01-13-2010 05:13 AM - edited 03-10-2019 04:51 AM
Hi
I would like to track if an ‘event action filter’ triggers.
A filter that removes all actions from an event effectively consumes the event.
But can I track if an ‘event action filter’ triggers (cli command, debug)?
Br
Johan Kellerman
01-14-2010 07:43 AM
I am not 100% sure, but I think that it is the number of the filter in the set. You may understand the sequence with the command:
show configuration | begin filters move
filters move aaa begin
filters move bbb after aaa
filters move ccc after bbb
filters move ddd after ccc
filters move eee after ddd
filters move fff after eee
and see the order. You may check the dependencies.
01-13-2010 05:47 AM
You may use the CLI command:
show statistics virtual-sensor | begin SigEvent Action Filter
The output will be as follows:
SigEvent Action Filter Stage Statistics
Number of Alerts received to Action Filter Processor = 0
Number of Alerts where an action was filtered = 591910
Number of Filter Line matches = 591910
Number of Filter Line matches causing decreased DenyPercentage = 0
Actions Filtered
deny-attacker-inline = 0
deny-attacker-victim-pair-inline = 0
deny-attacker-service-pair-inline = 0
deny-connection-inline = 0
deny-packet-inline = 0
modify-packet-inline = 0
log-attacker-packets = 0
log-pair-packets = 0
log-victim-packets = 0
produce-alert = 7307
produce-verbose-alert = 584603
request-block-connection = 0
request-block-host = 0
request-snmp-trap = 0
reset-tcp-connection = 0
request-rate-limit = 0
Filter Hit Counts
3 = 92797
4 = 488830
5 = 7307
6 = 2976
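The reply above shows the raw "Filter Hit Counts" block, and the accepted answer suggests (without being certain) that each number is the position of a filter in the ordered set printed by "show configuration | begin filters move". The following script is an added example, not code from the thread or from Cisco: it replays the "filters move" lines (only the "begin" and "after <name>" forms shown in the thread) to rebuild the order, parses the hit-count block, and joins the two on that assumed 1-based position. Any hit-count number that falls outside the configured set is reported separately, which is the practical check that the position assumption holds on a given sensor. Both sample outputs are constructed.

```python
"""Correlate IPS 'Filter Hit Counts' with event action filter names.

Added example, not from the thread or from Cisco. Assumption (as the accepted
answer suggests but does not confirm): the number in 'Filter Hit Counts' is the
1-based position of the filter in the set ordered by 'filters move' lines.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of 'show configuration | begin filters move' output.
SAMPLE_CONFIG = """\
filters move aaa begin
filters move bbb after aaa
filters move ccc after bbb
filters move ddd after ccc
filters move eee after ddd
filters move fff after eee
"""

# Constructed sample of the relevant part of 'show statistics virtual-sensor'.
SAMPLE_STATS = """\
SigEvent Action Filter Stage Statistics
   Number of Alerts received to Action Filter Processor = 0
   Number of Alerts where an action was filtered = 591910
   Number of Filter Line matches = 591910
   Actions Filtered
      produce-alert = 7307
      produce-verbose-alert = 584603
   Filter Hit Counts
      3 = 92797
      4 = 488830
      5 = 7307
      6 = 2976
"""

# Only the two forms that appear in the thread: 'begin' and 'after <name>'.
MOVE_RE = re.compile(r"^\s*filters move (\S+) (begin|after \S+)\s*$")


def filter_order(config_text: str) -> List[str]:
    """Replay 'filters move' lines in order to rebuild the ordered filter set."""
    order: List[str] = []
    for line in config_text.splitlines():
        m = MOVE_RE.match(line)
        if not m:
            continue
        name, where = m.groups()
        if name in order:          # a later move relocates an existing filter
            order.remove(name)
        if where == "begin":
            order.insert(0, name)
        else:
            anchor = where.split()[1]
            if anchor in order:
                order.insert(order.index(anchor) + 1, name)
            else:                  # anchor not seen yet: keep relative order
                order.append(name)
    return order


def filter_hit_counts(stats_text: str) -> Dict[int, int]:
    """Extract 'N = count' lines that follow the 'Filter Hit Counts' header."""
    counts: Dict[int, int] = {}
    in_block = False
    for line in stats_text.splitlines():
        stripped = line.strip()
        if stripped == "Filter Hit Counts":
            in_block = True
            continue
        if not in_block:
            continue
        m = re.match(r"^(\d+) = (\d+)$", stripped)
        if not m:
            break                  # first non-matching line ends the block
        counts[int(m.group(1))] = int(m.group(2))
    return counts


def correlate(config_text: str, stats_text: str) -> Tuple[Dict[str, int], Dict[int, int]]:
    """Map hit counts to filter names by assumed 1-based position.

    Returns (named, unresolved). 'unresolved' holds numbers that do not fall
    inside the configured set; a non-empty result means the position
    assumption does not describe this sensor and the mapping must be checked
    another way.
    """
    order = filter_order(config_text)
    named: Dict[str, int] = {}
    unresolved: Dict[int, int] = {}
    for number, hits in filter_hit_counts(stats_text).items():
        if 1 <= number <= len(order):
            named[order[number - 1]] = hits
        else:
            unresolved[number] = hits
    return named, unresolved


if __name__ == "__main__":
    named, unresolved = correlate(SAMPLE_CONFIG, SAMPLE_STATS)
    for name, hits in named.items():
        print(f"{name}: {hits} hits")
    for number, hits in unresolved.items():
        print(f"filter #{number}: {hits} hits (no filter at that position)")
```

On the sample data the four counted filters resolve to ccc, ddd, eee and fff. Feeding it a block like the follow-up post's (numbers 18 and 19 against a six-filter set) leaves those entries in the unresolved map, which is the signal to verify the numbering against the sensor rather than trust the assumption.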
01-14-2010 07:25 AM
Thanks!
But how do I know which filter the filter number refers to?
Filter Hit Counts
18 = 18
19 = 7
4 = 18499
6 = 8
7 = 10
9 = 2
Br
Johan