Constructing Queries: Queries are constructed in the Events Query Pane and the results are displayed in the Display Pane. To display the Events screen, click the Events button on the Toolbar; to access the Events Query Pane, click the Events button on the Toolbar and then click Events in the Navigation pane.
Network Criteria: The SMS can perform search queries based on single, multiple, or ranges of source and destination addresses and ports. In the source (Src Port) and destination (Dest Port) port fields, you can enter a range by using a dash and multiple ports by separating them with commas (,). Both forms can be combined in the same port field. For example, to display events that had a source port of 22, 25, or between 1000 and 32000, you would enter "22,25,1000-32000". IP address fields support single entries or CIDR blocks.
Network Criteria Query Pane Fields

| Field | Description |
|---|---|
| Addresses & Ports | Enables you to enter criteria for searching and displaying events. These options include: Src Addr (source IP address), Src Port (port of the source IP address), Dst Addr (destination IP address), Dst Port (port of the destination IP address). |
| Packet Trace | Indicates whether the query should locate action sets with packet trace enabled: Events with Packet Trace, Events without Packet Trace. |
| VLAN ID | Enables you to enter criteria for searching and displaying events based on VLAN ID. |
- Log in to the SMS from a client.
- On the top Navigation menu, click Events.
- On the Events screen, click Inspection Events in the Navigation pane.
- On the Query pane, select the triangle symbol (▶) next to Network Criteria to expand this option.
- In the Addresses and Ports area, enter:
  - Src Addr(s) - Source IP address
  - Src Port(s) - Port of the source IP address
  - Dst Addr(s) - Destination IP address
  - Dst Port(s) - Port of the destination IP address
- When searching for source or destination IP addresses, you can:
  - Enter multiple IP addresses separated by commas.
  - Enter one address or a CIDR block.
  - Exclude IP addresses in a CIDR block by prefixing it with the "!" symbol.
- Select the desired entry from the Packet Trace drop-down list.
- If you want to include a VLAN ID in your search query, enter the ID in the VLAN area.
- Enter the number of matching rows (1 - 10,000) to list in the Display Pane. Limiting the number of rows may decrease the query processing time.
- Click Refresh. The returned attack events display in the List pane.
- To save this query, click Save As. Enter a name for the query when prompted. The query displays in the Saved Queries section of the Events Navigation pane. To create a new query, click Clear. The query pane resets and clears the criteria fields.
Note: You are not required to complete all query fields. Complete only as many as you need to successfully execute your query.
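The following added example (not part of the SMS User Guide, and not SMS code) shows how the port and address criteria syntax described above can be interpreted: comma-separated ports with dash ranges such as "22,25,1000-32000", and comma-separated IP addresses or CIDR blocks with a leading "!" marking an excluded block. It applies those criteria to a small set of constructed events, leaving empty fields unfiltered (as the note above allows) and honouring a row limit. The function and event names, and the assumption that a criterion made only of "!" exclusions accepts every address outside the excluded blocks, are this example's own, not the product's documented behaviour.

```python
import ipaddress

def parse_ports(spec):
    """Parse port criteria such as "22,25,1000-32000" into a list of (lo, hi) ranges."""
    ranges = []
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue  # tolerate stray commas
        lo, _, hi = token.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo  # single port becomes a one-element range
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port criterion: {token!r}")
        ranges.append((lo, hi))
    return ranges

def port_matches(port, ranges):
    return any(lo <= port <= hi for lo, hi in ranges)

def parse_addresses(spec):
    """Parse "10.0.0.0/8,!10.0.5.0/24,192.168.1.7" into (include, exclude) network lists.
    A bare IP is treated as a /32 (or /128) network; a leading "!" marks an exclusion."""
    include, exclude = [], []
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        negate = token.startswith("!")
        net = ipaddress.ip_network(token.lstrip("!"), strict=False)
        (exclude if negate else include).append(net)
    return include, exclude

def address_matches(addr, include, exclude):
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in exclude):
        return False
    # Assumption (not stated by the guide): with only "!" exclusions given,
    # every address outside the excluded blocks matches.
    return not include or any(ip in net for net in include)

# Constructed sample events, not SMS output: (id, src_addr, src_port, dst_addr, dst_port)
EVENTS = [
    (1, "10.1.2.3",   51000, "192.168.1.7", 22),
    (2, "10.0.5.9",   51001, "192.168.1.7", 25),
    (3, "172.16.0.1", 51002, "192.168.1.8", 443),
    (4, "10.9.9.9",   51003, "192.168.1.7", 8080),
]

def filter_events(events, src_addr="", src_port="", dst_addr="", dst_port="", limit=10000):
    """Return the ids of events matching every non-empty criterion, at most `limit` rows."""
    checks = []
    # Default arguments bind each parsed criterion to its own lambda; otherwise the
    # src and dst closures would both see whichever value was parsed last.
    if src_addr:
        inc, exc = parse_addresses(src_addr)
        checks.append(lambda e, inc=inc, exc=exc: address_matches(e[1], inc, exc))
    if src_port:
        pr = parse_ports(src_port)
        checks.append(lambda e, pr=pr: port_matches(e[2], pr))
    if dst_addr:
        inc, exc = parse_addresses(dst_addr)
        checks.append(lambda e, inc=inc, exc=exc: address_matches(e[3], inc, exc))
    if dst_port:
        pr = parse_ports(dst_port)
        checks.append(lambda e, pr=pr: port_matches(e[4], pr))
    hits = [e[0] for e in events if all(check(e) for check in checks)]
    return hits[:limit]

if __name__ == "__main__":
    # Events from 10.0.0.0/8 except 10.0.5.0/24, with destination port 22, 25 or 1000-32000.
    print(filter_events(EVENTS, src_addr="10.0.0.0/8,!10.0.5.0/24", dst_port="22,25,1000-32000"))
```

Running the module prints `[1, 4]`: event 2 is dropped by the "!10.0.5.0/24" exclusion, event 3 falls outside 10.0.0.0/8, and event 4 is kept because destination port 8080 lies inside the 1000-32000 range.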
Reference: SMS User Guide