Are you referring to the gen_reports -r netprobes report?
Any packet that comes in on an unopened port shows up there, I use it
all the time.
As for denials, you can use "showaudit -ak" for live time reporting
of Denials or "showaudit -a" for listings from the audit file itself.
There is also acat -ae 'type AUDIT_T_ACLDENY' /var/log/audit.raw
RS
--- In sidewinder-users@yahoogroups.com, "Justin" <ljs442@...> wrote:
>
> All,
>
> We're wanting something that will actively watch allows/denies on
> FILTER RULES (we can do this with proxies) or ports/protocols that
> have no rule at all. Being an ex-Gauntlet guy I'll give an example of
> what we're used to seeing and are looking for......
>
> Gauntlet example of a "generic deny" (i.e. no proxy or anything for
> this port)
>
>
> Jun 14 18:54:19 sidewinder.domain.com gfw: [ID 702911 kern.info]
> securityalert: tcp if=qfe0 from x.x.x.x:4552 to x.x.x.x on unserved
> port 135
>
> This would be an example of a host trying to hit tcp port 135 and
> there is no allow rule whatsoever.
>
> It seems Sidewinder has all this crazy information they log, instead
> of just "x tried to go to y on this port, at this time" and raised an
> alert.
>
> Also....we know you can actively watch allows or denies on Proxy/ACL
> Rules.....but what about watching active allows or denies on IP Filter
> rules?
>
> So basically....how can we watch the logs...say for instance a host
> trying to come from an external source trying to come to a host inside
> the firewall and see something like above (again not caring about
> created proxies)? Live not in a file of course.
>
> So I can watch x.x.x.x trying to get to host x.x.x.x on port x.
>
> With Gauntlet you could say tail -f /var/log/messages | egrep
> "security|alert|deny|denied" | egrep x.x.x.x for the host....anyone
> have any G2 suggestions?
>
> Thanks!
>
> Justin
>
> ACLs we've pretty much gotten down.
>
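Added example (not from RS's reply or Justin's post, and not Secure Computing code): a small Python filter that does what the tail -f | egrep pipeline above does, but parses the Gauntlet "securityalert ... on unserved port" line quoted in the post into fields, optionally keeps only lines where a given host is the source or destination, and counts hits per source/destination/port so a port sweep stands out. The log lines and addresses are constructed for the example. The script name watch_denies.py is made up. It only understands the Gauntlet format shown on the page; Sidewinder's own audit records (what showaudit and acat print) are not shown here, so they would need their own pattern.

```python
import re
import sys
from collections import Counter

# Constructed sample lines in the Gauntlet "securityalert ... on unserved port"
# format quoted in the post. They are made up for this example (documentation
# address ranges), not real log data.
SAMPLE_LINES = [
    "Jun 14 18:54:19 sidewinder.domain.com gfw: [ID 702911 kern.info] "
    "securityalert: tcp if=qfe0 from 10.1.1.5:4552 to 192.0.2.10 on unserved port 135",
    "Jun 14 18:54:20 sidewinder.domain.com gfw: [ID 702911 kern.info] "
    "securityalert: udp if=qfe0 from 10.1.1.5:1029 to 192.0.2.10 on unserved port 137",
    "Jun 14 18:54:21 sidewinder.domain.com gfw: [ID 702911 kern.info] "
    "securityalert: tcp if=qfe0 from 203.0.113.7:5000 to 192.0.2.11 on unserved port 22",
    # An unrelated syslog line (constructed) that the parser must ignore.
    "Jun 14 18:54:22 sidewinder.domain.com http-gw[1234]: permit host=203.0.113.7 use of gateway",
]

# Field-by-field pattern for the generic-deny line. It is anchored on the
# literal "securityalert:" so other syslog traffic is skipped, not mis-parsed.
ALERT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<fw>\S+) .*?"
    r"securityalert: (?P<proto>\w+) if=(?P<iface>\S+) "
    r"from (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+) "
    r"on unserved port (?P<dport>\d+)\s*$"
)


def parse_alert(line):
    """Return the fields of a generic-deny line as a dict, or None for any other line."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def watch(lines, host=None):
    """Yield generic denies from a stream of log lines; if HOST is given, keep
    only lines where it is the source or the destination (the 'egrep x.x.x.x' step)."""
    for line in lines:
        rec = parse_alert(line.rstrip("\n"))
        if rec is None:
            continue
        if host is not None and host not in (rec["src"], rec["dst"]):
            continue
        yield rec


def summarize(alerts):
    """Count denies per (source, destination, destination port); a scanner shows
    up as one source hitting one destination on many ports."""
    return Counter((a["src"], a["dst"], a["dport"]) for a in alerts)


def format_alert(rec):
    """The short 'x tried to go to y on this port, at this time' rendering."""
    return "{ts} {proto} {src}:{sport} -> {dst}:{dport} (unserved, if={iface})".format(**rec)


if __name__ == "__main__":
    # Usage: tail -f /var/log/messages | python watch_denies.py [host]
    # With no piped input it runs over the constructed sample lines instead.
    host = sys.argv[1] if len(sys.argv) > 1 else None
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES
    for rec in watch(source, host):
        print(format_alert(rec))
```

Because watch() is a generator, it prints each deny as it arrives from tail -f instead of waiting for the file to end; summarize() is for the batch case, for instance run over the output of showaudit -a once you have written a pattern for that record format.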