A short tip today.
Here is a quick way to filter out of your logs the packets for connections that were never established (e.g. a SYN with no SYN/ACK):

`(bytes_received geq 1) and (bytes_sent geq 1)`
Of course, if you are only getting a SYN and never a SYN/ACK, the IP should probably be closed off altogether, but you may have some situations where this is to be expected.
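The same filter applied in code over a few constructed log records, plus the complement (one-way traffic) grouped by source, as an added example that is not part of the original tip; the CSV layout and field names are assumptions:

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample of firewall traffic-log records (not real data).
# bytes_sent is client->server, bytes_received is server->client.
SAMPLE_LOG = """\
src,dst,dport,bytes_sent,bytes_received
10.1.1.5,192.0.2.10,443,1523,9870
10.1.1.5,192.0.2.10,22,60,0
10.1.1.9,192.0.2.10,22,60,0
10.1.1.5,192.0.2.11,80,412,2048
198.51.100.7,192.0.2.10,3389,64,0
"""

def parse_log(text):
    """Parse CSV-style log text into dicts with integer byte counters."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["bytes_sent"] = int(row["bytes_sent"])
        row["bytes_received"] = int(row["bytes_received"])
        rows.append(row)
    return rows

def is_established(row):
    """Equivalent of the log filter in the tip:
    (bytes_received geq 1) and (bytes_sent geq 1)."""
    return row["bytes_received"] >= 1 and row["bytes_sent"] >= 1

def established(rows):
    """Sessions where both sides sent data (the tip's filter)."""
    return [r for r in rows if is_established(r)]

def never_established(rows):
    """The complement: one-way traffic such as a SYN with no SYN/ACK."""
    return [r for r in rows if not is_established(r)]

def half_open_by_source(rows):
    """Count never-established attempts per source IP; a source that
    only ever shows up here is worth a closer look."""
    return Counter(r["src"] for r in never_established(rows))

if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print("established:", len(established(records)))
    print("never established by source:", dict(half_open_by_source(records)))
```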