RSA Admin

SQL query for outbound traffic

Discussion created by RSA Admin Employee on Sep 14, 2010
Latest reply on Sep 15, 2010 by RSA Admin

Hello,

 

I'm trying to write an SQL query to monitor any outbound connections on defined ports, and exclude connections made to internal IPs.  So far, I have:

 

DeviceAddress in (select paddr from device_list where dtype=77) AND
DestinationPort IN (135, 137, 138, 139, 6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669)
AND
(DestinationAddress NOT LIKE ('10.%') OR
DestinationAddress NOT LIKE ('192.%'))

 

Destination ports are filtering correctly, however destination addresses 10.X and 192.X are still visible.  Suggestions?

Outcomes