I think this should be within my grasp, but I don't seem to be able to create a search that returns what I'm looking for.
I'm trying to return from syslog any IP address that hits a specific port (say 12345), but *also* attempts connecting to any other ports, other than 12345. In my scenario, a well-behaved host should connect exclusively to port 12345, and nothing else.
What I'm coming up with either returns no results, or only results matching DPT=12345; nothing in between.
Thanks
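An added example, not part of the original post: filtering each event on DPT=12345 drops the very events that show the other ports, so the ports have to be collected per source across all events first and the condition applied afterwards. The sketch below assumes iptables-style `SRC=`/`DPT=` key=value syslog lines; the sample lines and function names are constructed for illustration.

```python
import re
from collections import defaultdict

EXPECTED_PORT = 12345  # the only port a well-behaved host should touch

# Constructed sample lines (assumed iptables-style key=value syslog format).
SAMPLE_LOG = """\
Jan 10 10:00:01 fw kernel: IN=eth0 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=12345
Jan 10 10:00:02 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40100 DPT=12345
Jan 10 10:00:03 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40101 DPT=22
Jan 10 10:00:04 fw kernel: IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40200 DPT=22
Jan 10 10:00:05 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40102 DPT=443
Jan 10 10:00:06 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=ICMP TYPE=8
Jan 10 10:00:07 fw kernel: IN=eth0 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=12345
"""

FIELD_RE = re.compile(r"\b(SRC|DPT)=(\S+)")


def ports_by_source(lines):
    """Map each source IP to the set of destination ports it was seen hitting."""
    seen = defaultdict(set)
    for line in lines:
        fields = dict(FIELD_RE.findall(line))
        src, dpt = fields.get("SRC"), fields.get("DPT")
        # Skip events without a usable port (e.g. ICMP) instead of failing.
        if src and dpt and dpt.isdigit():
            seen[src].add(int(dpt))
    return seen


def misbehaving_sources(lines, expected_port=EXPECTED_PORT):
    """Sources that hit expected_port AND at least one other port."""
    result = {}
    for src, ports in ports_by_source(lines).items():
        others = ports - {expected_port}
        if expected_port in ports and others:
            result[src] = sorted(others)
    return result


if __name__ == "__main__":
    hits = misbehaving_sources(SAMPLE_LOG.splitlines())
    for src, others in sorted(hits.items()):
        print(f"{src} hit {EXPECTED_PORT} and also {others}")
```

Sources that only ever hit 12345, and sources that never hit it at all, are both excluded; only the overlap is reported.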