Hi Eric,
Thank you,
I edited the pattern a bit, like this:
Deny\s\S+ icmp\s\S+ outside:10\.10\.0\.63
It works.
--- On Tue, 4/6/13, Eric V. Smith <e...@trueblade.com> wrote:
From: Eric V. Smith <e...@trueblade.com>
Subject: Re: [Simple-evcorr-users] Pattern matching in SEC
To: simple-evcorr-users@lists.sourceforge.net
Date: Tuesday, 4 June, 2013, 5:49 AM
On 06/04/2013 08:37 AM, termo meter wrote:
> Dear All,
>
> I have a question on how SEC does pattern matching.
>
> For example, I have the logs below from my firewall:
>
> 5-23-2013 4:10:03 PM UDP Traffic Received from 10.1.1.1:
> <163>May 23 2011 15:59:45: %ASA-3-10614: Deny inbound icmp src
> outside:10.10.0.63 dst outside:192.168.0.10 (type 8, code 0)
>
> 5-23-2013 4:10:13 PM UDP Traffic Received from 10.1.1.1:
> <163>May 23 2011 15:59:55: %ASA-3-10614: Deny inboundicmp src
> outside:192.168.0.63 dst outside:192.168.0.10 (type 8, code 0)
>
> 5-23-2013 4:10:08 PM UDP Traffic Received from 10.1.1.1:
> <164>May 23 2011 15:59:50: %ASA-4-31305: No matching connection for ICMP
> error message: icmp src inside:10.16.1.17 dst outside:10.10.0.223
>
> 5-23-2013 4:10:08 PM UDP Traffic Received from 10.1.1.1:
> <162>May 23 2011 15:59:50: %ASA-2-10601: Inbound TCP connection denied
> from 10.1.0.62/80 to 192.168.0.11/10585 flags FIN ACK on interface outside
>
> 5-23-2013 4:10:15 PM UDP Traffic Received from 10.1.1.1:
> <162>May 23 2011 15:59:57: %ASA-2-10607: Deny inbound UDP from
> 10.10.51.59/57904 to 192.168.0.10/53 due to DNS Query
>
> Let's say I want to capture only denied logs, protocol icmp, and from
> this IP address 10.10.0.63 only.
>
> When I use this conf:
>
> type=Single
> ptype=RegExp
> pattern=Deny\s\S+ icmp
> desc=$0
> action=write output.txt $0
>
> it will capture these logs:
>
> 5-23-2013 4:10:03 PM UDP Traffic Received from 10.1.1.1:
> <163>May 23 2011 15:59:45: %ASA-3-10614: Deny inbound icmp src
> outside:10.10.0.63 dst outside:192.168.0.10 (type 8, code 0)
>
> 5-23-2013 4:10:13 PM UDP Traffic Received from 10.1.1.1:
> <163>May 23 2011 15:59:55: %ASA-3-10614: Deny inboundicmp src
> outside:192.168.0.63 dst outside:192.168.0.10 (type 8, code 0)
>
> How can I set SEC to capture logs only from a specific IP address?
Include the address in your regular expression. Something like (untested):
pattern=Deny\s\S+ icmp.*outside:10\.10\.0\.63
Eric.
------------------------------------------------------------------------------
How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations
2. Dashboards that offer high-level views of enterprise services
3. A single system of record for all IT processes
http://p.sf.net/sfu/servicenow-d2d-j
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
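The three patterns in this thread behave differently on the quoted firewall messages, and the difference matters when the rule feeds an alert. The script below is an added example, not code from the thread or from SEC itself; it replays the original pattern, Eric's `.*` version and the final `\s\S+` version against sample lines constructed from the quoted log (each syslog message joined back onto one line, as SEC would read it, and the quoted mail's "inboundicmp" assumed to be a wrapping typo for "inbound icmp"), plus one constructed extra line where 10.10.0.63 is the destination rather than the source.

```python
import re

# Constructed sample lines, assembled from the log excerpts quoted in the thread.
# A real syslog feed delivers each firewall message as one line; the mail client
# wrapped them. The last line is constructed to show the host as *destination*.
SAMPLE_LOGS = [
    "<163>May 23 2011 15:59:45: %ASA-3-10614: Deny inbound icmp src outside:10.10.0.63 dst outside:192.168.0.10 (type 8, code 0)",
    "<163>May 23 2011 15:59:55: %ASA-3-10614: Deny inbound icmp src outside:192.168.0.63 dst outside:192.168.0.10 (type 8, code 0)",
    "<164>May 23 2011 15:59:50: %ASA-4-31305: No matching connection for ICMP error message: icmp src inside:10.16.1.17 dst outside:10.10.0.223",
    "<162>May 23 2011 15:59:50: %ASA-2-10601: Inbound TCP connection denied from 10.1.0.62/80 to 192.168.0.11/10585 flags FIN ACK on interface outside",
    "<162>May 23 2011 15:59:57: %ASA-2-10607: Deny inbound UDP from 10.10.51.59/57904 to 192.168.0.10/53 due to DNS Query",
    # constructed: same address, but as dst rather than src
    "<163>May 23 2011 16:00:01: %ASA-3-10614: Deny inbound icmp src outside:192.168.0.77 dst outside:10.10.0.63 (type 8, code 0)",
]

# The three patterns as they appear in the thread (SEC ptype=RegExp uses Perl
# regex syntax; for these patterns Python's re behaves identically).
PATTERNS = {
    "original": r"Deny\s\S+ icmp",
    "eric":     r"Deny\s\S+ icmp.*outside:10\.10\.0\.63",
    "final":    r"Deny\s\S+ icmp\s\S+ outside:10\.10\.0\.63",
}


def matching_lines(pattern, lines=SAMPLE_LOGS):
    """Indices of lines a SEC RegExp rule with this pattern would fire on.

    SEC applies the pattern as an unanchored search over each input line,
    which re.search reproduces.
    """
    rx = re.compile(pattern)
    return [i for i, line in enumerate(lines) if rx.search(line)]


def compare_patterns(lines=SAMPLE_LOGS):
    """Map each pattern name to the line indices it matches."""
    return {name: matching_lines(p, lines) for name, p in PATTERNS.items()}


if __name__ == "__main__":
    for name, hits in compare_patterns().items():
        print(f"{name:9s} -> matches lines {hits}")
```

The `.*` version matches any denied ICMP line that mentions 10.10.0.63 anywhere after "icmp", including the constructed line where it is the destination; the `\s\S+ outside:` version matches only when the address directly follows `src`, which is what the original question asked for. Neither pattern is anchored at the end of the address, so if the rule must also reject longer strings with the same prefix, append a boundary such as `(?!\d)` after `63`.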