I'm trying to create a correlation rule that triggers if we see traffic
from a particular subnet to an external ip address.

I've tried creating an Internal_Sub_1 dynamic group using say as the source subnet and then defining our internal LAN
range in another dynamic group say Internal_LAN_1 as say and
then build a rule saying if you see traffic from Internal_Sub_1 that is
NOT to Internal_LAN_1 fire a alert.

It's not working well, I'm wondering if the dynamic lists can take CIDR
notation or do you have list every single ip address? Whats the best
aproach, thank you


rochfordp's Profile: https://forums.netiq.com/member.php?userid=6749
View this thread: https://forums.netiq.com/showthread.php?t=52225