Contains and Drop all other messages

Hi All,

I’m looking for a quick pointer (struggling to find an example) of a pipeline rule which will keep any received message which contains the string “NAT Mapping” and drop everything else.

I have used extractors to sort messages (example below) and have the field “msg”

id=firewall sn=C0EAEXXXXXX time="2019-10-22 11:52:53" fw=XXX.XXX.XXX.X pri=5 c=0 m=1197 msg="NAT Mapping" n=6546585 src=192.168.XXX.41:44460:X4-V130 dst=XX;XXX:XXX:X:8736:X1 proto=udp/1813 note="Source: XX:XXX:XXX:XXX, 31733, Destination: XXX:XX:XX:XX, 1813, Protocol: 17" rule="286 (Managed->WAN)" fw_action="NA"

Not sure if I'm anywhere near on the right track here, but I think I want the inverse of the rule below…

rule "Drop NAT Mapping"
when
    contains(to_string($message.msg), "NAT Mapping", true)
then
    drop_message();
end

Any help would be greatly appreciated.

Regards

Mark

Hi Mark,

You can invert your example rule by adding in the ‘NOT’ keyword as shown below:

rule "Drop non-NAT Mapping"
when
    NOT contains(to_string($message.msg), "NAT Mapping", true)
then
    drop_message();
end

Hi,

I have added the rule as suggested, but when I run the simulator, anything I input into the "Raw Message" box results in "not stored".

As far as I can see “msg” is a valid field and shows in “search” with the value of “NAT Mapping” quite often.

Would someone be able to clarify what this part of the rule means: "$message.msg"? I'm struggling with the syntax and wonder if the rule is looking in the wrong place.

Many thanks

Mark

$message is the variable which stores the message object, $message.msg is the msg field of the message.

What is your processing order in System > Configuration? For the way you want it to work, the Pipeline Processor should be below the Message Filter Chain.
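To check the keep-only-"NAT Mapping" logic outside Graylog, here is an added Python model (not code from the thread or from Graylog) of the two steps involved: a key=value extractor producing the msg field, and the NOT contains(...) rule with its ignore_case flag. The sample lines are constructed placeholders in the same format as the firewall line above.

```python
import re
from typing import Dict, List, Optional

# Constructed sample messages in the same key=value style as the thread's
# firewall log line (values are placeholders, not real devices or addresses).
SAMPLE_LINES = [
    'id=firewall sn=XXXX pri=5 m=1197 msg="NAT Mapping" proto=udp/1813 fw_action="NA"',
    'id=firewall sn=XXXX pri=5 m=1197 msg="nat mapping" proto=udp/1813 fw_action="NA"',
    'id=firewall sn=XXXX pri=6 m=98 msg="Connection Opened" proto=tcp/443 fw_action="NA"',
    'id=firewall sn=XXXX pri=6 m=98 proto=tcp/443 fw_action="NA"',  # no msg field at all
]

# key=value pairs; a value is either double-quoted (may contain spaces) or bare.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def extract_fields(line: str) -> Dict[str, str]:
    """Model of the extractor step: turn the raw line into message fields."""
    fields: Dict[str, str] = {}
    for m in _KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def contains(value: Optional[str], search: str, ignore_case: bool = False) -> bool:
    """Substring test with optional case folding, mirroring the pipeline
    contains() call. A missing field is treated as an empty string here
    (an assumption of this model), so it never matches."""
    value = value or ""
    if ignore_case:
        return search.lower() in value.lower()
    return search in value


def keep_message(fields: Dict[str, str], ignore_case: bool) -> bool:
    """The 'drop everything else' rule: the message survives only when
    NOT contains(...) is false, i.e. when msg contains 'NAT Mapping'."""
    return contains(fields.get("msg"), "NAT Mapping", ignore_case)


def simulate(lines: List[str], ignore_case: bool) -> List[str]:
    """Return the raw lines that would still be stored after the rule runs."""
    return [line for line in lines if keep_message(extract_fields(line), ignore_case)]
```

With ignore_case set to true the lower-case "nat mapping" line is kept as well; with it set to false only the exact-case line survives, and a line without a msg field is always dropped.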

Hi All,

Apologies for the late response I was caught up on another project last week. Thanks for your responses Ponet and Jan.

So it would appear that my understanding of the $message.msg object/field was correct (thanks).

Also I have changed my processing order but still receive a “not stored” result from the pipeline simulator (output below). Current order is Geoip > Message chain filter > Pipeline Processor.

ea25ad41-f96d-11e9-9aff-000c29f6e1c5 Not stored
Timestamp
2019-10-28 10:30:08.660
Stored in index
Message is not stored

message

id=firewall sn=C0EAE49BB3DE time="2019-10-22 16:20:59" fw=X.X.X.X pri=5 c=0 m=1197 msg="NAT Mapping" n=6628269 src=X.X.X.X:46059:X4-V110 dst=X.X.X.X:1813:X1 proto=udp/1813 note="Source: X.X.X.X, 7938, Destination: X.X.X.X, 1813, Protocol: 17" rule="286 (EC_Managed_Zone->WAN)" fw_action="NA"

My pipeline rule is as follows:

rule "Drop all but Rule"
when
    NOT contains(to_string($message.msg), "NAT Mapping", false)
then
    drop_message();
end

This is the only pipeline/rule I have, so nothing else should be impacting the result. As is often the case with issues such as this, I'm sure it's something silly resulting from my lack of knowledge/experience with the product. Is there anything glaringly obvious wrong with the above rule?

Many thanks

Mark

So the simulator writes that the message is not stored, but actually it is stored?

Sorry, yes, that does seem to be the case… I had started using the simulator as a basis to test whether the rule was working or not. Looking at the data, it seems it started working once I changed the processing order. It would seem what I now need to research is where I am going wrong with the simulator…

Thanks for your suggestions/patience, everyone.
