ajp1 (Posted September 6)

Hi there,

I'm trying to create an advanced exclusion for one of the rules. The triggered event has something like this:

Event = TcpIpConnect IP-Address:PORT (Domain-Name.com)

I know I can create this exclusion with the IP address:

```xml
<condition component="Network" property="IpAddressV4" condition="is" value="X.X.X.X" />
```

but the target is a CDN address, and the IP keeps changing all the time. The ideal exclusion for us would be something that has Domain-Name.com in it, but I'm not sure if I can do that. I tried:

```xml
<operations>
  <operation type="TcpIpConnect">
    <operator type="AND">
      <condition component="Network" property="Port" condition="is" value="443" />
      <operator type="OR">
        <condition component="Network" property="Hostname" condition="contains" value="Domain-Name" />
        <condition component="Network" property="Url" condition="contains" value="Domain-Name" />
      </operator>
    </operator>
  </operation>
</operations>
```

But it did not match anything. Can I even use the Hostname and Url properties to create exclusions for filtering TcpIpConnect events?

Thanks,
Arsalan
JamesR, ESET Staff (Posted September 6)

I was able to get an exclusion working for the rule "Powershell.exe creates an external network connection [A0502b]", which has a trigger event of "TcpIpConnect 123.234.231.210:443 (my.example.cloud.azure.com)" (no, those are not real IPs or domains for my test, just examples).

Here is the exclusion I made that worked. You should be able to use your "Port" condition as well. The main difference between how I made the "Hostname" condition and yours is that I used "is", where you used "contains". If it is an exact match, you should use "is". I would also recommend using "Starts" or "Ends" instead of "contains".

If this does not help, please let me know what the rule name is so I can try to simulate this in my test environment. Also, knowing the EI Server version and EI Connector version may be important.

```xml
<definition>
  <operations>
    <operation type="TcpIpConnect">
      <operator type="and">
        <condition component="Network" property="Hostname" condition="is" value="my.example.cloud.azure.com" />
      </operator>
    </operation>
  </operations>
</definition>
```
ajp1 (Author, Posted September 6)

Hi James,

I haven't tried with condition="is" yet. In my case, PS tries to connect to different CDN addresses. That's why I thought condition="contains" would do the trick. I will give it a try with "is".

Thanks so much for taking the time and answering.
ajp1 (Author, Posted September 12)

Hi James,

Even with "is", it did not work as expected. I spoke with some guys at ESET support and ended up using:

```xml
<condition component="Network" property="Hostname" condition="ends" value="domainname.com" />
```
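As an added example (not posted by anyone in this thread), here is a complete exclusion definition that puts the pieces together: the "Port" condition James said could be kept, and the "ends" Hostname match that ajp1 reports ESET support recommended for a CDN whose IP changes. The domain "domainname.com", the port and the comments are assumptions for illustration, and the lowercase operator types follow James's working definition. The one caveat a practitioner should care about is that a bare suffix match on "domainname.com" also matches an unrelated host such as "evildomainname.com"; anchoring the suffix with a leading dot avoids that, and a separate "is" condition covers the apex domain, which the dotted suffix no longer matches. Whether your EI Server version accepts a nested "or" under "and" in this form should be confirmed on a test rule before relying on it:

```xml
<definition>
  <operations>
    <operation type="TcpIpConnect">
      <operator type="and">
        <!-- Assumption: the CDN is only reached over TLS. Drop this condition
             if the rule should also be silenced for other ports. -->
        <condition component="Network" property="Port" condition="is" value="443" />
        <operator type="or">
          <!-- Leading dot: matches cdn1.domainname.com and edge.eu.domainname.com,
               but not evildomainname.com (a bare "domainname.com" suffix would). -->
          <condition component="Network" property="Hostname" condition="ends" value=".domainname.com" />
          <!-- The apex itself does not end with ".domainname.com", so match it exactly. -->
          <condition component="Network" property="Hostname" condition="is" value="domainname.com" />
        </operator>
      </operator>
    </operation>
  </operations>
</definition>
```

Keep the exclusion scoped to the rule it is meant for rather than applying it globally: a hostname suffix match says nothing about which process made the connection, so an exclusion that is too broad would also hide a different tool calling out to the same CDN.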