If you have a data monitor on your dashboard, there might be some data collected/cached before you changed the filter. If you disable/re-enable the data monitor, it will flush its cache and start to populate the data based on the new filter.

Anyway, I suggest you validate your new filter with an active channel first, to make sure the filter brings you the events you really want to process.

Regards,

A.

Absent Member.

Thanks for the suggestions. Will disable and re-enable the data monitor and confirm whether it is working.

Absent Member.

Thanks for the above suggestions. They are working perfectly.

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.