Track Event Action Filter actions

Answered Question
Jan 13th, 2010

Hi

I would like to track if an ‘event action filter’ triggers.


A filter that removes all actions from an event effectively consumes the event.

But can I track if an ‘event action filter’ triggers (CLI command, debug)?

Br

Johan Kellerman


andrey.dugin Wed, 01/13/2010 - 05:47

You may use the CLI command:


show statistics virtual-sensor | begin SigEvent Action Filter


Output will be as follows:


      SigEvent Action Filter Stage Statistics
         Number of Alerts received to Action Filter Processor = 0
         Number of Alerts where an action was filtered = 591910
         Number of Filter Line matches = 591910
         Number of Filter Line matches causing decreased DenyPercentage = 0
         Actions Filtered
            deny-attacker-inline = 0
            deny-attacker-victim-pair-inline = 0
            deny-attacker-service-pair-inline = 0
            deny-connection-inline = 0
            deny-packet-inline = 0
            modify-packet-inline = 0
            log-attacker-packets = 0
            log-pair-packets = 0
            log-victim-packets = 0
            produce-alert = 7307
            produce-verbose-alert = 584603
            request-block-connection = 0
            request-block-host = 0
            request-snmp-trap = 0
            reset-tcp-connection = 0
            request-rate-limit = 0
         Filter Hit Counts
            3  = 92797
            4  = 488830
            5  = 7307
            6  = 2976

johan.kellerman Thu, 01/14/2010 - 07:25

Thanks!

But how do I know which filter the filter number refers to?


Filter Hit Counts
            18  = 18
            19  = 7
            4  = 18499
            6  = 8
            7  = 10
            9  = 2


Br


Johan

Correct Answer
andrey.dugin Thu, 01/14/2010 - 07:43

I am not 100% sure, but I think that it is the number of the filter in the set. You may understand the sequence by the command:


show configuration | begin filters move


filters move aaa begin
filters move bbb after aaa
filters move ccc after bbb
filters move ddd after ccc
filters move eee after ddd
filters move fff after eee


and see the order. You may check the dependencies.
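The two answers above describe a manual procedure: read the per-filter counters from `show statistics virtual-sensor | begin SigEvent Action Filter`, then work out which filter each index refers to from the ordering that `show configuration | begin filters move` replays. The script below is an added example, not code from the thread or from Cisco, that automates both steps. It assumes, as the answer above suggests but does not confirm, that the index in `Filter Hit Counts` is the 1-based position of the filter in the ordered filter set; if that assumption is wrong, or the configuration changed after the counters were last reset, an index can fall outside the configured list, which the script reports as unknown rather than guessing. Both captures embedded in it (the filter names `ignore-scanner`, `drop-noise`, and so on, and the counter values) are constructed for illustration and are not real sensor output.

```python
"""Map Cisco IPS 'Filter Hit Counts' indexes to event action filter names.

Added example, not from the original thread. ASSUMPTION (from the answer
above, unconfirmed): the index in 'Filter Hit Counts' is the 1-based
position of the filter in the ordered filter set. Both captures below are
constructed samples in the shape of the real CLI output, not real data.
"""
import re

# Constructed excerpt in the shape of:
#   show statistics virtual-sensor | begin SigEvent Action Filter
STATS_OUTPUT = """\
      SigEvent Action Filter Stage Statistics
         Number of Alerts received to Action Filter Processor = 0
         Number of Alerts where an action was filtered = 27
         Number of Filter Line matches = 27
         Actions Filtered
            produce-alert = 20
            produce-verbose-alert = 7
         Filter Hit Counts
            3  = 18
            1  = 7
            4  = 2
"""

# Constructed excerpt in the shape of: show configuration | begin filters move
# (filter names are hypothetical)
CONFIG_OUTPUT = """\
filters move ignore-scanner begin
filters move drop-noise after ignore-scanner
filters move no-verbose-dmz after drop-noise
filters move allow-backup-host after no-verbose-dmz
"""

HIT_RE = re.compile(r"^\s*(\d+)\s*=\s*(\d+)\s*$")
MOVE_RE = re.compile(r"^filters move (\S+) (?:(begin)|after (\S+))\s*$")


def parse_hit_counts(text):
    """Return {filter_index: hits} parsed from the 'Filter Hit Counts' block."""
    hits = {}
    in_block = False
    for line in text.splitlines():
        if line.strip() == "Filter Hit Counts":
            in_block = True
            continue
        if not in_block:
            continue
        m = HIT_RE.match(line)
        if not m:
            break  # first non-"index = count" line ends the block
        hits[int(m.group(1))] = int(m.group(2))
    return hits


def parse_filter_order(text):
    """Rebuild the ordered filter list by replaying 'filters move' lines.

    'filters move X begin' puts X first; 'filters move Y after X' places Y
    immediately after X. Replaying them in the order shown yields the order
    the sensor applies them in.
    """
    order = []
    for line in text.splitlines():
        m = MOVE_RE.match(line)
        if not m:
            continue
        name, begin, after = m.groups()
        if name in order:
            order.remove(name)
        if begin:
            order.insert(0, name)
        else:
            if after not in order:
                raise ValueError(f"'{name}' placed after unknown filter '{after}'")
            order.insert(order.index(after) + 1, name)
    return order


def map_hits_to_filters(stats_text, config_text):
    """Return [(index, name_or_None, hits)] sorted by hits, highest first.

    name is None when the index lies outside the configured list: either the
    index-equals-position assumption does not hold, or filters were added or
    removed after the counters were last cleared.
    """
    order = parse_filter_order(config_text)
    rows = []
    for idx, count in parse_hit_counts(stats_text).items():
        name = order[idx - 1] if 1 <= idx <= len(order) else None
        rows.append((idx, name, count))
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows


if __name__ == "__main__":
    for idx, name, count in map_hits_to_filters(STATS_OUTPUT, CONFIG_OUTPUT):
        print(f"filter #{idx:<3} {name or '<unknown>':<20} hits={count}")
```

Paste the two real captures into `STATS_OUTPUT` and `CONFIG_OUTPUT` and run it; a hit index that maps to `<unknown>` (for example an index larger than the number of `filters move` lines) is the signal to verify the index-to-position assumption on the sensor before trusting the mapping.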
