I want to create alert for same Source-ip and same destination-ip but different port

tahseen_fatima · October 10, 2019, 6:12am

Hi,
My use case is.
I am having a log file of Firewall. In this I have a log like this:

Aug 22 2019 13:17:05: %ASA-6-106100: access-list CheckPoint_access_in denied tcp CheckPoint/20.36.219.28(443) -> Intranet-DMZ/10.18.13.85(55460) hit-cnt 1 first hit [0x14fc4bcc, 0x00000000]

This is my parser:

%{SYSLOGTIMESTAMP:timeStamp}: %{DATA:data}: %{DATA:msg}/%{IP:srcIp}(%{NUMBER:srcPort}) -> Intranet-DMZ/%{IP:dstIp}(%{NUMBER:dstPort})%{GREEDYDATA:remain}

From this I have to extract these field source-ip, Destination Ip and destination port.
according to my use case I have to trigger an alert when the source ip and destination ip is same but they have different port trigger alert.

Kindly help.

Topic		Replies	Views
Notify when multiple event soccured in 15 with same srcip,dstip and different dsports Kibana	2	411	April 19, 2018
Detect Horizontal Port Scan Elastic Security	2	3397	June 15, 2021
Elastic watcher, log multiple fields Elasticsearch elastic-stack-alerting	2	517	October 1, 2020
Tunning Watcher Elasticsearch elastic-stack-alerting	6	1505	July 6, 2017
Elasticsearch Query Alert Elasticsearch elastic-stack-alerting	1	343	June 7, 2021

I want to create alert for same Source-ip and same destination-ip but different port

Related topics