Jump to content

Assistance with Configuring Network-Based Exclusion Rule in ESET Inspect


Macchia

Recommended Posts

Hi,

I'm fine-tuning exclusion rules in ESET Inspect and need some guidance on specifying a network-related condition. There's an executable in our environment that's connecting to a known and trusted IP address. However, it's being flagged for SSL communication on a non-standard port, which I need to suppress in our detections.

The exclusion rule I'm working with takes the file's LiveGrid reputation into account, and now I want to add a condition that checks for the specific remote IP address it connects to. The current setup of my rule is as follows:
 

<operation type="TcpIpProtocolIdentified">
    <condition component="Network" property="_________" condition="is" value="13.69.128.10"/>
</operation>

Could you advise on which property of the Network component I should use to correctly filter based on the IP address?

Appreciate your insights!

Link to comment
Share on other sites

  • Administrators

Would this work for you?

<operation type="TcpIpConnect">
    <condition component="Network" property="DestinationIpAddressV4" condition="is" value="13.69.128.10"/>
</operation>

 

Link to comment
Share on other sites

  • ESET Staff

Just sharing how I would exclude this.  It super similar to Marcos'.  Main difference is that I am using "IpAddressV4" which should work for any networking event.  The "DestinationIpAddressV4" may be restricted to Firewall IDS network connections...admittedly, I haven't tested yet.

The operation type of "TcpIpConnect" is for outbound connections, and is my preferred method of restricting to outbound.

If I wanted inbound, I would use the operation type of "TcpIpAccept" instead.



 

        <operations>
            <operation type="TcpIpConnect">
                <operator type="and">
                    <condition component="Network" property="IpAddressV4" condition="is" value="13.69.128.10"/>
                </operator>
            </operation>
        </operations>

 

Link to comment
Share on other sites

Hi Marcos and JamesR,

Thanks for your clear and helpful guidance. Your insights were valuable.

To ensure I've got everything set up correctly and to potentially aid others on the forum, I'd like to share the complete rule code based on your recommendations:

<process>
  <operator type="AND">
    <condition component="FileItem" property="FileName" condition="is" value="software.exe"/>
    <condition component="LiveGrid" property="Reputation" condition="greaterOrEqual" value="5"/>
  </operator>
</process>
<operations>
  <operation type="TcpIpProtocolIdentified">
    <condition component="Network" property="IpAddressV4" condition="is" value="13.69.128.10"/>
  </operation>
</operations>

Could you please confirm if the above is correctly formulated? If it's all good, it may serve as a useful reference for anyone else working on similar configurations.

Thanks again for your time and support!

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...