
Help with an exclusion when <operation type="TcpIpConnect">



Hi there,

I'm trying to create an advanced exclusion for one of the rules. The triggered event has something like this:

Event = TcpIpConnect

IP-Address:PORT(Domain-Name.com)


I know I can create this exclusion with the IP address:
<condition component="Network" property="IpAddressV4" condition="is" value="X.X.X.X" />
but the target is a CDN address, and the IP keeps changing all the time.
The ideal exclusion for us would be something that has the Domain-name.com in it, but I'm not sure if I can do that.

I tried:

    <operations>
        <operation type="TcpIpConnect">
            <operator type="AND">
                <condition component="Network" property="Port" condition="is" value="443" />
                <operator type="OR">
                    <condition component="Network" property="Hostname" condition="contains" value="Domain-Name" />
                    <condition component="Network" property="Url" condition="contains" value="Domain-Name" />
                </operator>
            </operator>
        </operation>
    </operations>

But it did not match anything.

Can I even use Hostname and Url Property to create exclusions for filtering TcpIpConnect events?

Thanks,
Arsalan


  • ESET Staff

I was able to get an exclusion working for rule "Powershell.exe creates an external network connection [A0502b]" which has a trigger event of " TcpIpConnect 123.234.231.210:443 (my.example.cloud.azure.com)" (No those are not real IPs or Domains for my test...just examples).

Here is the exclusion I made that worked. You should be able to use your "Port" condition as well. The main difference between how I made the "Hostname" condition and yours is that I used "is", where you used "contains". If it is an exact match, you should use "is". I would also recommend using "Starts" or "Ends" instead of "contains".


If this does not help, please let me know what the rule name is so I can try and simulate this in my test environment. Also, knowing the EI Server version and EI Connector version may be important.

 

<definition>
    <operations>
        <operation type="TcpIpConnect">
            <operator type="and">
                <condition component="Network" property="Hostname" condition="is" value="my.example.cloud.azure.com" />
            </operator>
        </operation>
    </operations>
</definition>


Hi James,

I haven't tried with condition="is" yet. In my case, PS tries to connect to different CDN addresses. That's why I thought condition="contains" would do the trick.

I will give it a try with "is."


Thanks so much for taking the time and answering.

Hi James,


Even with "is," it did not work as expected. I spoke with some guys at ESET support and ended up using property="Hostname" condition="ends" value="domainname.com"

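To make the difference between "is", "contains" and "ends" concrete, here is an added evaluator for this exclusion format (example code written for this thread, not ESET's own engine). It assumes plain case-insensitive string matching on the Port and Hostname properties and reuses the example domain from the thread; ESET Inspect's actual matching rules may differ.

```python
import xml.etree.ElementTree as ET

# Constructed exclusion in the thread's format: port 443 AND a hostname that
# ends with the example domain, so every CDN host under it is covered.
EXCLUSION_XML = """
<definition>
  <operations>
    <operation type="TcpIpConnect">
      <operator type="and">
        <condition component="Network" property="Port" condition="is" value="443" />
        <condition component="Network" property="Hostname" condition="ends" value="example.cloud.azure.com" />
      </operator>
    </operation>
  </operations>
</definition>
"""

# Assumed string semantics (case-insensitive); ESET's real matching is not documented here.
def _match(cond, event):
    actual = str(event.get(cond.get("property"), "")).lower()
    expected = cond.get("value", "").lower()
    op = cond.get("condition")
    if op == "is":
        return actual == expected
    if op == "contains":
        return expected in actual
    if op == "starts":
        return actual.startswith(expected)
    if op == "ends":
        return actual.endswith(expected)
    raise ValueError(f"unknown condition {op!r}")

def _evaluate(node, event):
    # An <operator> combines its children with and/or; a <condition> is a leaf.
    if node.tag == "condition":
        return _match(node, event)
    results = [_evaluate(child, event) for child in node]
    return all(results) if node.get("type", "and").lower() == "and" else any(results)

def excludes(definition_xml, event):
    # True if some <operation> of the event's type has all its operators satisfied.
    root = ET.fromstring(definition_xml)
    return any(all(_evaluate(child, event) for child in op)
               for op in root.iter("operation") if op.get("type") == event["type"])

# Constructed TcpIpConnect events shaped like the trigger text quoted in the thread.
EVENTS = [
    {"type": "TcpIpConnect", "Port": 443, "Hostname": "my.example.cloud.azure.com"},
    {"type": "TcpIpConnect", "Port": 443, "Hostname": "cdn-edge-07.example.cloud.azure.com"},
    {"type": "TcpIpConnect", "Port": 8443, "Hostname": "my.example.cloud.azure.com"},
]
```

Swapping the "ends" condition for `condition="is" value="my.example.cloud.azure.com"` excludes only the first event, which is why a rotating CDN hostname needs "ends" rather than "is".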
