I think this should be within my grasp, but I don't seem to be able to create a search that returns what I'm looking for.
I'm trying to return from syslog any IP address that hits a specific port (say 12345), but *also* attempts to connect to any port other than 12345. In my scenario, a well-behaved host should exclusively connect to port 12345 and nothing else.
What I'm coming up with either returns no results or only results matching DPT=12345; it does not return anything in between.
Thanks