Hi,

I'm trying to create a correlation rule that triggers if we see traffic
from a particular subnet to an external IP address.

I've tried creating an Internal_Sub_1 dynamic group using, say,
192.168.0.0/24 as the source subnet, then defining our internal LAN
range in another dynamic group, say Internal_LAN_1, as 10.1.0.0/16, and
then building a rule saying: if you see traffic from Internal_Sub_1 that is
NOT to Internal_LAN_1, fire an alert.

It's not working well. I'm wondering if the dynamic lists can take CIDR
notation, or do you have to list every single IP address? What's the best
approach? Thank you.

Paul


--
rochfordp
------------------------------------------------------------------------
rochfordp's Profile: https://forums.netiq.com/member.php?userid=6749
View this thread: https://forums.netiq.com/showthread.php?t=52225
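The rule logic described in the post (source in Internal_Sub_1 AND destination NOT in Internal_LAN_1), as an added example evaluated with CIDR matching over constructed sample events; this is not Sentinel's rule language or any code from the thread. It assumes Internal_LAN_1 also covers the 192.168.0.0/24 source subnet, because otherwise traffic staying inside that subnet is "not to Internal_LAN_1" and would fire as a false positive.

```python
import ipaddress

# Constructed group definitions (assumed values mirroring the post's question).
INTERNAL_SUB_1 = [ipaddress.ip_network("192.168.0.0/24")]
INTERNAL_LAN_1 = [
    ipaddress.ip_network("10.1.0.0/16"),
    ipaddress.ip_network("192.168.0.0/24"),  # include the source subnet itself
]


def in_any(addr, networks):
    """True if addr falls inside any CIDR block in networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def is_egress_event(src, dst):
    """The rule: source in Internal_Sub_1 AND destination NOT in Internal_LAN_1."""
    return in_any(src, INTERNAL_SUB_1) and not in_any(dst, INTERNAL_LAN_1)


def evaluate(events):
    """Return the (src, dst) pairs that would fire the alert."""
    return [(src, dst) for src, dst in events if is_egress_event(src, dst)]


# Constructed sample events: (source IP, destination IP)
SAMPLE_EVENTS = [
    ("192.168.0.10", "10.1.4.20"),      # watched subnet to internal LAN: no alert
    ("192.168.0.10", "192.168.0.55"),   # stays inside the watched subnet: no alert
    ("192.168.0.10", "203.0.113.7"),    # watched subnet to external address: alert
    ("10.1.2.3", "203.0.113.7"),        # source not in watched subnet: no alert
    ("192.168.0.200", "198.51.100.9"),  # watched subnet to external address: alert
]

if __name__ == "__main__":
    for src, dst in evaluate(SAMPLE_EVENTS):
        print(f"ALERT: {src} -> {dst}")
```

Removing the 192.168.0.0/24 entry from INTERNAL_LAN_1 makes the second sample event fire too, which is the kind of noisy result a rule built from these two groups alone would produce.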