Syslog rule help required

2020

OK, it's probably simple and i'm missing the obvious but i'm tearing my hair out trying to get a Syslog rule to work!

An example of one of the messages sent by our firewall is :

quote:date=2005-06-06 time=09:25:14 device_id=FGT0000000000000 log_id=0023013001 type=traffic subtype=violation pri=notice vd=root SN=85289080 duration=0 policyid=184 proto=17 service=137/udp status=deny src=10.98.4.20 srcname=10.98.4.20 dst=10.25.10.15 dstname=10.25.10.15 src_int=port3 dst_int=internal sent=0 rcvd=0 src_port=137 dst_port=137 vpn=n/a tran_ip=0.0.0.0 tran_port=0

The rule i'm trying to implement is drop all traffic from source 10.22. with dest port 137.

I've created a rule to drop all messages that match*src=10.22*.*dst_port=137*.

Basically, our Orion site still shows these messages which suggests they're not being dropped.
If i use the Syslog viewer on the box and search for messages using the above criteria, it returns just these messages which would suggest my syntax to match this message is correct.

Any help appreciated.

Find more posts tagged with

Accepted answers

All comments

Isaac

Hi 2020,

First off this sounds as if it is a firewall support question rather than an Orion support question. That means you are breaking the sanctity of the forum and will be punished by the SW gods.

Now on to your question. Without knowing what type of firewall you are running it is fairly difficult to quess at a solution that will prevent traffic from 10.22.0.0 /16 to destination port 137. If you could provide that detail I am certain someone will be able to give you a hand.

Be fantastic.

2020

I read the post back and maybe didnt phrase it correctly (ok, pretty poorly)...

quote:The rule i'm trying to implement is drop all traffic from source 10.22. with dest port 137.

What i meant to write was, i'm trying to implement a rule to drop all syslog messages that containing src=10.22 and dst_port=137.

The long and short of it is out firewall is logging 10000's of messages as we deny port 137 between our internal LAN and DMZ's. I can't turn down the logging on the firewall otherwise we will miss messages that may be of importance....we just need to drop any messages related to port 137 traffic from our LAN.

Hopefully this is clearer!

Just checking to be sure here.

The sample packet you gave will not match the pattern match you gave. In the sample packet, the src=10.98, but in your like pattern you say that you are wanting src=10.22.

Have you tried *src=10.*dst_port=137* as your match pattern?

BK
Nobody Special

2020

Apologies again...

The particular syslog message i posted did contain src=10.98 and i mentioned 10.22.
I have 2 rules, one for 10.98 and one for 10.22. I can't use 10. as there are other 10. subnets which we don't want to exclude. I actually use 2 rules, one for 10.98 and one for 10.22

I'm sure i did initially try *src=10.22*dst_port=137* and *src=10.98*dst_port=137* without luck. I will try it again and report back.

Is it possible that due to the pure amount of messages received, the Syslog server can't process them all with expression checking? The Syslog server receives around 50 messages per second.

2020

Just tried using the rule suggested by BK, and we're still logging messages with source 10.98 and 10.22 with dest port of 137.

2020

Spoke to support today and looks like a possible bug in the 7.7 Syslog program.

Went through a few things and still no filter working. Was sent an updated version and hey presto..works a treat.

Thanks to Eric at SW support!

KennyLamb

We are getting the same issue with Syslog 7.7.5, can you please advise how we can get the updated version which processes Syslog rules?

KennyLamb

All OK - sorted our Syslog issues....

mgibson

I have set a rule up a rule on my firewall to deny traffic
"Same Source, destination IP +1 and port 135". What this is, is blaster.
I have set a rule in Orion Syslog if there are 10 matches in 6 hours send email.Does anyone know the syntax for a rule like this "where Dest IP +1 and port 135"? This match rule in syslog lets me know when this is occurring, however it must be double checked and is not always right. Would like a more difinitive rule.

Apr 08 2006 23:17:17: %PIX-4-106023: Deny tcp src inside:10.x.x.253/3993 dst outside:10.x.x.255/135 by access-group
Apr 08 2006 23:17:17: %PIX-4-106023: Deny tcp src inside:10.x.x.252/3992 dst outside:10.x.x.254/135 by access-group
Apr 08 2006 23:17:17: %PIX-4-106023: Deny tcp src inside:10.x.x.251/3991 dst outside:10.x.x.253/135 by access-group
Apr 08 2006 23:17:17: %PIX-4-106023: Deny tcp src inside:10.x.x.250/3990 dst outside:10.x.x.252/135 by access-group
Apr 08 2006 23:17:17: %PIX-4-106023: Deny tcp src inside:10.x.x.249/3989 dst outside:10.x.x.251/135 by access-group
Apr 08 2006 23:17:17: %PIX-4-106023: Deny tcp src inside:10.x.x.248/3988 dst outside:10.x.x.250/135 by access-group