topic Re: Firewall Services Search in Getting Data In

Firewall Services Search

gharpe2 — Sun, 27 Nov 2011 18:00:59 GMT

Need a search to list the top 25 non-http and non-https services people are connecting to through my ASA. Does anyone have a search for that? I would like to list the port, protocol and number of times connections were made.

Thanks,
glh

Re: Firewall Services Search

kristian_kolb — Sun, 27 Nov 2011 20:11:21 GMT

Hi,

Please provide a few samples events from your log.

And also, please delete your duplicate forum post "Firewall Traffic".

/kristian

Re: Firewall Services Search

gharpe2 — Mon, 28 Nov 2011 15:37:53 GMT

Sample Events:

9:36:33.000 AM

Nov 28 09:36:33 10.10.0.253 Nov 28 2011 10:36:33: %ASA-2-106001: Inbound TCP connection denied from 10.223.7.21/2999 to 109.13.183.81/445 flags SYN on interface inside

host=10.10.0.253   Options|  
sourcetype=syslog   Options|  
source=udp:514   Options

2 11/28/11
9:36:33.000 AM

Nov 28 09:36:33 10.10.0.253 Nov 28 2011 10:36:33: %ASA-2-106006: Deny inbound UDP from 62.192.232.25/54657 to 63.78.74.228/35731 on interface outside

host=10.10.0.253   Options|  
sourcetype=syslog   Options|  
source=udp:514   Options

3 11/28/11
9:36:33.000 AM

Nov 28 09:36:33 10.10.0.253 Nov 28 2011 10:36:33: %ASA-2-106001: Inbound TCP connection denied from 10.222.7.13/3954 to 109.21.83.57/445 flags SYN on interface inside

host=10.10.0.253   Options|  
sourcetype=syslog   Options|  
source=udp:514   Options

Re: Firewall Services Search

kristian_kolb — Mon, 28 Nov 2011 20:46:00 GMT

Hi, while I do not completely understand your post, I can give the following example of a search , assuming that you have the following fields extracted (either manually or automatically)

destination port :dst_port;
protocol: proto

<your_source/sourcetype> dst_port!="80" dst_port!="443" | stats count by dst_port proto | sort - count | head 25

hope this helps,

Kristian