Topic
  • 3 replies
  • Latest Post - 2014-02-19T20:14:00Z by Alaa Ali
Stefan Z.
2 Posts

Pinned topic Flow rule fired on wrong source

2014-02-17T08:31:38Z |

Hi

I've created a FLOW rule to alert me on traffic from a certain source IP. Curiously, the rule gets fired on flows that aren't related to the specified source IP. Why is that? Has anybody seen similar behavior?

Kind regards

Updated on 2014-02-17T08:31:50Z at 2014-02-17T08:31:50Z by Stefan Z.
  • Alaa Ali
    8 Posts
    ACCEPTED ANSWER

    Re: Flow rule fired on wrong source

    2014-02-19T20:14:00Z
    • Stefan Z.
    • 2014-02-19T07:44:56Z

    Sorry about that and thank you for your reply! I defined a rule with the wizard "New Flow Rule" and defined only one trigger, "and when the source IP is one of the following ...". Nothing is selected under "Rule Action", and Email is configured as the "Rule Response". Finally, the option to enable the rule is activated. That's it.

    By "fired" I mean QRadar sends me e-mails saying the rule was fired. But in that e-mail neither the source nor the destination matches the configured one. If I search within Network Activity with the filter "Rule custom" and my rule selected, no results are shown (which is correct).

    Is it maybe possible that the rule processing engine does something wrong? What I think more likely is that I don't understand the logic of rules in QRadar :)...

    That is very strange. No, you understand the logic of the rules correctly, or at least in this example, but that is definitely something that is not supposed to happen. I think you should log a PMR with IBM and see what they have to say about that.

  • Alaa Ali
    8 Posts

    Re: Flow rule fired on wrong source

    2014-02-17T16:06:43Z

    You need to be more specific than that. What exactly are the rule tests you're using? And when you say the rule gets "fired on flows": do you mean flows are tagged with the rule in the "Rules Matched" part of the flow, or do you mean they become part of an offense? What is the response for the rule exactly; for example, if you're asking it to create an offense, what is the Index based on and if you have a Rule Limit Responder, what is it based upon?

    Updated on 2014-02-17T16:07:25Z at 2014-02-17T16:07:25Z by Alaa Ali
  • Stefan Z.
    2 Posts

    Re: Flow rule fired on wrong source

    2014-02-19T07:44:56Z

    Sorry about that and thank you for your reply! I defined a rule with the wizard "New Flow Rule" and defined only one trigger, "and when the source IP is one of the following ...". Nothing is selected under "Rule Action", and Email is configured as the "Rule Response". Finally, the option to enable the rule is activated. That's it.

    By "fired" I mean QRadar sends me e-mails saying the rule was fired. But in that e-mail neither the source nor the destination matches the configured one. If I search within Network Activity with the filter "Rule custom" and my rule selected, no results are shown (which is correct).

    Is it maybe possible that the rule processing engine does something wrong? What I think more likely is that I don't understand the logic of rules in QRadar :)...
