On 06/04/2013 08:37 AM, termo meter wrote:
> Dear All,
>
> I have a question on how SEC does pattern matching.
>
> For example I have the logs below from my firewall:
>
> 5-23-2013 4:10:03 PM UDP Traffic Received from 10.1.1.1:
> <163>May 23 2011 15:59:45: %ASA-3-10614: Deny inbound icmp src
> outside:10.10.0.63 dst outside:192.168.0.10 (type 8, code 0)
>
> 5-23-2013 4:10:13 PM UDP Traffic Received from 10.1.1.1:
> <163>May 23 2011 15:59:55: %ASA-3-10614: Deny inboundicmp src
> outside:192.168.0.63 dst outside:192.168.0.10 (type 8, code 0)
>
> 5-23-2013 4:10:08 PM UDP Traffic Received from 10.1.1.1:
> <164>May 23 2011 15:59:50: %ASA-4-31305: No matching connection for ICMP
> error message: icmp src inside:10.16.1.17 dst outside:10.10.0.223
>
> 5-23-2013 4:10:08 PM UDP Traffic Received from 10.1.1.1:
> <162>May 23 2011 15:59:50: %ASA-2-10601: Inbound TCP connection denied
> from 10.1.0.62/80 to 192.168.0.11/10585 flags FIN ACK on interface outside
>
> 5-23-2013 4:10:15 PM UDP Traffic Received from 10.1.1.1:
> <162>May 23 2011 15:59:57: %ASA-2-10607: Deny inbound UDP from
> 10.10.51.59/57904 to 192.168.0.10/53 due to DNS Query
>
> Let's say I want to capture only denied logs where the protocol used is icmp,
> and from this IP address 10.10.0.63 only.
>
> When I use this conf:-
>
> type=Single
> ptype=RegExp
> pattern=Deny\s\S+ icmp
> desc=$0
> action=write output.txt $0
>
> it will capture these logs:-
>
> 5-23-2013 4:10:03 PM UDP Traffic Received from 10.1.1.1:
> <163>May 23 2011 15:59:45: %ASA-3-10614: Deny inbound icmp src
> outside:10.10.0.63 dst outside:192.168.0.10 (type 8, code 0)
>
> 5-23-2013 4:10:13 PM UDP Traffic Received from 10.1.1.1:
> <163>May 23 2011 15:59:55: %ASA-3-10614: Deny inboundicmp src
> outside:192.168.0.63 dst outside:192.168.0.10 (type 8, code 0)
>
> How can I set SEC to capture logs only from a specific IP address?
Include the address in your regular expression. Something like (untested):

pattern=Deny\s\S+ icmp.*outside:10\.10\.0\.63

Eric.

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
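As an added example, not part of the thread: the question's ASA messages (constructed here with the syslog prefix dropped and spacing normalised, plus one extra constructed line where 10.10.0.63 is the destination) run through the original pattern, the suggested pattern, and a tighter variant that pins the address to the src field. The `.*` in the suggested pattern spans the whole message, so it also fires when the address is the dst; the `src_only` pattern is an assumption of mine, not from the reply.

```python
import re

# Constructed sample messages modelled on the ASA lines in the question
# (syslog prefix dropped, spacing normalised). The last line is constructed
# to show a deny where 10.10.0.63 is the destination rather than the source.
LOG_LINES = [
    "%ASA-3-10614: Deny inbound icmp src outside:10.10.0.63 dst outside:192.168.0.10 (type 8, code 0)",
    "%ASA-3-10614: Deny inbound icmp src outside:192.168.0.63 dst outside:192.168.0.10 (type 8, code 0)",
    "%ASA-4-31305: No matching connection for ICMP error message: icmp src inside:10.16.1.17 dst outside:10.10.0.223",
    "%ASA-2-10601: Inbound TCP connection denied from 10.1.0.62/80 to 192.168.0.11/10585 flags FIN ACK on interface outside",
    "%ASA-2-10607: Deny inbound UDP from 10.10.51.59/57904 to 192.168.0.10/53 due to DNS Query",
    "%ASA-3-10614: Deny inbound icmp src outside:192.168.0.77 dst outside:10.10.0.63 (type 0, code 0)",
]

# The patterns, written as they would appear after "pattern=" in a ptype=RegExp rule.
PATTERNS = {
    # the question's original rule: any denied icmp message
    "original": r"Deny\s\S+ icmp",
    # the reply's suggestion: same, but the line must also mention the address
    "reply": r"Deny\s\S+ icmp.*outside:10\.10\.0\.63",
    # tightened variant (assumption, not from the thread): the address must be
    # the src field, and \b keeps 10.10.0.63 from matching as a prefix of a
    # longer digit run
    "src_only": r"Deny\s\S+ icmp src \S+:10\.10\.0\.63\b",
}


def matching_lines(pattern, lines=LOG_LINES):
    """Return the indexes of the lines the pattern matches (unanchored search, as SEC does)."""
    rx = re.compile(pattern)
    return [i for i, line in enumerate(lines) if rx.search(line)]


if __name__ == "__main__":
    for name, pattern in PATTERNS.items():
        print(f"{name:9s} -> lines {matching_lines(pattern)}")
```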