Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
613
Views
0
Helpful
3
Replies

Track Event Action Filter actions

Go to solution
johan.kellerman
Level 1
Level 1

‎01-13-2010 05:13 AM - edited ‎03-10-2019 04:51 AM

Hi

I would like to track if an ‘event action filter’ triggers.

A filter that removes all actions from an event effectively consumes the event.

But can I track if an ‘event action filter’ triggers (cli command, debug)?

Br

Johan Kellerman

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
andrey.dugin
Level 1
Level 1
In response to johan.kellerman

‎01-14-2010 07:43 AM

I am not sure up to 100% but I think that it is the number of filter in set. You may understand the sequence by command:

show configuration | begin filters move


filters move aaa begin
filters move bbb after aaa
filters move ccc after bbb
filters move ddd after ccc
filters move eee after ddd
filters move fff after eee

and can see the order. You may check the dependencies.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
andrey.dugin
Level 1
Level 1

‎01-13-2010 05:47 AM

You may use CLI command:

show statistics virtual-sensor | begin SigEvent Action Filter

Output will be as follow:

      SigEvent Action Filter Stage Statistics
         Number of Alerts received to Action Filter Processor = 0
         Number of Alerts where an action was filtered = 591910
         Number of Filter Line matches = 591910
         Number of Filter Line matches causing decreased DenyPercentage = 0
         Actions Filtered
            deny-attacker-inline = 0
            deny-attacker-victim-pair-inline = 0
            deny-attacker-service-pair-inline = 0
            deny-connection-inline = 0
            deny-packet-inline = 0
            modify-packet-inline = 0
            log-attacker-packets = 0
            log-pair-packets = 0
            log-victim-packets = 0
            produce-alert = 7307
            produce-verbose-alert = 584603
            request-block-connection = 0
            request-block-host = 0
            request-snmp-trap = 0
            reset-tcp-connection = 0
            request-rate-limit = 0
         Filter Hit Counts
            3  = 92797
            4  = 488830
            5  = 7307
            6  = 2976

0 Helpful

Go to solution
johan.kellerman
Level 1
Level 1
In response to andrey.dugin

‎01-14-2010 07:25 AM

Thanks!

But how do I know which filter the filternumber refers to?

Filter Hit Counts
            18  = 18
            19  = 7
            4  = 18499
            6  = 8
            7  = 10
            9  = 2

Br

Johan

0 Helpful

Go to solution
andrey.dugin
Level 1
Level 1
In response to johan.kellerman

‎01-14-2010 07:43 AM

I am not sure up to 100% but I think that it is the number of filter in set. You may understand the sequence by command:

show configuration | begin filters move


filters move aaa begin
filters move bbb after aaa
filters move ccc after bbb
filters move ddd after ccc
filters move eee after ddd
filters move fff after eee

and can see the order. You may check the dependencies.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card