Macchia, Posted March 29, 2024

Hi, I'm fine-tuning exclusion rules in ESET Inspect and need some guidance on specifying a network-related condition. There's an executable in our environment that's connecting to a known and trusted IP address. However, it's being flagged for SSL communication on a non-standard port, which I need to suppress in our detections. The exclusion rule I'm working with takes the file's LiveGrid reputation into account, and now I want to add a condition that checks for the specific remote IP address it connects to. The current setup of my rule is as follows:

    <operation type="TcpIpProtocolIdentified">
      <condition component="Network" property="_________" condition="is" value="13.69.128.10"/>
    </operation>

Could you advise on which property of the Network component I should use to correctly filter based on the IP address? Appreciate your insights!
Marcos (Administrators), Posted March 29, 2024

Would this work for you?

    <operation type="TcpIpConnect">
      <condition component="Network" property="DestinationIpAddressV4" condition="is" value="13.69.128.10"/>
    </operation>
JamesR (ESET Staff), Posted March 29, 2024

Just sharing how I would exclude this. It's super similar to Marcos'. The main difference is that I am using "IpAddressV4", which should work for any networking event. The "DestinationIpAddressV4" may be restricted to Firewall IDS network connections... admittedly, I haven't tested yet. The operation type of "TcpIpConnect" is for outbound connections, and is my preferred method of restricting to outbound. If I wanted inbound, I would use the operation type of "TcpIpAccept" instead.

    <operations>
      <operation type="TcpIpConnect">
        <operator type="and">
          <condition component="Network" property="IpAddressV4" condition="is" value="13.69.128.10"/>
        </operator>
      </operation>
    </operations>
Macchia (Author), Posted March 30, 2024

Hi Marcos and JamesR, Thanks for your clear and helpful guidance. Your insights were valuable. To ensure I've got everything set up correctly and to potentially aid others on the forum, I'd like to share the complete rule code based on your recommendations:

    <process>
      <operator type="AND">
        <condition component="FileItem" property="FileName" condition="is" value="software.exe"/>
        <condition component="LiveGrid" property="Reputation" condition="greaterOrEqual" value="5"/>
      </operator>
    </process>
    <operations>
      <operation type="TcpIpProtocolIdentified">
        <condition component="Network" property="IpAddressV4" condition="is" value="13.69.128.10"/>
      </operation>
    </operations>

Could you please confirm if the above is correctly formulated? If it's all good, it may serve as a useful reference for anyone else working on similar configurations. Thanks again for your time and support!
JamesR (ESET Staff), Posted April 1, 2024

Your rule looks good and ready for testing/use.
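As an added example (not code from the thread or from ESET), the following Python script parses the complete rule posted above and reports how narrow the exclusion is: which file name, LiveGrid reputation threshold, operation types and IP addresses it binds to, plus warnings when the IP is malformed or when a FileName or IP condition is missing. It assumes the rule fragments can be wrapped in a single `<rule>` root for parsing, and it only knows the component, property and operation names that appear in this thread.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the complete rule from the thread, wrapped in a
# <rule> root so that it parses as one document (assumption for this check).
RULE_XML = """<rule>
<process>
  <operator type="AND">
    <condition component="FileItem" property="FileName" condition="is" value="software.exe"/>
    <condition component="LiveGrid" property="Reputation" condition="greaterOrEqual" value="5"/>
  </operator>
</process>
<operations>
  <operation type="TcpIpProtocolIdentified">
    <condition component="Network" property="IpAddressV4" condition="is" value="13.69.128.10"/>
  </operation>
</operations>
</rule>"""

# Operation types and IP properties mentioned in the thread; treated as the known set here.
NETWORK_OPERATIONS = {"TcpIpConnect", "TcpIpAccept", "TcpIpProtocolIdentified"}
IP_PROPERTIES = {"IpAddressV4", "DestinationIpAddressV4"}


def review_exclusion(xml_text):
    """Return (summary, warnings) describing what the exclusion rule is scoped to."""
    root = ET.fromstring(xml_text)
    summary = {"file_names": [], "min_reputation": None, "ips": [], "operations": []}
    warnings = []
    for cond in root.iter("condition"):
        comp, prop, value = cond.get("component"), cond.get("property"), cond.get("value")
        if comp == "FileItem" and prop == "FileName":
            summary["file_names"].append(value)
        elif comp == "LiveGrid" and prop == "Reputation":
            summary["min_reputation"] = int(value)
        elif comp == "Network" and prop in IP_PROPERTIES:
            try:
                ip = ipaddress.IPv4Address(value)
            except ValueError:
                warnings.append(f"{value!r} is not a valid IPv4 address")
                continue
            if not ip.is_global:
                warnings.append(f"{value} is not a public address; confirm it is the intended peer")
            summary["ips"].append(str(ip))
    for op in root.iter("operation"):
        summary["operations"].append(op.get("type"))
        if op.get("type") not in NETWORK_OPERATIONS:
            warnings.append(f"operation type {op.get('type')!r} was not discussed in the thread")
    # Without a file name or an IP, the exclusion silences far more than one trusted connection.
    if not summary["file_names"]:
        warnings.append("no FileName condition: exclusion applies to every process")
    if not summary["ips"]:
        warnings.append("no IP condition: exclusion applies to every remote peer")
    return summary, warnings
```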