Assistance with Configuring Network-Based Exclusion Rule in ESET Inspect


Macchia

Hi,

I'm fine-tuning exclusion rules in ESET Inspect and need some guidance on specifying a network-related condition. There's an executable in our environment that's connecting to a known and trusted IP address. However, it's being flagged for SSL communication on a non-standard port, which I need to suppress in our detections.

The exclusion rule I'm working with takes the file's LiveGrid reputation into account, and now I want to add a condition that checks for the specific remote IP address it connects to. The current setup of my rule is as follows:
<operation type="TcpIpProtocolIdentified">
    <condition component="Network" property="_________" condition="is" value="13.69.128.10"/>
</operation>

Could you advise on which property of the Network component I should use to correctly filter based on the IP address?

Appreciate your insights!


  • Administrators

Would this work for you?

<operation type="TcpIpConnect">
    <condition component="Network" property="DestinationIpAddressV4" condition="is" value="13.69.128.10"/>
</operation>


  • ESET Staff

Just sharing how I would exclude this. It's super similar to Marcos'. Main difference is that I am using "IpAddressV4" which should work for any networking event. The "DestinationIpAddressV4" may be restricted to Firewall IDS network connections...admittedly, I haven't tested yet.

The operation type of "TcpIpConnect" is for outbound connections, and is my preferred method of restricting to outbound.

If I wanted inbound, I would use the operation type of "TcpIpAccept" instead.

<operations>
    <operation type="TcpIpConnect">
        <operator type="and">
            <condition component="Network" property="IpAddressV4" condition="is" value="13.69.128.10"/>
        </operator>
    </operation>
</operations>


Hi Marcos and JamesR,

Thanks for your clear and helpful guidance. Your insights were valuable.

To ensure I've got everything set up correctly and to potentially aid others on the forum, I'd like to share the complete rule code based on your recommendations:

<process>
  <operator type="AND">
    <condition component="FileItem" property="FileName" condition="is" value="software.exe"/>
    <condition component="LiveGrid" property="Reputation" condition="greaterOrEqual" value="5"/>
  </operator>
</process>
<operations>
  <operation type="TcpIpProtocolIdentified">
    <condition component="Network" property="IpAddressV4" condition="is" value="13.69.128.10"/>
  </operation>
</operations>

Could you please confirm if the above is correctly formulated? If it's all good, it may serve as a useful reference for anyone else working on similar configurations.

Thanks again for your time and support!

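As an added illustration (not code from this thread or from ESET), a small Python model of how the process conditions and the operation-scoped network condition discussed above combine, showing why an outbound-only operation type does not cover an inbound connection to the same address. It assumes a simplified evaluation (all process conditions AND'd; the exclusion applies only to the listed operation type) and wraps the two fragments in a hypothetical <rule> element so they parse as one document.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed rule modelled on the thread; the <rule> wrapper is an assumption, not the vendor's schema.
RULE_XML = """<rule>
  <process>
    <operator type="AND">
      <condition component="FileItem" property="FileName" condition="is" value="software.exe"/>
      <condition component="LiveGrid" property="Reputation" condition="greaterOrEqual" value="5"/>
    </operator>
  </process>
  <operations>
    <operation type="TcpIpConnect">
      <condition component="Network" property="IpAddressV4" condition="is" value="13.69.128.10"/>
    </operation>
  </operations>
</rule>"""

def _condition(cond, event):
    """Evaluate one <condition/> against an event dict keyed by (component, property)."""
    actual = event.get((cond.get("component"), cond.get("property")))
    if actual is None:
        return False
    op, expected = cond.get("condition"), cond.get("value")
    if op == "greaterOrEqual":
        return int(actual) >= int(expected)
    if op != "is":
        raise ValueError(f"unsupported condition type {op!r}")
    if cond.get("property").endswith("IpAddressV4"):  # compare parsed addresses, not raw text
        return ipaddress.ip_address(actual) == ipaddress.ip_address(expected)
    return str(actual).lower() == expected.lower()

def _group(node, event):
    """<operator type="and|or"> combines its children; a bare <condition/> stands alone."""
    if node.tag == "condition":
        return _condition(node, event)
    results = [_group(child, event) for child in node]
    return all(results) if node.get("type", "and").lower() == "and" else any(results)

def exclusion_matches(rule_xml, event):
    """Simplified model: every <process> child holds AND the event's operation type is listed."""
    root = ET.fromstring(rule_xml)
    process = root.find("process")
    if process is not None and not all(_group(c, event) for c in process):
        return False
    return any(op.get("type") == event["operation"] and all(_group(c, event) for c in op)
               for op in root.iter("operation"))

def make_event(operation, ip, reputation="7", name="software.exe"):
    # Constructed sample event in the flat shape the evaluator expects.
    return {"operation": operation, ("FileItem", "FileName"): name,
            ("LiveGrid", "Reputation"): reputation, ("Network", "IpAddressV4"): ip}
```

With this model, an inbound TcpIpAccept from the same trusted address is still not excluded, which is the distinction JamesR draws between TcpIpConnect and TcpIpAccept.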
