Solved: Rule alerting, but I cant find the rule

lewko98 · ‎09-10-2008

Ok, I am not sure how this is happening but here is my issue. Currently I setup notifications via email alerts whenever a certain rule fires. The issue I am having is that I am getting an e-mail alert for a rule that I cannot find. I am looking under the inspection rule tab, in the All group. I have it set to list 1000 rules, ( even though I dont have that many ) and I am looking at the active and inactive rules and cant find the rule.

The interesting part is in the notification it mentions the status as "edited"

==============================================================

Rule Name: System Rule: Network Activity: Excessive Denies - Host Compromise Likely-Sep 9, 2008 4:23:24 PM EDT Status: Edited

Action: E-mail alert to MarsAdmins Time Range: 0m:05s

Description: This correlation rule detects a large frequency (excess of 10/sec) of denies from a particular host to a particular destination port. This is a typical behavior of a compromised host looking to exploit hosts with a specififc vulnerability.

================================================

Any ideas/comments/advice would be appreciated.

mhellman · ‎09-12-2008

Good to know. I don't suppose you had already tried clicking "activate" as well? I'm just curious.

View solution in original post

mohsin.khan · ‎09-10-2008

Safer way to find the rule is

Query/Reports --> Select Rule and filter your report by rule

By the way, i have 4.3.5 and i can see the rulei in the report..

pls rate helpful posts.

regards,

Mohsin

mhellman · ‎09-11-2008

Maybe it's been to long since I've gotten such an email...but doesn't it include a link to the incident? The incident will include the rule.

FWIW, if it's an edited rule...in the inspection rules tab, change the group to user. It might be easier to find that way.

lewko98 · ‎09-11-2008

mhellman,

you are correct, the link to the incident in the email contains the rule, and that's the rule I cannot find. When on the inspection rule tab, I have checked under user, and couldn't find it, I have also checked under the all group and cant find it.

Its a little frustrating to be alerted by a rule that I cant find. Any idea where else to check?

mhellman · ‎09-11-2008

under inactive? You might also try this...locate the incident in the incident queue (tab). In the rule column, is it "clickable"? If not, that tells you it has been either updated or inactivated. If it is clickable...it should take you to the rule.

lewko98 · ‎09-11-2008

In the incident queue I cannot click on the rule.

On the rule tab under the inactive rules, in the all group, I can find the rule that I duplicated but not the original( example I am looking for "rule a", I cant find it but I can find "rule a - copied: date/ time".

However Nothing on the inactive tab has an action to email notifications, they are all set to none.

I have tried looking at all the rules that are set to notificate me in the active rules, all group, and still cant find it.

I am starting to think that maybe a reboot is in order? Does that make sense?

lewko98 · ‎09-11-2008

mhellman,

thanks for all of your help. However the fix to my issue of this "ghost rule notifications" was a reboot to mars, now I get the right notifications, and no longer see the notification from the unfindable rule. I appreciate your time though.

Maybe this will help in the off chance somebody runs into the same issue,

mhellman · ‎09-12-2008

Good to know. I don't suppose you had already tried clicking "activate" as well? I'm just curious.

lewko98 · ‎09-12-2008

... you know what.. I dont think I did. I didnt think to hit the activate button after saving changes, your probably right!

mhellman · ‎09-12-2008

funny. neither did I. I bet that would have fixed it too. It's such an odd feature.