First, enter your exclusion for ALL source addresses:
RecordOfExcludedPattern 1234 * * *
This excludes ALL sub signatures of signature '1234' from ALL sources to ALL destinations.
Next, add back the source that you want to alarm:
RecordOfIncludedPattern 1234 * 10.20.1.1 *
This includes all sub-sigs of signature 1234 originating from IP '10.20.1.1' to any destination.
RecordOfIncludedPattern 1234 * 10.20.1.1 IN
(If you only want it to fire when the destination is a protected asset.)
Exclusions and Inclusions are processed based on the following rules:
All signatures have implied inclusion for all sources and all destinations by default.
ExcludedPatterns allow you to filter some signatures between specific sources/destinations.
IncludedPatterns are used to express exceptions to your expressed ExcludedPatterns. They can be considered as convenience patterns to simplify exclusions and are intended for exactly the situation you describe.
Simply put, an alarm will fire if it is not excluded or if it is included.
fire = ( !Excluded || Included )
Ordering on the Excluded/Included patterns makes no difference ...
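The fire = ( !Excluded || Included ) rule above can be checked against the two patterns from the post with a small model. This is an added example, not the sensor's own code or anything from the original post; the function names, the PROTECTED range standing in for "IN", and the sample alarms are assumptions made for illustration.

```python
import ipaddress

# Constructed sample config using the two directives shown in the post.
CONFIG = """\
RecordOfExcludedPattern 1234 * * *
RecordOfIncludedPattern 1234 * 10.20.1.1 IN
"""

# Assumption: "IN" means the address lies in a protected network (constructed range).
PROTECTED = [ipaddress.ip_network("10.0.0.0/8")]

def parse(config):
    """Return (excluded, included) lists of (sig, subsig, src, dst) patterns."""
    rules = {"RecordOfExcludedPattern": [], "RecordOfIncludedPattern": []}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] in rules:
            rules[parts[0]].append(tuple(parts[1:]))
    return rules["RecordOfExcludedPattern"], rules["RecordOfIncludedPattern"]

def addr_match(pattern, addr):
    """Match one address field: wildcard, protected-asset keyword, or exact IP."""
    if pattern == "*":
        return True
    ip = ipaddress.ip_address(addr)
    if pattern == "IN":
        return any(ip in net for net in PROTECTED)
    return ip == ipaddress.ip_address(pattern)

def matches(pattern, alarm):
    """alarm is (sig_id, subsig_id, src_ip, dst_ip)."""
    sig, sub, src, dst = pattern
    a_sig, a_sub, a_src, a_dst = alarm
    return (sig in ("*", str(a_sig)) and sub in ("*", str(a_sub))
            and addr_match(src, a_src) and addr_match(dst, a_dst))

def fires(config, alarm):
    """fire = (!Excluded || Included); pattern order plays no part."""
    excluded, included = parse(config)
    is_excluded = any(matches(p, alarm) for p in excluded)
    is_included = any(matches(p, alarm) for p in included)
    return (not is_excluded) or is_included
```

With this config, signature 1234 stays silent for every source except 10.20.1.1 targeting a protected address, while any other signature still fires because nothing excludes it.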
Log in to the FXOS chassis manager.
Direct your browser to https://hostname/, and log in using the username and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit TCP from the inside interface to any6.
In Syslog I also se...