George_Ellis
Advisor

CLI Suspicious Activity Monitor for a port?

Does anyone have an example of the syntax to block a port using the fw sam command?

I use these already.

Block src or dst of 94.242.249.67

fw sam -v -l long_noalert -J any 94.242.249.67

block any src/dst for 185.154.52.0/24

fw sam -v -l long_noalert -J subany 185.154.52.0 255.255.255.0

Cancel a block for a subnet 46.244.10.0/26

fw sam -v -C -J subany 46.244.10.0 255.255.255.192

My best guess is to block port udp/11211

fw sam -v -J dstpr any udp/11211

I am willing to bet that that is not right. Anyone blocked a UDP port before?

0 Kudos
4 Replies
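An added helper, not from this thread or from Check Point: a POSIX shell function that turns a CIDR prefix (the /24 and /26 written in the post above) into the dotted netmask the subany form of fw sam expects, and prints the resulting block or cancel command instead of running it. It assumes the -t timeout, -l and -J options behave as used in this thread.

```shell
#!/bin/sh
# Added helper (not from the thread): build "fw sam ... subany <ip> <mask>"
# commands from CIDR notation, because fw sam takes a dotted netmask rather
# than a /prefix length. Assumption: -t is the rule timeout in seconds.

# cidr_to_mask 26 -> 255.255.255.192
cidr_to_mask() {
    prefix=$1
    [ "$prefix" -ge 0 ] && [ "$prefix" -le 32 ] || return 1
    mask=""
    i=0
    while [ $i -lt 4 ]; do
        if [ "$prefix" -ge 8 ]; then
            octet=255
        elif [ "$prefix" -le 0 ]; then
            octet=0
        else
            # partial octet: 256 - 2^(8-prefix), e.g. /26 -> 256 - 64 = 192
            octet=$(( 256 - (1 << (8 - prefix)) ))
        fi
        prefix=$(( prefix - 8 ))
        mask="${mask}${mask:+.}${octet}"
        i=$(( i + 1 ))
    done
    printf '%s\n' "$mask"
}

# sam_block_subnet 185.154.52.0/24 [timeout_seconds]
# Prints the command so it can be reviewed before it is run on the gateway;
# the timeout (default 3600 s) makes the block expire rather than live forever.
sam_block_subnet() {
    net=${1%/*}
    prefix=${1#*/}
    timeout=${2:-3600}
    mask=$(cidr_to_mask "$prefix") || return 1
    printf 'fw sam -v -t %s -l long_noalert -J subany %s %s\n' "$timeout" "$net" "$mask"
}

# sam_unblock_subnet 46.244.10.0/26 -> the matching -C (cancel) command
sam_unblock_subnet() {
    net=${1%/*}
    mask=$(cidr_to_mask "${1#*/}") || return 1
    printf 'fw sam -v -C -J subany %s %s\n' "$net" "$mask"
}
```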
G_W_Albrecht
Legend

Did you consult sk112061, How to create and view Suspicious Activity Monitoring (SAM) Rules? It is a good addition to the Command Line Interface Reference Guide.

CCSE CCTE CCSM SMB Specialist
0 Kudos
George_Ellis
Advisor

I sure did. Thanks.

0 Kudos
George_Ellis
Advisor

Mario Cantu has been trying to find the right combination. It appears to be this format. From Mario yesterday:

fw sam -f localhost -t 3600 -I srvpr 161 UDP

This is for a rule that will last 3600 seconds, service UDP and port 161.

0 Kudos
PhoneBoy
Admin

I would recommend using fw samp instead of fw sam.

fw samp is SecureXL friendly, whereas fw sam is not.

More details about the mechanism here: How to configure Rate Limiting rules for DoS Mitigation

I believe the correct command line to achieve this is (assuming you want to block UDP port 11211 on any IP):

fw samp add -t 3600 -a d -r 17 -p 11211

0 Kudos