Ok, I am not sure how this is happening but here is my issue. Currently I setup notifications via email alerts whenever a certain rule fires. The issue I am having is that I am getting an e-mail alert for a rule that I cannot find. I am looking under the inspection rule tab, in the All group. I have it set to list 1000 rules, ( even though I dont have that many ) and I am looking at the active and inactive rules and cant find the rule.
The interesting part is in the notification it mentions the status as "edited"
Rule Name: System Rule: Network Activity: Excessive Denies - Host Compromise Likely-Sep 9, 2008 4:23:24 PM EDT Status: Edited
Action: E-mail alert to MarsAdmins Time Range: 0m:05s
Description: This correlation rule detects a large frequency (excess of 10/sec) of denies from a particular host to a particular destination port. This is a typical behavior of a compromised host looking to exploit hosts with a specififc vulnerability.
Any ideas/comments/advice would be appreciated.
Solved! Go to Solution.
Safer way to find the rule is
Query/Reports --> Select Rule and filter your report by rule
By the way, i have 4.3.5 and i can see the rulei in the report..
pls rate helpful posts.
Maybe it's been to long since I've gotten such an email...but doesn't it include a link to the incident? The incident will include the rule.
FWIW, if it's an edited rule...in the inspection rules tab, change the group to user. It might be easier to find that way.
you are correct, the link to the incident in the email contains the rule, and that's the rule I cannot find. When on the inspection rule tab, I have checked under user, and couldn't find it, I have also checked under the all group and cant find it.
Its a little frustrating to be alerted by a rule that I cant find. Any idea where else to check?
under inactive? You might also try this...locate the incident in the incident queue (tab). In the rule column, is it "clickable"? If not, that tells you it has been either updated or inactivated. If it is clickable...it should take you to the rule.
In the incident queue I cannot click on the rule.
On the rule tab under the inactive rules, in the all group, I can find the rule that I duplicated but not the original( example I am looking for "rule a", I cant find it but I can find "rule a - copied: date/ time".
However Nothing on the inactive tab has an action to email notifications, they are all set to none.
I have tried looking at all the rules that are set to notificate me in the active rules, all group, and still cant find it.
I am starting to think that maybe a reboot is in order? Does that make sense?
thanks for all of your help. However the fix to my issue of this "ghost rule notifications" was a reboot to mars, now I get the right notifications, and no longer see the notification from the unfindable rule. I appreciate your time though.
Maybe this will help in the off chance somebody runs into the same issue,
... you know what.. I dont think I did. I didnt think to hit the activate button after saving changes, your probably right!