Please give me your opinion of this Logger connector filter on ESM

I posted this on the ESM forum as well...

One of our security admins put this huge filter on the Logger connector at the ESM endpoint of the Logger/ESM in order to make his channels, rules and dashboards.  As our daily event count is increasing, we have been seeing more and more intermittent down messages from the logger connector and ASM too.  I wonder if the load this filter is putting on the box could be the cause of the intermittent down/up messages that are no longer than a second apart, but frequent.

Please comment as I need help with this, even if it's laughter :-).

The filter is rather cryptic.  If you wish me to send you a pdf of it in the usual tree format we are familiar with, then please email me and I will send it to you... thanks.  Maybe it is available as an attachment below.  Didn't know you could do that...

My email is mike.siedelberg@us.pgds.com

event1 : (
    ( Attacker Address = 10.8.31.3 AND Name = Netbios_Session_Rejected )
    OR ( Name = TCP_Probe_SMTP AND ( Attacker Address = 10.5.85.101 OR Attacker Address = 10.5.85.1 ) )
    OR ( Attacker Address = 10.5.48.25 AND ( Name = Netbios_Name_Scan OR Name = Synthesized_Host_Attack_Flood ) )
    OR ( Target Address = 10.5.80.200 AND ( Name = SNMP_Community OR Name = SNMP_Activity ) )
    OR ( Attacker Address = 10.5.85.1 AND ( Name = TCP_Probe_Telnet OR Name = Ping_Sweep OR Name = TCP_Service_Sweep OR Name = SSH_Brute_Force OR Name = RPC_Portmap_Dump OR Name = SMB_Service_Sweep OR Name = SNMP_Activity ) )
    OR ( Attacker Address = 10.5.48.55 AND ( Name = UDP_Probe_SNMP OR Name = UDP_Probe_Other ) )
    OR ( Attacker Address = 10.8.110.204 AND Name StartsWith UDP )
    OR ( Attacker Address = 10.12.104.36 AND ( Name = UDP_Probe_SNMP OR Name = Netbios_Session_Rejected OR Name = Fraggle_Attack OR Name = TCP_Service_Sweep OR Name = UDP_Service_Sweep OR Name = UDP_Probe_Echo OR Name = SMB_Service_Sweep ) )
    OR Message = change root directory to: /var/empty
    OR Message = change current directory to: /
    OR Attacker Address = 10.9.82.60
    OR Attacker Address = 10.13.82.60
    OR Attacker Address = 10.8.111.41
    OR Attacker Address = 10.9.233.16
    OR Attacker Address = 10.9.233.15
    OR Target Address = 10.9.82.60
    OR Target Address = 10.13.82.60
    OR Target Address = 10.8.111.41
    OR Target Address = 10.9.233.16
    OR Target Address = 10.9.233.15
    OR ( Attacker Service Name = db2sysc AND Device Severity != FAIL_AUTH )
    OR ( ( Attacker Address = 10.5.50.28 OR Target Address = 10.5.50.28 ) AND ( Name StartsWith UDP OR Name StartsWith TCP OR Name = Netbios_Session_Rejected OR Name StartsWith S ) )
)

Accepted Solutions

I really could not understand the use of this filter and what it is trying to detect. But I am pretty sure that this filter will definitely cause performance issues as there are 10+ OR (one of the most costly operators when it comes to resource consumption) operators along with so many ANDs.

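The accepted answer blames the long OR chain for the load. What follows is an added example, not code from ArcSight, Micro Focus or anyone in this thread: a small Python evaluator that takes the filter exactly as posted, counts how many field comparisons each event costs under a left-to-right short-circuit model (an assumption of mine; nothing on the page documents how the connector's engine evaluates filters), and checks that a restructured version, with the ten bare Attacker/Target Address terms folded into two set lookups placed first, returns the same verdict on a handful of constructed sample events. The field keys (attackerAddress, targetAddress, name, message, attackerServiceName, deviceSeverity) are my own labels for the fields the filter references.

```python
"""Added example (not ArcSight code): score the posted filter by counting
field comparisons per event under a left-to-right short-circuit model
(assumption), and verify a restructured filter is equivalent to it."""

def eq(f, v):      return ("eq", f, v)
def ne(f, v):      return ("ne", f, v)
def sw(f, p):      return ("sw", f, p)          # StartsWith
def in_set(f, vs): return ("in", f, frozenset(vs))
def any_of(*t):    return ("or",) + t
def all_of(*t):    return ("and",) + t
def name_in(*names): return any_of(*(eq("name", n) for n in names))

A, T = "attackerAddress", "targetAddress"       # my field keys (assumption)
HOSTS = ["10.9.82.60", "10.13.82.60", "10.8.111.41", "10.9.233.16", "10.9.233.15"]

# Every term of the posted filter except the ten bare address terms, in posted order.
COMPOUND_TERMS = [
    all_of(eq(A, "10.8.31.3"), eq("name", "Netbios_Session_Rejected")),
    all_of(eq("name", "TCP_Probe_SMTP"), any_of(eq(A, "10.5.85.101"), eq(A, "10.5.85.1"))),
    all_of(eq(A, "10.5.48.25"), name_in("Netbios_Name_Scan", "Synthesized_Host_Attack_Flood")),
    all_of(eq(T, "10.5.80.200"), name_in("SNMP_Community", "SNMP_Activity")),
    all_of(eq(A, "10.5.85.1"), name_in("TCP_Probe_Telnet", "Ping_Sweep", "TCP_Service_Sweep",
           "SSH_Brute_Force", "RPC_Portmap_Dump", "SMB_Service_Sweep", "SNMP_Activity")),
    all_of(eq(A, "10.5.48.55"), name_in("UDP_Probe_SNMP", "UDP_Probe_Other")),
    all_of(eq(A, "10.8.110.204"), sw("name", "UDP")),
    all_of(eq(A, "10.12.104.36"), name_in("UDP_Probe_SNMP", "Netbios_Session_Rejected",
           "Fraggle_Attack", "TCP_Service_Sweep", "UDP_Service_Sweep", "UDP_Probe_Echo",
           "SMB_Service_Sweep")),
    eq("message", "change root directory to: /var/empty"),
    eq("message", "change current directory to: /"),
]
TAIL_TERMS = [
    all_of(eq("attackerServiceName", "db2sysc"), ne("deviceSeverity", "FAIL_AUTH")),
    all_of(any_of(eq(A, "10.5.50.28"), eq(T, "10.5.50.28")),
           any_of(sw("name", "UDP"), sw("name", "TCP"),
                  eq("name", "Netbios_Session_Rejected"), sw("name", "S"))),
]

# The filter as posted: one flat OR chain with the address terms inline.
FLAT = any_of(*COMPOUND_TERMS,
              *(eq(A, h) for h in HOSTS), *(eq(T, h) for h in HOSTS),
              *TAIL_TERMS)

# Same predicate, the ten address terms folded into two set lookups placed first.
FOLDED = any_of(in_set(A, HOSTS), in_set(T, HOSTS), *COMPOUND_TERMS, *TAIL_TERMS)


def evaluate(term, event, counter):
    """Return whether event matches term; counter[0] accumulates leaf comparisons."""
    op = term[0]
    if op == "and":
        return all(evaluate(t, event, counter) for t in term[1:])  # short-circuits
    if op == "or":
        return any(evaluate(t, event, counter) for t in term[1:])  # short-circuits
    counter[0] += 1                       # every leaf costs one comparison (assumption)
    _, f, v = term
    val = event.get(f, "")                # absent field behaves like an empty string
    if op == "eq": return val == v
    if op == "ne": return val != v
    if op == "sw": return val.startswith(v)
    if op == "in": return val in v
    raise ValueError(f"unknown operator {op!r}")


def cost(term, event):
    """(matched, comparisons) for one event."""
    counter = [0]
    return evaluate(term, event, counter), counter[0]


def equivalent(t1, t2, events):
    """True if both filters give the same verdict on every event supplied."""
    return all(cost(t1, e)[0] == cost(t2, e)[0] for e in events)


# Constructed sample events (not real traffic from the thread).
EVENTS = [
    {A: "10.1.1.1", T: "10.2.2.2", "name": "Ping_Sweep"},                  # matches nothing
    {A: "10.9.233.15", T: "10.2.2.2", "name": "Ping_Sweep"},               # bare attacker host
    {A: "10.5.50.28", T: "10.2.2.2", "name": "SSH_Brute_Force"},           # last compound term
    {A: "10.1.1.1", T: "10.2.2.2", "name": "x", "message": "change current directory to: /"},
    {A: "10.1.1.1", T: "10.2.2.2", "attackerServiceName": "db2sysc",
     "deviceSeverity": "FAIL_AUTH"},                                       # excluded by the != term
]

if __name__ == "__main__":
    for e in EVENTS:
        print("flat:", cost(FLAT, e), " folded:", cost(FOLDED, e))
    print("equivalent on samples:", equivalent(FLAT, FOLDED, EVENTS))
```

Run as a script it prints (matched, comparisons) for both forms of the filter. Under this model an event that matches nothing costs the flat chain 23 comparisons and the folded one 15, and an event from one of the five listed hosts drops from 15 to a single set lookup. The exact numbers depend on the real engine, which is not described in the thread; the transferable point is that a restructured filter can be checked for equivalence against recorded events before anyone replaces the one on the connector, and that a worst-case (non-matching) event, which is the common case on a busy Logger, is what sets the per-event cost.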

Didn't see this earlier, but one can attach a file, so here is the PDF...
