You'll need to add them to the regex, something like: 10\.10\.0\.63|10\.10\.0\.64
But this is just normal Perl regular expression stuff, unrelated to SEC. There are plenty of resources on the web that could provide better help than I can. I'm not much of a Perl guy.

Eric.

On 06/04/2013 10:06 AM, termo meter wrote:
> Hi Eric,
> Just want to know, what if I have a list of IP addresses to monitor. Is it
> possible?
>
> --- On Tue, 4/6/13, termo meter <termo_me...@yahoo.com> wrote:
>
> From: termo meter <termo_me...@yahoo.com>
> Subject: Re: [Simple-evcorr-users] Pattern matching in SEC
> To: simple-evcorr-users@lists.sourceforge.net, "Eric V. Smith" <e...@trueblade.com>
> Date: Tuesday, 4 June, 2013, 6:42 AM
>
> Hi Eric,
>
> Thank you,
>
> I edited the pattern a bit, like this
>
> Deny\s\S+ icmp\s\S+ outside:10\.10\.0\.63
>
> it works
>
> --- On Tue, 4/6/13, Eric V. Smith <e...@trueblade.com> wrote:
>
> From: Eric V. Smith <e...@trueblade.com>
> Subject: Re: [Simple-evcorr-users] Pattern matching in SEC
> To: simple-evcorr-users@lists.sourceforge.net
> Date: Tuesday, 4 June, 2013, 5:49 AM
>
> On 06/04/2013 08:37 AM, termo meter wrote:
> > Dear All,
> >
> > I have a question on how SEC does pattern matching.
> >
> > For example, I have the logs below from my firewall:
> >
> > 5-23-2013 4:10:03 PM UDP Traffic Received from 10.1.1.1:
> > <163>May 23 2011 15:59:45: %ASA-3-10614: Deny inbound icmp src
> > outside:10.10.0.63 dst outside:192.168.0.10 (type 8, code 0)
> >
> > 5-23-2013 4:10:13 PM UDP Traffic Received from 10.1.1.1:
> > <163>May 23 2011 15:59:55: %ASA-3-10614: Deny inbound icmp src
> > outside:192.168.0.63 dst outside:192.168.0.10 (type 8, code 0)
> >
> > 5-23-2013 4:10:08 PM UDP Traffic Received from 10.1.1.1:
> > <164>May 23 2011 15:59:50: %ASA-4-31305: No matching connection for ICMP
> > error message: icmp src inside:10.16.1.17 dst outside:10.10.0.223
> >
> > 5-23-2013 4:10:08 PM UDP Traffic Received from 10.1.1.1:
> > <162>May 23 2011 15:59:50: %ASA-2-10601: Inbound TCP connection denied
> > from 10.1.0.62/80 to 192.168.0.11/10585 flags FIN ACK on interface outside
> >
> > 5-23-2013 4:10:15 PM UDP Traffic Received from 10.1.1.1:
> > <162>May 23 2011 15:59:57: %ASA-2-10607: Deny inbound UDP from
> > 10.10.51.59/57904 to 192.168.0.10/53 due to DNS Query
> >
> > Let's say I want to capture only denied logs, protocol ICMP, and from
> > this IP address 10.10.0.63 only.
> >
> > When I use this conf:-
> >
> > type=Single
> > ptype=RegExp
> > pattern=Deny\s\S+ icmp
> > desc=$0
> > action=write output.txt $0
> >
> > it will capture these logs:-
> >
> > 5-23-2013 4:10:03 PM UDP Traffic Received from 10.1.1.1:
> > <163>May 23 2011 15:59:45: %ASA-3-10614: Deny inbound icmp src
> > outside:10.10.0.63 dst outside:192.168.0.10 (type 8, code 0)
> >
> > 5-23-2013 4:10:13 PM UDP Traffic Received from 10.1.1.1:
> > <163>May 23 2011 15:59:55: %ASA-3-10614: Deny inbound icmp src
> > outside:192.168.0.63 dst outside:192.168.0.10 (type 8, code 0)
> >
> > How can I set SEC to capture logs only from specific IP addresses?
>
> Include the address in your regular expression. Something like
> (untested):
>
> pattern=Deny\s\S+ icmp.*outside:10\.10\.0\.63
>
> Eric.
>
> ------------------------------------------------------------------------------
> How ServiceNow helps IT people transform IT departments:
> 1. A cloud service to automate IT design, transition and operations
> 2. Dashboards that offer high-level views of enterprise services
> 3. A single system of record for all IT processes
> http://p.sf.net/sfu/servicenow-d2d-j
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
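As an added example (not part of the thread, and not code from the SEC project), the script below runs the two candidate patterns over constructed ASA-style lines modelled on the ones quoted above, using Python's `re` module, which accepts this subset of Perl regex syntax unchanged. It shows why the alternation Eric suggests has to be wrapped in parentheses: `|` has the lowest precedence, so an ungrouped `...outside:10\.10\.0\.63|10\.10\.0\.64` is really two patterns, and the second one matches the bare address anywhere, Deny or not. It also anchors the match to `src outside:` so the rule does not fire when a watched address is the destination, and it goes one step beyond the thread by generating the rule from a list of addresses. The sample lines, `build_pattern`, `sec_rule` and the `desc=` wording are my own assumptions.

```python
import re

# Constructed sample events, modelled on the ASA syslog lines quoted in the
# thread (one event per line, the way SEC reads them from a log file).
SAMPLE_LINES = [
    "<163>May 23 2011 15:59:45: %ASA-3-10614: Deny inbound icmp src outside:10.10.0.63 dst outside:192.168.0.10 (type 8, code 0)",
    "<163>May 23 2011 15:59:55: %ASA-3-10614: Deny inbound icmp src outside:192.168.0.63 dst outside:192.168.0.10 (type 8, code 0)",
    "<163>May 23 2011 15:59:56: %ASA-3-10614: Deny inbound icmp src outside:10.10.0.64 dst outside:192.168.0.10 (type 8, code 0)",
    # Watched address appears only as the destination: a source filter must skip it.
    "<163>May 23 2011 15:59:57: %ASA-3-10614: Deny inbound icmp src outside:192.168.0.77 dst outside:10.10.0.63 (type 8, code 0)",
    # Not an ICMP deny, but contains a watched address: must not match either.
    "<162>May 23 2011 15:59:57: %ASA-2-10607: Deny inbound UDP from 10.10.0.64/57904 to 192.168.0.10/53 due to DNS Query",
    "<164>May 23 2011 15:59:50: %ASA-4-31305: No matching connection for ICMP error message: icmp src inside:10.16.1.17 dst outside:10.10.0.223",
]

WATCHED = ["10.10.0.63", "10.10.0.64"]   # the list of addresses to monitor


def naive_pattern(addrs):
    """Alternation appended to the suggested pattern without parentheses.

    '|' has the lowest precedence in Perl and Python regexes, so everything
    after the first '|' becomes a separate alternative that matches the bare
    address anywhere in the line, with no Deny/icmp context at all.
    """
    return r"Deny\s\S+ icmp.*outside:" + "|".join(re.escape(a) for a in addrs)


def build_pattern(addrs):
    """Escaped and grouped alternation, anchored to the 'src outside:' field.

    The trailing negative lookahead for a digit keeps 10.10.0.63 from also
    matching 10.10.0.630. The capture group exposes the address to SEC as $1.
    """
    alts = "|".join(re.escape(a) for a in addrs)
    return r"Deny\s+\S+\s+icmp\s+src\s+outside:(" + alts + r")(?!\d)"


def matching_lines(pattern, lines):
    """Return the lines that SEC's ptype=RegExp test would accept."""
    rx = re.compile(pattern)
    return [ln for ln in lines if rx.search(ln)]


def matched_sources(pattern, lines):
    """Return the captured source address ($1 in SEC) for each matching line."""
    rx = re.compile(pattern)
    out = []
    for ln in lines:
        m = rx.search(ln)
        if m and m.lastindex:
            out.append(m.group(1))
    return out


def sec_rule(addrs, output="output.txt"):
    """Render the equivalent SEC Single rule (desc text is a hypothetical choice)."""
    return "\n".join([
        "type=Single",
        "ptype=RegExp",
        "pattern=" + build_pattern(addrs),
        "desc=ICMP deny from watched source $1",
        "action=write " + output + " $0",
    ])


if __name__ == "__main__":
    for name, pat in (("naive", naive_pattern(WATCHED)),
                      ("grouped", build_pattern(WATCHED))):
        print(name, pat)
        for ln in matching_lines(pat, SAMPLE_LINES):
            print("  matched:", ln[:72])
    print(sec_rule(WATCHED))
```

Run stand-alone, the naive pattern picks up four of the six lines, including the UDP deny and the line where 10.10.0.63 is only the destination; the grouped, `src`-anchored pattern picks up exactly the two ICMP denies from the watched sources. The rendered rule pastes straight into a SEC configuration file: SEC hands `pattern=` to Perl, where the grouping and the `(?!\d)` lookahead behave the same way, and `$1` in `desc=` is the captured source address.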