
Message filter on a source ip in Real time

FormerMember

I am trying to apply a filter on the syslog messages I am receiving from a firewall for any kind of Denied traffic. For this, I am required to apply a counter of 100 to denied messages from a specific source IP in real time. Since there are a lot of denied messages from several IPs, the counter can be reached easily and trigger the action, which is of no use. I want to track the count for a matching source IP inside the message content.

Is there any expression I can use to match a string pattern at a specific location again and again to increase the counter?

Thank you in advance for your valuable input.

  • FormerMember

    Guys, is there anyone who has any idea about filtering logs based on a specific string? (like an IP or username)

  • oss,

    I've got to strip out some specifics, but I have a script that does something similar to what you're looking for. I just get an hourly report on it instead of acting on it, but it's still collecting the same data you're looking for. It's not going to help you much unless you're comfortable scripting, because you'll need to specifically parse out your firewall's syslog message and get the source IP address (and/or destination IP) in order to track different counters.

    I'm currently just logging it by source, destination and port combination and tracking the top 20 offenders every hour. So you may want to change exactly what's being parsed out of your message as well. I'm not looking for port scanning and things of that nature here because I'm looking for them elsewhere; here I'm just looking for potential problems, access list errors, potential infections, etc.

    So my report table looks like this:

    +-----------------------------------------------------+
    |        Top 20 Denied Connection Attempts            |
    +------------------------------------------+----------+
    | 1.1.1.1 - 2.2.2.2 - udp53                | 47       |
    | 111.111.111.111 - 22.22.22.22 - icmp     | 18       |
    +------------------------------------------+----------+

    EDIT:

    Ah here are the relevant bits of the script, the first part I can only provide partially because it goes in the script you'll have to use to parse your firewall messages:

    With Dictionaries
        DenyKey = SourceIP & " - " & DestIP & " - " & Service    ' one counter per src/dst/service combination
        If .Exists("DenyMessage") Then                           ' dictionary already created?
            If .ItemExists("DenyMessage", DenyKey) Then          ' seen this combination before?
                cnt = .GetItem("DenyMessage", DenyKey)
                .StoreItem "DenyMessage", DenyKey, CStr(cnt + 1) ' increment the stored count
            Else
                .StoreItem "DenyMessage", DenyKey, "1"           ' first hit for this combination
            End If
        Else
            .StoreItem "DenyMessage", DenyKey, "1"               ' first hit of all; creates the dictionary
        End If
    End With

    What you would want to do in addition to increasing cnt on line 6 is check it against your threshold and, if it's greater, you can set up a procedure call to e-mail you right there.
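The keyed-counter approach from this reply, written out as an added Python example that is not code from the thread or from Kiwi Syslog: the sample deny lines and their format are constructed, and DENY_RE must be adapted to the real firewall's message layout. It counts per source IP (what the question asks for) or per source/destination/service (the reply's report key), and records an alert once, at the moment a key reaches the threshold.

```python
import re
from collections import Counter

# Constructed sample messages in a made-up deny format; not taken from any real firewall.
SAMPLE_LOG = """\
<164>Jan 12 10:00:01 fw1 Deny tcp src 198.51.100.7:51234 dst 10.0.0.5:22
<164>Jan 12 10:00:02 fw1 Deny udp src 203.0.113.9:40000 dst 10.0.0.53:53
<164>Jan 12 10:00:02 fw1 Deny tcp src 198.51.100.7:51235 dst 10.0.0.5:22
<166>Jan 12 10:00:03 fw1 Accept tcp src 192.0.2.4:60000 dst 10.0.0.5:443
<164>Jan 12 10:00:04 fw1 Deny tcp src 198.51.100.7:51236 dst 10.0.0.5:23
"""

# Adapt this pattern to your firewall's deny message; only the named groups are used below.
DENY_RE = re.compile(
    r"Deny\s+(?P<proto>\w+)\s+src\s+(?P<src>[\d.]+):\d+\s+dst\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def deny_key(line, by="src"):
    """Return the counter key for a deny line, or None for anything that is not a deny.

    by="src"   -> key on the source IP alone (per-source threshold, as asked in the question)
    by="tuple" -> key on "src - dst - service", the same shape as the reply's report table
    """
    m = DENY_RE.search(line)
    if m is None:
        return None
    if by == "src":
        return m["src"]
    return f"{m['src']} - {m['dst']} - {m['proto']}{m['dport']}"


def count_denies(lines, threshold, by="src"):
    """Process lines in arrival order, like a real-time filter would.

    Returns (counts, alerts): counts maps key -> number of denies, alerts lists each key
    once, appended at the moment its count reaches threshold (so the action fires only
    for that key, not because the overall volume of denies is high).
    """
    counts = Counter()
    alerts = []
    for line in lines:
        key = deny_key(line, by)
        if key is None:
            continue
        counts[key] += 1
        if counts[key] == threshold:
            alerts.append(key)
    return counts, alerts


def top_offenders(counts, n=20):
    """The reply's hourly 'Top N' view: [(key, count), ...] sorted by count, descending."""
    return counts.most_common(n)
```

With threshold=100 as in the question, the same loop fires only for a source IP that has itself produced 100 denies, while the global total is ignored.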

  • Oss.rk,

    Did you ever get what you needed here? Is there anything else I can do to help?