I need to review and analyze connections which are maintained over a certain time period. I cannot get this in a legible format from the PIX/ASA directly during the activity with scalability, so the best I think I can do is look at it after the fact.

So what I have are the teardown messages from the PIX/ASA products in our MARS appliance.

Messages which have this info are like these 302016 and 302014.

May 29 2009 10:43:37: %PIX-6-302014: Teardown TCP connection 543470 for outside:1.2.3.4/3136 to inside:7.8.9.10/80 duration 0:02:04 bytes 1121 TCP FINs

May 29 2009 10:43:33: %PIX-6-302016: Teardown UDP connection 543463 for outside:1.2.3.4/1079 to inside:7.8.9.10/80 duration 0:02:01 bytes 454

Note: Addresses and/or ports listed above may have been changed.

Sometimes we have TCP and UDP connections which last for days. I have no real good way to report on the lengthy ones. Yet.

Can MARS analyze the PIX/ASA 302016 and 302014 messages for values after the “duration” string which may be greater than say 10 hours and create an event, another event for durations greater than say 5 days? Can some be created into low incidents?

If so, can you give me the keywords necessary to look this up in the MARS manuals myself? Also, I am not a coder/scripter and if good regex ability is needed, if you know of a good self help tutorial on the web you can refer me to, that would be good as well.

Thanks.