I want to search my firewall log for tcp denials from the outside on port 22. So far, I have this:
"deny tcp source outside" /22
That seems to work.
Now, I want to exclude some vulnerability scanners... I'm thinking
"deny tcp source outside" /22 src_ip!=188.8.131.52/24 or 184.108.40.206
Not working so well... any suggestions?

Is src_ip an extracted field? If not, the above will not work.
If it is, it still won't work; you might want to try
If this is not an extracted field, then you might want to try with:
NOT 220.127.116.11 NOT 64.39.106.024
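To show why the extracted-field point matters, here is an added example (not from the question or the answer above) that applies the same filter in Python: it extracts src_ip from constructed sample log lines and excludes the two scanner addresses from the question, with the /24 treated as a real CIDR match rather than a literal text match. The log line layout is an assumption.

```python
import ipaddress
import re

# Scanner addresses to exclude, taken from the question above.
EXCLUDED_CIDRS = [ipaddress.ip_network("188.8.131.52/24", strict=False)]
EXCLUDED_HOSTS = {ipaddress.ip_address("184.108.40.206")}

# Constructed sample log lines (not real data); the field layout is an assumption.
SAMPLE_LOG = """\
deny tcp source outside 188.8.131.77/51234 dst 10.0.0.5/22
deny tcp source outside 184.108.40.206/44000 dst 10.0.0.5/22
deny tcp source outside 203.0.113.9/40001 dst 10.0.0.5/22
deny tcp source outside 203.0.113.9/40002 dst 10.0.0.5/443
deny udp source outside 203.0.113.9/40003 dst 10.0.0.5/22
permit tcp source outside 203.0.113.9/40004 dst 10.0.0.5/22
"""

# Field extraction: without this step, "NOT 188.8.131.52/24" could only match
# the literal string, never the other hosts in that /24.
LINE_RE = re.compile(
    r"^(?P<action>\w+) (?P<proto>\w+) source (?P<iface>\w+) "
    r"(?P<src_ip>[\d.]+)/(?P<src_port>\d+) dst (?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)$"
)

def extract(line):
    """Return the extracted fields for one line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def is_excluded(src_ip):
    """True when src_ip is a known scanner, by exact host or CIDR membership."""
    ip = ipaddress.ip_address(src_ip)
    return ip in EXCLUDED_HOSTS or any(ip in net for net in EXCLUDED_CIDRS)

def ssh_denials(log_text):
    """Source IPs of denied TCP connections from 'outside' to port 22, scanners removed."""
    hits = []
    for line in log_text.splitlines():
        f = extract(line)
        if f is None:
            continue
        if f["action"] != "deny" or f["proto"] != "tcp" or f["iface"] != "outside":
            continue
        if f["dst_port"] != "22":
            continue
        if is_excluded(f["src_ip"]):
            continue
        hits.append(f["src_ip"])
    return hits
```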