
IP and subnet based correlation rule help needed


Hi,

I am trying to write a rule for the following: generate an alert when an
IP accesses N different VLANs.

Is it possible to convert dip to its subnet within the correlation rule?
How?

Thanks,
Hakan


--
hkalyoncu
------------------------------------------------------------------------
hkalyoncu's Profile: https://forums.netiq.com/member.php?userid=3117
View this thread: https://forums.netiq.com/showthread.php?t=46399


Re: IP and subnet based correlation rule help needed

If you choose the TargetTranslatedIP (dip) field in the correlation rule
builder, one of the operators is 'Match Subnet', and in there you can put
something like 10.0.1.0/24 to match anything in the 10.0.1.x range, or
whatever. Does that do what you need? This testing was done with Sentinel 7.x.

Good luck.

Re: IP and subnet based correlation rule help needed


ab;223494 Wrote:
> If you choose the TargetTranslatedIP (dip) field in the correlation rule
> builder one of the operators is 'Match Subnet' and in there you can put
> something like 10.0.1.0/24 to match anything in the 10.0.1.x range, or
> whatever. Does that do what you need? This testing done w/Sentinel 7.x.
>
> Good luck.


In fact, no. I need to count different subnets, not search for a known
one.

Therefore I need to find a way to convert the IP to the corresponding
subnet value and then do the correlation-related tasks on that.

In fact I found a (not ideal) solution: write a custom.js for the
collector that converts the IP to its subnet and writes that to a
customer variable field during the parsing phase.

Thanks,
Hakan


--
hkalyoncu
------------------------------------------------------------------------
hkalyoncu's Profile: https://forums.netiq.com/member.php?userid=3117


Re: IP and subnet based correlation rule help needed


Hi Hakan,

That's exactly the solution I was going to propose. Can you explain why
you feel this is non-ideal? The purpose of the Collector customization
is specifically to enable customers to perform additional
transformations on the event data for specific analysis, hence you are
using it exactly as intended.

I should also note that correlation cannot currently count 'distinct'
instances of things, although you can use discriminator() and window()
and/or Dynamic Lists to get pretty close.


--
DCorlette
------------------------------------------------------------------------
DCorlette's Profile: https://forums.netiq.com/member.php?userid=323
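An added example, not part of the thread and not Sentinel's own code, of the approach discussed in the two posts above: Hakan normalizes the destination IP to its subnet at parse time, and DCorlette notes that correlation cannot count distinct values natively. The block below is plain JavaScript (runnable under Node): `subnetOf` is the kind of helper a collector custom.js could call during parsing, and `distinctSubnetAlerts` shows the sliding-window "N distinct subnets per source IP" logic over constructed sample events. The Sentinel collector hook that would invoke `subnetOf`, the field it would write to (a CustomerVar is one option), the use of a /24 as a stand-in for a VLAN, the window, and the threshold are all assumptions; the events are made up for the demonstration.

```javascript
// Added example (not from the thread or from Sentinel). Assumptions: one /24
// stands in for one VLAN; the collector hook that calls subnetOf() and the
// event field it writes to are left to the reader; sample events are constructed.

// Dotted-quad IPv4 -> unsigned 32-bit integer, or null on malformed input.
// Returning null (rather than throwing) keeps a parse-time helper from
// killing the collector on a garbage dip such as "n/a" or "unknown".
function ipv4ToInt(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}

// Unsigned 32-bit integer -> dotted quad.
function intToIpv4(n) {
  return [n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255].join('.');
}

// Address + prefix length -> CIDR string of its network, e.g.
// subnetOf('10.0.1.77', 24) -> '10.0.1.0/24'. Null if the address or prefix is bad.
function subnetOf(ip, prefixLen) {
  const n = ipv4ToInt(ip);
  if (n === null || !Number.isInteger(prefixLen) || prefixLen < 0 || prefixLen > 32) return null;
  // JS shifts are mod 32, so a 32-bit shift for /0 must be special-cased.
  const mask = prefixLen === 0 ? 0 : (0xFFFFFFFF << (32 - prefixLen)) >>> 0;
  const net = (n & mask) >>> 0;
  return intToIpv4(net) + '/' + prefixLen;
}

// Sliding-window distinct count: for each source IP, keep the subnets it
// touched in the last windowSec seconds and fire once when the count of
// distinct subnets crosses threshold. Events are { t: epochSeconds, sip, dip }.
// Returns [{ sip, at, subnets }], one alert per crossing.
function distinctSubnetAlerts(events, opts) {
  const { windowSec, threshold, prefixLen } = opts;
  const sorted = events.slice().sort((a, b) => a.t - b.t);
  const seen = new Map(); // sip -> [{ t, subnet }] inside the window
  const alerts = [];
  for (const ev of sorted) {
    const subnet = subnetOf(ev.dip, prefixLen);
    if (subnet === null) continue; // unparsable dip: skip, do not alert
    const hist = (seen.get(ev.sip) || []).filter(h => ev.t - h.t <= windowSec);
    const before = new Set(hist.map(h => h.subnet)).size;
    hist.push({ t: ev.t, subnet });
    seen.set(ev.sip, hist);
    const distinct = new Set(hist.map(h => h.subnet));
    if (before < threshold && distinct.size >= threshold) {
      alerts.push({ sip: ev.sip, at: ev.t, subnets: Array.from(distinct).sort() });
    }
  }
  return alerts;
}

// Constructed sample events (not real log data).
const SAMPLE_EVENTS = [
  { t: 0,   sip: '192.168.50.10', dip: '10.0.1.5' },
  { t: 20,  sip: '192.168.50.10', dip: '10.0.1.9' },   // same /24 as above: not a new subnet
  { t: 45,  sip: '192.168.50.10', dip: '10.0.2.5' },
  { t: 60,  sip: '192.168.50.10', dip: 'unknown' },    // unparsable dip: ignored
  { t: 70,  sip: '192.168.50.10', dip: '10.0.3.1' },   // third distinct /24 -> alert
  { t: 80,  sip: '192.168.50.11', dip: '10.0.1.5' },
  { t: 90,  sip: '192.168.50.11', dip: '10.0.2.5' },   // only two subnets: no alert
  { t: 500, sip: '192.168.50.10', dip: '10.0.4.1' },   // earlier entries aged out of the window
];

console.log(JSON.stringify(
  distinctSubnetAlerts(SAMPLE_EVENTS, { windowSec: 300, threshold: 3, prefixLen: 24 }),
  null, 2));
```

The window and threshold are the two knobs that decide how noisy this is: a scanner hopping across VLANs trips it quickly, while a host that legitimately talks to a handful of subnets every day never does unless the threshold is set below its normal fan-out, so baseline that number before alerting on it.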


Re: IP and subnet based correlation rule help needed


I felt it was not ideal because I was expecting Sentinel to provide me a simple
notation (similar to "Match Subnet") for the correlation rule.
Btw, subnet notation is not working in my environment:
"sip:10.0.1.0/24" returns nothing, but the query "sip:10.0.1.*" returns
the records I expected!


--
hkalyoncu
------------------------------------------------------------------------
hkalyoncu's Profile: https://forums.netiq.com/member.php?userid=3117


Re: IP and subnet based correlation rule help needed

Match subnet is a correlation feature using RuleLG. The
sip:value.goes.here is a standard filter feature. If you are trying to
use CIDR notation in a filter, I do not have any reason to believe it will
or should work. The raw text for the RuleLG looks like this:

filter(((e.SourceIP match subnet (10.0.1.0/24))))

Good luck.

Re: IP and subnet based correlation rule help needed


One slight correction: 'dip' is 'TargetIP'. 'dxip' is
'TargetTranslatedIP'.


--
DCorlette
------------------------------------------------------------------------
DCorlette's Profile: https://forums.netiq.com/member.php?userid=323
