topic Re: Track Event Action Filter actions in Network Security

Track Event Action Filter actions

johan.kellerman — Sun, 10 Mar 2019 11:51:35 GMT

I would like to track if an ‘event action filter’ triggers.

A filter that removes all actions from an event effectively consumes the event.

But can I track if an ‘event action filter’ triggers (cli command, debug)?

Johan Kellerman

Re: Track Event Action Filter actions

andrey.dugin — Wed, 13 Jan 2010 13:47:35 GMT

You may use CLI command:

show statistics virtual-sensor | begin SigEvent Action Filter

Output will be as follow:

      SigEvent Action Filter Stage Statistics
         Number of Alerts received to Action Filter Processor = 0
         Number of Alerts where an action was filtered = 591910
         Number of Filter Line matches = 591910
         Number of Filter Line matches causing decreased DenyPercentage = 0
         Actions Filtered
            deny-attacker-inline = 0
            deny-attacker-victim-pair-inline = 0
            deny-attacker-service-pair-inline = 0
            deny-connection-inline = 0
            deny-packet-inline = 0
            modify-packet-inline = 0
            log-attacker-packets = 0
            log-pair-packets = 0
            log-victim-packets = 0
            produce-alert = 7307
            produce-verbose-alert = 584603
            request-block-connection = 0
            request-block-host = 0
            request-snmp-trap = 0
            reset-tcp-connection = 0
            request-rate-limit = 0
         Filter Hit Counts
            3 = 92797
            4 = 488830
            5 = 7307
            6 = 2976

Re: Track Event Action Filter actions

johan.kellerman — Thu, 14 Jan 2010 15:25:15 GMT

Thanks!

But how do I know which filter the filternumber refers to?

Filter Hit Counts
            18 = 18
            19 = 7
            4 = 18499
            6 = 8
            7 = 10
            9 = 2

Johan

Re: Track Event Action Filter actions

andrey.dugin — Thu, 14 Jan 2010 15:43:00 GMT

I am not sure up to 100% but I think that it is the number of filter in set. You may understand the sequence by command:

show configuration | begin filters move

filters move aaa begin
filters move bbb after aaa
filters move ccc after bbb
filters move ddd after ccc
filters move eee after ddd
filters move fff after eee

and can see the order. You may check the dependencies.