AdamBlock

Rule disabled by system - worst case element matches above threshold (rule:701)

I have a rule which continues to be disabled and then re-enabled by the system.  The corresponding event generated when this happens has Device Event Class ID rule:701 - Deactivating the rule...worst case element matches = 2634650, above the threshold 1000000.

I am unsure of where to begin troubleshooting this issue.  Does this indicate an issue related to partial matches or possibly too many matches?

Thank you.

Adam B.

sahaya

Re: Rule disabled by system - worst case element matches above threshold (rule:701)

Hi,

rule:701 will be triggered when there is excessive recursion or event matching.

Can you share the rule conditions?

Regards,

Sahaya

sparky1

Re: Rule disabled by system - worst case element matches above threshold (rule:701)

Certainly sounds like you have a bad rule somewhere that may be looping, or your conditions are too open.

Review the rule that is causing the issues, and then see if you can make it more specific.

nils.guenther@t

Re: Rule disabled by system - worst case element matches above threshold (rule:701)

Most often this occurs when a rule matches on events that it fires itself. To avoid this, add the condition "Type=Base". This will make the rule only match base events delivered by connectors and NOT match events that it fires (as those are of type "Correlation").

AdamBlock

Re: Rule disabled by system - worst case element matches above threshold (rule:701)

I reviewed the logic of the rules involved and then rewrote them.  The rule:701 is no longer being triggered.

Regards.

michael.selph

Re: Rule disabled by system - worst case element matches above threshold (rule:701)

You should use type != Correlation or type IN Base,Aggregated if you have (or plan to have) aggregation turned on for any connectors.

Mostafa_Soliman
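The self-matching loop nils.guenther describes, and the Type conditions he and michael.selph recommend, as an added Python simulation that is not part of this thread or of ArcSight itself: the event schema, the constructed sample events and the parse_type_condition helper are assumptions, while the 1000000 threshold is the one quoted in the original post.

```python
"""Simulate the self-matching feedback loop behind ArcSight's rule:701.
Constructed example, not code from this thread or from ArcSight. Events are
plain dicts whose 'type' field holds Base, Aggregated or Correlation."""
import re
from collections import deque

ALL_TYPES = {"Base", "Aggregated", "Correlation"}
WORST_CASE_THRESHOLD = 1_000_000  # threshold quoted in the rule:701 event above


def parse_type_condition(cond):
    """Turn the Type conditions quoted in the replies into a set of allowed types.
    Accepts 'Type=Base', 'type != Correlation' and 'type IN Base,Aggregated'.
    An empty condition returns None: no Type filter at all."""
    if not cond:
        return None
    m = re.fullmatch(r"\s*type\s*(=|!=|IN)\s*([\w,\s]+?)\s*", cond, re.IGNORECASE)
    if not m:
        raise ValueError(f"unsupported Type condition: {cond!r}")
    values = {v.strip() for v in m.group(2).split(",")}
    return ALL_TYPES - values if m.group(1) == "!=" else values


def make_base_events(n, src="10.0.0.5", dst="10.0.0.9"):
    """Constructed connector events: n Base events from one source to one destination."""
    return [{"type": "Base", "src": src, "dst": dst, "dport": 1000 + i} for i in range(n)]


def simulate(events, type_cond="", limit=WORST_CASE_THRESHOLD):
    """Run a rule that fires one Correlation event per matching event.
    The fired event re-enters the same stream, as it does in ESM. Returns
    (matches, deactivated): deactivated is True when the match count reaches
    'limit', the analogue of rule:701 switching the rule off."""
    allowed = parse_type_condition(type_cond)
    queue, matches = deque(events), 0
    while queue:
        ev = queue.popleft()
        if allowed is not None and ev["type"] not in allowed:
            continue  # the Type condition excludes this event
        matches += 1
        if matches >= limit:
            return matches, True  # runaway growth: the engine would disable the rule
        # the rule fires: its Correlation event copies src/dst/dport and is queued again
        queue.append({**ev, "type": "Correlation"})
    return matches, False


if __name__ == "__main__":
    print("no Type condition:  ", simulate(make_base_events(5), "", limit=100_000))
    print("Type=Base:          ", simulate(make_base_events(5), "Type=Base"))
    print("type != Correlation:", simulate(make_base_events(5), "type != Correlation"))
```

With no Type condition five connector events never stop producing matches; with either recommended condition the rule matches exactly the five Base events and its own Correlation events are ignored.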

Re: Rule disabled by system - worst case element matches above threshold (rule:701)

Hi Adam,

I am facing the same problem. I have a Palo Alto Firewall, and I have written a simple rule that matches 5 events from the same source to the same destination where the target port is unique, to try to identify a vertical portscan. The amount of EPS that I receive from Palo Alto is around 200 EPS, but my rule is showing 3M+ partial matches on the Rule status dashboard.

Thank you,

MS
