CheckMates forum thread (Products > Quantum > Management)
CLI Suspicious Activity Monitor for a port?
Does anyone have an example of the syntax to block a port using the fw sam command?
I use these already.
Block src or dst of 94.242.249.67
fw sam -v -l long_noalert -J any 94.242.249.67
block any src/dst for 185.154.52.0/24
fw sam -v -l long_noalert -J subany 185.154.52.0 255.255.255.0
Cancel a block for a subnet 46.244.10.0/26
fw sam -v -C -J subany 46.244.10.0 255.255.255.192
My best guess is to block port udp/11211
fw sam -v -J dstpr any udp/11211
I am willing to bet that that is not right. Has anyone blocked a UDP port before?
Did you consult sk112061 (How to create and view Suspicious Activity Monitoring (SAM) Rules)? It is a good addition to the Command Line Interface Reference Guide.
I sure did. Thanks.
Mario Cantu has been trying to find the right combination. It appears to be this format. From Mario yesterday:
fw sam -f localhost -t 3600 -I srvpr 161 UDP
This is for a rule that will last 3600 seconds, service UDP and port 161.
I would recommend using fw samp instead of fw sam.
fw samp is SecureXL friendly, whereas fw sam is not.
More details about the mechanism here: How to configure Rate Limiting rules for DoS Mitigation
I believe the correct command line to achieve this is (assuming you want to block UDP port 11211 on any IP):
fw samp add -t 3600 -a d -r 17 -p 11211
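As an added example (not code from the thread or from Check Point), a small POSIX shell wrapper that validates the protocol and port, maps the protocol name to its IANA number (UDP is 17, TCP is 6), and composes the time-limited drop rule in the `-t/-a/-r/-p` layout quoted in the reply above. That flag layout is taken from the thread and assumed correct, and the function names and the SAMP_DRY_RUN variable are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): compose a time-limited fw samp
# drop rule for one UDP/TCP port using the flag layout quoted in the
# last reply (-t <seconds> -a d -r <ip-proto> -p <port>). That layout
# is an assumption taken from the thread, not verified on a gateway.
# Set SAMP_DRY_RUN=1 to print the command instead of executing it.

# Map a protocol name to its IANA protocol number; returns 1 if unknown.
proto_number() {
    case "$1" in
        udp|UDP) echo 17 ;;
        tcp|TCP) echo 6 ;;
        *) return 1 ;;
    esac
}

# Build the command line for dropping <proto>/<port> for <ttl> seconds
# (ttl defaults to 3600). Echoes the command; non-zero on bad input.
samp_block_port_cmd() {
    proto="$1"; port="$2"; ttl="${3:-3600}"
    num=$(proto_number "$proto") || { echo "unknown protocol: $proto" >&2; return 1; }
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    case "$ttl" in
        ''|*[!0-9]*) echo "ttl must be numeric seconds: $ttl" >&2; return 1 ;;
    esac
    echo "fw samp add -t $ttl -a d -r $num -p $port"
}

# Apply (or, with SAMP_DRY_RUN=1, only print) the rule for <proto> <port> [ttl].
samp_block_port() {
    cmd=$(samp_block_port_cmd "$@") || return 1
    if [ "${SAMP_DRY_RUN:-0}" = "1" ]; then
        echo "$cmd"
    else
        $cmd   # runs on the gateway's shell; needs fw in PATH
    fi
}
```

Because the rule is time-limited, the wrapper gives a block that expires on its own and can be reissued with a longer ttl once the traffic has been confirmed as unwanted.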
