I created a rule in SL4NT to look for specific info received from a PIX syslog.

I syntexed the substring message as follows
10.1.1.1|10.2.4.3|10.10.1.15|10.4.3.2|10.5.3.4|10.11.3.2|10.20.10.10

I left the regular expression box checked. I am to receive an email on the above

Problem I am having is that I receive emails from SL4NT that contain IP addresses not in the substring. Below is a sample of an email that I receive. As you can see the IP addresses listed in the email are not part of the substring. Does anybody have any ideas on why SL4NT may be doing this to me. The SL4NT is quite busy receiving a lot of syslog traffic from other devices.


7/14/2009
1:43:52 AM
Jul 14 2009 00:58:49: %FWSM-3-106100: access-list out2in permitted icmp
outside/10.15.16.1(0) -> inside/214.1.124.242(11) hit-cnt 192
(300-second interval) [0x941ea73, 0x0]

You need to escape the dot characters because in a regex a dot character matches any character:

10\.1\.1\.1|10\.2\.4\.3|10\.10\.1\.15|10\.4\.3\.2|10\.5\.3\.4|10\.11\.3\.2|10\.20\.10\.10

-Franz

why would the ;~ not work for this situation

>why would the ;~ not work for this situation

Because the documentation says:

If the Regular Expression check box is not selected, this field can contain one or more substrings. Substrings must be separated by a ; (semicolon). Spaces are considered as being part of the substring. A substring can be prefixed by a ~ (tilde). The condition is evaluated to true if all substrings without the prefix ~ and none of the substrings with the prefix ~ are contained in the message text of the syslog message.

This means that if you don't use regex (e.g. 10.1.1.1;10.2.4.3;10.10.1.15;10.4.3.2;10.5.3.4;10.11.3.2;10.20.10.10), ALL addresses must be contained in the message text to constitute a match (which isn't the case in your scenario). Using the ~ character as prefix means that the rule matches only if the following string DOESN'T contain the following substring, which isn't what you intend, too.

-Franz