I want to search my firewall log for tcp denials from the outside on port 22. So far, I have this:
"deny tcp source outside" /22
That seems to work.
Now, I want to exclude some vulnerability scanners...I'm thinking
"deny tcp source outside" /22 src_ip!=64.39.106.0/24 or 216.93.24.244
Not working so well...any suggestions?
Is src_ip an extracted field? If not, the above will not work.
If it is, it still won't work; you might want to try
src_ip!="64.39.106.024" src_ip!=216.93.24.244
If this is not an extracted field, then you might want to try with:
NOT 216.93.24.244 NOT 64.39.106.024
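To show the filtering logic the thread is after (tcp denials from outside to port 22, minus a scanner /24 and a single scanner host) applied to constructed log lines, here is an added Python example; it is not from the original thread and not Splunk SPL, and the log layout it parses is a hypothetical one, not a specific firewall vendor's format. It also contrasts CIDR membership with a plain string comparison, which is why a text match against "64.39.106.0/24" excludes nothing.

```python
import ipaddress
import re

# Constructed sample firewall log lines (not taken from the original thread).
SAMPLE_LOGS = [
    "deny tcp source outside 64.39.106.17/51234 dest inside 10.0.0.5/22",
    "deny tcp source outside 216.93.24.244/44100 dest inside 10.0.0.5/22",
    "deny tcp source outside 198.51.100.9/40001 dest inside 10.0.0.5/22",
    "deny tcp source outside 198.51.100.9/40002 dest inside 10.0.0.5/443",
    "deny udp source outside 203.0.113.4/5000 dest inside 10.0.0.5/22",
    "permit tcp source outside 203.0.113.7/40005 dest inside 10.0.0.5/22",
]

# Assumed (hypothetical) log layout, not a specific vendor format:
# "<action> <proto> source outside <src_ip>/<src_port> dest inside <dst_ip>/<dst_port>"
LOG_RE = re.compile(
    r"^(?P<action>\w+) (?P<proto>\w+) source outside (?P<src_ip>[\d.]+)/\d+ "
    r"dest inside [\d.]+/(?P<dst_port>\d+)$"
)

def ssh_deny_source(line):
    """Return the source IP if the line is a tcp deny from outside to port 22, else None."""
    m = LOG_RE.match(line)
    if m and m["action"] == "deny" and m["proto"] == "tcp" and m["dst_port"] == "22":
        return m["src_ip"]
    return None

def ssh_denials(lines, exclusions):
    """Source IPs of matching denials that are NOT inside any excluded scanner range.
    A bare address such as '216.93.24.244' parses as a /32, so one membership test
    covers both the CIDR block and the single host (the OR the question asked for)."""
    nets = [ipaddress.ip_network(e, strict=False) for e in exclusions]
    hits = []
    for line in lines:
        src = ssh_deny_source(line)
        if src is None:
            continue
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in nets):  # CIDR membership, not string equality
            continue
        hits.append(src)
    return hits

def naive_string_exclusion(lines, exclusions):
    """What a plain text comparison (src_ip != "64.39.106.0/24") does: it only drops
    an exact textual match, so the /24 never excludes any host inside it."""
    return [s for s in map(ssh_deny_source, lines) if s is not None and s not in exclusions]

if __name__ == "__main__":
    print("unexplained ssh denials:", ssh_denials(SAMPLE_LOGS, ["64.39.106.0/24", "216.93.24.244"]))
```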