Track Event Action Filter actions

Answered Question
Jan 13th, 2010

Hi

I would like to track if an ‘event action filter’ triggers.

A filter that removes all actions from an event effectively consumes the event.

But can I track if an ‘event action filter’ triggers (CLI command, debug)?

Br

Johan Kellerman

andrey.dugin Wed, 01/13/2010 - 05:47

You may use the CLI command:

show statistics virtual-sensor | begin SigEvent Action Filter

Output will be as follows:

      SigEvent Action Filter Stage Statistics
         Number of Alerts received to Action Filter Processor = 0
         Number of Alerts where an action was filtered = 591910
         Number of Filter Line matches = 591910
         Number of Filter Line matches causing decreased DenyPercentage = 0
         Actions Filtered
            deny-attacker-inline = 0
            deny-attacker-victim-pair-inline = 0
            deny-attacker-service-pair-inline = 0
            deny-connection-inline = 0
            deny-packet-inline = 0
            modify-packet-inline = 0
            log-attacker-packets = 0
            log-pair-packets = 0
            log-victim-packets = 0
            produce-alert = 7307
            produce-verbose-alert = 584603
            request-block-connection = 0
            request-block-host = 0
            request-snmp-trap = 0
            reset-tcp-connection = 0
            request-rate-limit = 0
         Filter Hit Counts
            3  = 92797
            4  = 488830
            5  = 7307
            6  = 2976

johan.kellerman Thu, 01/14/2010 - 07:25

Thanks!

But how do I know which filter the filter number refers to?

Filter Hit Counts
            18  = 18
            19  = 7
            4  = 18499
            6  = 8
            7  = 10
            9  = 2

Br

Johan

Correct Answer
andrey.dugin Thu, 01/14/2010 - 07:43

I am not 100% sure, but I think that it is the number of the filter in the set. You may understand the sequence with the command:

show configuration | begin filters move

filters move aaa begin
filters move bbb after aaa
filters move ccc after bbb
filters move ddd after ccc
filters move eee after ddd
filters move fff after eee

and you can see the order. You may check the dependencies.
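Putting the two answers together, here is an added example (not from the thread or from Cisco) that parses the "Filter Hit Counts" block of the statistics output and rebuilds the filter sequence from the "filters move ... begin/after ..." chain rather than from line order, then joins the two on the assumption made above that the hit-count number is the filter's 1-based position in that sequence. The filter names and counts are constructed, and the position assumption is unconfirmed in the thread, so a number with no matching position is reported rather than guessed.

```python
import re
from typing import Dict, List, Optional
# Constructed sample modelled on the thread's 'show statistics virtual-sensor' output.
STATS_SAMPLE = """\
         Filter Hit Counts
            3  = 92797
            4  = 488830
            5  = 7307
            6  = 2976
"""
# Constructed 'filters move' lines with hypothetical names, deliberately out of order.
CONFIG_SAMPLE = """\
filters move f-http-noise after f-allow-scanner
filters move f-allow-scanner begin
filters move f-dns-noise after f-http-noise
filters move f-icmp-sweep after f-dns-noise
filters move f-backup-hosts after f-icmp-sweep
"""

def parse_filter_hits(stats: str) -> Dict[int, int]:
    """Return {filter_number: hit_count} from the 'Filter Hit Counts' block."""
    block = stats.split("Filter Hit Counts", 1)[1] if "Filter Hit Counts" in stats else ""
    hits: Dict[int, int] = {}
    for line in block.splitlines()[1:]:  # [0] is the rest of the heading line
        m = re.fullmatch(r"\s*(\d+)\s*=\s*(\d+)\s*", line)
        if not m:
            break  # next section or end of output
        hits[int(m.group(1))] = int(m.group(2))
    return hits

def filter_order(config: str) -> List[str]:
    """Rebuild the filter sequence by following the 'begin' / 'after <name>' links."""
    successor: Dict[str, str] = {}
    head: Optional[str] = None
    for m in re.finditer(r"^\s*filters move (\S+) (?:(begin)|after (\S+))\s*$", config, re.M):
        if m.group(2):
            head = m.group(1)
        else:
            successor[m.group(3)] = m.group(1)
    order: List[str] = []
    while head is not None and head not in order:  # stop at the end or on a cycle
        order.append(head)
        head = successor.get(head)
    return order

def hits_by_name(stats: str, config: str) -> Dict[str, int]:
    """Map hit counts to names, assuming the number is the filter's 1-based position."""
    order = filter_order(config)
    return {(order[n - 1] if 0 < n <= len(order) else f"<no filter at position {n}>"): c
            for n, c in parse_filter_hits(stats).items()}
```

Feed it the real output of both commands and compare the named counts against what each filter is meant to suppress; a filter with an unexpectedly large count is the one silently consuming events.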
