
NIDS Event Suppression using packet_payload

thomas.johnson

New Life Form
Is there some magic or a secret to doing filtering/suppression using packet_payload? The following doesn't seem to work for me.

MAS90\HOME = {4d 00 41 00 53 00 39 00 30 00 5c 00 48 00 4f 00 4d 00 45 00}
MAS90\SOA = {4d 00 41 00 53 00 39 00 30 00 5c 00 73 00 6f 00 61 00}

(packet_type == 'log' AND event_category == 'Suspicious Activity' AND event_subcategory == 'Lateral Movement' AND rep_device_rule_id == 2025709 AND event_name contains 'ET POLICY SMB2' AND (packet_payload contains* '4d 00 41 00 53 00 39 00 30 00 5c 00 48 00 4f 00 4d 00 45 00' OR packet_payload contains* '4d 00 41 00 53 00 39 00 30 00 5c 00 73 00 6f 00 61 00'))

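As an added example (not part of the original post or of the NIDS product), the following Python reproduces the two hex patterns from the rule above by UTF-16LE-encoding the path strings, and models `packet_payload contains* '<hex>'` as a byte-exact containment test against a constructed payload. Because the comparison is on raw bytes, the character case encoded in the pattern has to match what is on the wire; the sample payload layout is an assumption made only to have something to match against.

```python
# Hex byte patterns exactly as they appear in the suppression rule in the post.
RULE_PATTERNS = {
    r"MAS90\HOME": "4d 00 41 00 53 00 39 00 30 00 5c 00 48 00 4f 00 4d 00 45 00",
    r"MAS90\SOA": "4d 00 41 00 53 00 39 00 30 00 5c 00 73 00 6f 00 61 00",
}


def to_payload_hex(text: str) -> str:
    """Encode text as UTF-16LE (the form the post's hex decodes to) as space-separated hex."""
    return " ".join(f"{b:02x}" for b in text.encode("utf-16-le"))


def hex_to_bytes(pattern: str) -> bytes:
    """Turn a space-separated hex pattern back into raw bytes."""
    return bytes.fromhex(pattern.replace(" ", ""))


def decode_pattern(pattern: str) -> str:
    """Show which string a hex pattern actually encodes (useful for sanity-checking a rule)."""
    return hex_to_bytes(pattern).decode("utf-16-le")


def payload_contains(payload: bytes, pattern: str) -> bool:
    """Byte-exact containment check, mirroring `packet_payload contains* '<hex>'`."""
    return hex_to_bytes(pattern) in payload


def suppressed_by_rule(payload: bytes) -> bool:
    """The OR over both patterns from the rule: true if either hex string is in the payload."""
    return any(payload_contains(payload, p) for p in RULE_PATTERNS.values())


def build_sample_payload(path: str) -> bytes:
    """Constructed stand-in for a captured payload: filler bytes around a UTF-16LE path.

    This is NOT a real SMB2 frame; only the embedded path bytes matter for the check.
    """
    return b"\xfeSMB" + b"\x00" * 8 + path.encode("utf-16-le") + b"\x00\x00"


if __name__ == "__main__":
    for name, pattern in RULE_PATTERNS.items():
        print(f"{name!r:16} decodes to {decode_pattern(pattern)!r}")
        print(f"{name!r:16} matches payload for {name!r}: "
              f"{payload_contains(build_sample_payload(name), pattern)}")
```

Running it shows the second pattern decodes to a lowercase `soa`, so a payload carrying `MAS90\SOA` in upper case does not match that pattern byte-for-byte.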