Difference: SaganRuleReference (23 vs. 24)

Revision 24 2017-06-07 - ChampClark

Line: 1 to 1
 
META TOPICPARENT name="SaganMain"
Sagan rule options and definitions:
Line: 224 to 224
  If the xbit "myxbit" isnotset, then trigger an event/alert. Track by both the source and desination of the message.
Changed:
<
<
xbits: unset, none, myxbit;
>
>
xbits: unset, both, myxbit;
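Review bot: Changing the example's tracking keyword from `none` to `both` leaves the page with no example of `none` and no statement of whether `none` is still accepted by `unset`; if it remains valid, keep the old line as a second example or say so in the text, and state the argument order (action, tracking, name) that `xbits: unset, both, myxbit;` implies rather than leaving the reader to infer it. The unchanged context line above also carries "desination" for "destination".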
 
Changed:
<
<
This unset (remove from memory) a flow bit. unset the flowit reguardless of the source or destination.
>
>
This unset removes an xbit from memory. In this example, unset is removing a xbit "myxbit" if the source and destination math (both).
  Example of xbit use can be found in the rules https://wiki.quadrantsec.com/twiki/bin/view/Main/5001880 and https://wiki.quadrantsec.com/twiki/bin/view/Main/5001881 . The first rule (5001880) "sets" a xbit is a Microsoft Windows account is "created". The second rule (5001881) alerts an account is "enabled", but the xbit has not (isnotset) set. In this example, it's normal for a users account to be "created and then enabled". However, there might be an anomaly if an account goes from a "disabled" and then "enabled" state without being "created".
xbits: noalert;
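Review bot: In the new sentence "math" should read "match" and "a xbit" should read "an xbit" (the same article slip appears twice in the unchanged context below, along with "sets a xbit is a Microsoft Windows account" which should read "if a Microsoft Windows account"). The rewrite also drops the old revision's statement of what `unset` does when the tracking keyword is `none` (remove the bit regardless of source or destination); since the example now shows only `both`, add one sentence covering the other tracking keywords so a reader knows that `unset` with `none` and `unset` with `both` have different scope. "This unset removes an xbit from memory" would read better as "The unset action removes an xbit from memory".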
 
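As an added illustration of the set / isnotset / unset semantics described in the changed passages above and in the 5001880 / 5001881 scenario, here is a toy model written for this page; it is not Sagan's code. The tracking keywords `src`, `dst`, `both` and `none`, the name `myxbit` and the create/enable rule behaviour follow the wiki text; the sample log lines, the substring matching that stands in for Sagan's content/program tests, and the exact meaning of `none` (a single untracked copy, so that unset removes every copy regardless of source or destination, per the old revision's wording) are assumptions.

```python
# Toy model of Sagan xbit semantics (set / isnotset / unset with direction
# tracking). Added illustration, not Sagan's code. The keywords src, dst,
# both, none and the 5001880/5001881 rule behaviour follow the wiki text;
# the meaning of "none" (one untracked copy; unset drops every copy) is an
# assumption taken from the wording of the old revision.
from dataclasses import dataclass


@dataclass
class Event:
    src: str   # source host of the message
    dst: str   # destination host of the message
    msg: str   # log text


def track_key(direction, ev):
    """Tracking key an xbit is stored under for this event."""
    if direction == "src":
        return (ev.src,)
    if direction == "dst":
        return (ev.dst,)
    if direction == "both":
        return (ev.src, ev.dst)
    if direction == "none":   # assumed: single copy, no per-host tracking
        return ()
    raise ValueError(f"unknown tracking keyword: {direction}")


class XbitTable:
    """In-memory xbit store keyed by (name, tracking key)."""

    def __init__(self):
        self.bits = set()

    def set(self, name, direction, ev):
        self.bits.add((name, track_key(direction, ev)))

    def isnotset(self, name, direction, ev):
        return (name, track_key(direction, ev)) not in self.bits

    def unset(self, name, direction, ev):
        if direction == "none":
            # assumed: remove every copy of the bit regardless of src/dst
            self.bits = {b for b in self.bits if b[0] != name}
        else:
            # "both": remove only the copy whose src AND dst match this event
            self.bits.discard((name, track_key(direction, ev)))

    def count(self, name):
        return sum(1 for b in self.bits if b[0] == name)


def account_rules(direction):
    """Rules modelled after 5001880 (set on create) and 5001881 (alert on
    enable when the bit is not set). "match" is a substring stand-in for
    Sagan's content/program matching."""
    return [
        {"match": "account was created", "xbits": ("set", direction, "myxbit")},
        {"match": "account was enabled", "xbits": ("isnotset", direction, "myxbit"),
         "alert": "account enabled without prior creation"},
    ]


def run(events, rules):
    """Feed events through the rules; return the alerts that fired."""
    table, alerts = XbitTable(), []
    for ev in events:
        for rule in rules:
            if rule["match"] not in ev.msg:
                continue
            op, direction, name = rule["xbits"]
            if op == "set":
                table.set(name, direction, ev)
            elif op == "isnotset" and table.isnotset(name, direction, ev):
                alerts.append(f"{rule['alert']} ({ev.src}->{ev.dst})")
    return alerts


# Constructed sample events (not real Windows event text).
CREATED_5 = Event("10.0.0.5", "dc01", "A user account was created: jdoe")
ENABLED_5 = Event("10.0.0.5", "dc01", "A user account was enabled: jdoe")
ENABLED_9 = Event("10.0.0.9", "dc01", "A user account was enabled: jdoe")


def normal_sequence():
    # created then enabled, same src/dst pair: bit is set, no alert
    return run([CREATED_5, ENABLED_5], account_rules("both"))


def enable_without_create():
    # enabled with no creation seen: isnotset holds, the rule fires
    return run([ENABLED_9], account_rules("both"))


def direction_matters():
    # same events tracked "both" vs "none": under "both" the enable from
    # 10.0.0.9 keys differently from the create from 10.0.0.5, so it alerts
    both = len(run([CREATED_5, ENABLED_9], account_rules("both")))
    none = len(run([CREATED_5, ENABLED_9], account_rules("none")))
    return both, none


def unset_scope():
    # unset "both" clears only the matching pair; unset "none" clears all copies
    t = XbitTable()
    t.set("myxbit", "both", CREATED_5)
    t.set("myxbit", "both", ENABLED_9)
    t.unset("myxbit", "both", ENABLED_9)    # drops (10.0.0.9, dc01) only
    after_both = t.count("myxbit")
    t.unset("myxbit", "none", ENABLED_9)    # drops the remaining copy
    return after_both, t.count("myxbit")
```

`direction_matters()` is the case the changed example turns on: tracked with `both`, an enable seen from a different source than the create does not find the bit and alerts, while with `none` the single untracked copy suppresses it. `unset_scope()` shows the same difference for the unset action itself.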