I am in a situation here and I need to understand something. We are using the Cisco eStreamer for Splunk app to get results from the IPS.
I have a task where I need to conclude false positives in this fashion:
If src_ip and dst_ip fall within a subnet (cannot disclose here) and/or are part of an internal network, then show it as a false positive. I am not able to understand how exactly I'll craft a search. Any help will be appreciated.
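One way to craft the search the question asks for, written here as an added example that is not part of the original thread or of the eStreamer app itself. It assumes the eStreamer events live in an index called `estreamer` with sourcetype `cisco:estreamer:data`, that the IP fields are named `src_ip` and `dst_ip` as in the question, and that `event_type`, `sid` and `msg` are the fields carrying the event type, signature ID and rule message (all of these are assumptions; confirm your real field names with a quick `| head 5` before relying on them). The three RFC 1918 ranges stand in for the subnets that cannot be disclosed.

```spl
index=estreamer sourcetype="cisco:estreamer:data" event_type=intrusion
    src_ip=* dst_ip=*
| eval src_internal=if(cidrmatch("10.0.0.0/8", src_ip)
                       OR cidrmatch("172.16.0.0/12", src_ip)
                       OR cidrmatch("192.168.0.0/16", src_ip), 1, 0)
| eval dst_internal=if(cidrmatch("10.0.0.0/8", dst_ip)
                       OR cidrmatch("172.16.0.0/12", dst_ip)
                       OR cidrmatch("192.168.0.0/16", dst_ip), 1, 0)
| eval disposition=case(src_internal=1 AND dst_internal=1, "false_positive",
                        src_internal=1 OR dst_internal=1, "review",
                        true(), "external")
| table _time src_ip dst_ip sid msg disposition
```

`cidrmatch("<cidr>", <field>)` is the Splunk eval function that does the subnet test; `case()` is evaluated top to bottom, so an event is labelled `false_positive` only when both ends are internal, `review` when only one is, and `external` otherwise. If the requirement is really "and/or", change the first `AND` to `OR`. Replace the three ranges with your own subnets; once the list grows beyond a handful, keep it in a CSV lookup with `match_type = CIDR(subnet)` in transforms.conf and use `| lookup` against `src_ip` and `dst_ip` instead of repeating the `cidrmatch` calls. Note that this only labels the events in Splunk; it does not stop the sensor from generating them, which is what the correlation-policy and Snort-rule replies below are about.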
Have you looked at the correlation engine to craft a special rule whereby you get a 'Correlation Event' when that occurs? This wouldn't eliminate the underlying false positive but it would create a separate event that you could reference. You could search for both and correlate them in Splunk.
You could also create custom Snort rules, but that would depend on exactly what your criteria are.
From the top menu, right after login, go to Analysis, then Correlation, then Correlation Events. You need to create a Correlation Policy, at least one rule for that policy, and then apply the correlation policy to the device(s) that see the traffic you want to monitor. There is quite a bit to do here if you've never done it. You could call TAC and get help on this. They'll be able to get you through all the details.
On Snort rules, I'm not sure it's the right way. You'd be creating a rule to tell you that a condition occurred, which is what's currently happening already with the false positives.
You could create or edit a policy around the src/dst IPs, somehow excluding them from analysis. But again, I'm not completely sure if this is the right way to go.
This is a lot of downloading for me as I am a newbie in Splunk and still getting my hands on it.
A couple of questions:
How do I look at the correlation engine?
Also, can we create a custom Snort rule in Splunk? If yes, how?
Thanks and Regards.