Hi, I really need your support.
We have FW attack messages in the following forms; the difference is the number of attack sessions per message.
Example of a message with 1 session:
2019/06/03 12:30:43 FirewallName %%01ATK/4/FIREWALLATCK(1):AttackType=”Trace route attack”, slot=”5”, cpu=”2”, receive interface=”GE8/0/0 ”, proto=”ICMP”, ip=”sIP1:sPort1->dIP1:dPort1” , begin time=2019/06/03 12:30:15 DST, end time=2019/06/03 12:30:43 DST, total packets=”9”, max speed=”0”, Action=”discard”.
Example of a message with 3 sessions:
2019/06/03 12:30:43 FirewallName %%01ATK/4/FIREWALLATCK(1):AttackType=”Trace route attack”, slot=”5”, cpu=”2”, receive interface=”GE8/0/0 ”, proto=”ICMP”, ip=”sIP1:sPort1->dIP1:dPort1; sIP2:sPort2->dIP2:dPort2; sIP3:sPort3->dIP3:dPort3” , begin time=2019/06/03 12:30:15 DST, end time=2019/06/03 12:30:43 DST, total packets=”9”, max speed=”0”, Action=”discard”.
Example of a message with 5 sessions:
2019/06/03 12:30:43 FirewallName %%01ATK/4/FIREWALLATCK(1):AttackType=”Trace route attack”, slot=”5”, cpu=”2”, receive interface=”GE8/0/0 ”, proto=”ICMP”, ip=”sIP1:sPort1->dIP1:dPort1; sIP2:sPort2->dIP2:dPort2; sIP3:sPort3->dIP3:dPort3; sIP4:sPort4->dIP4:dPort4; sIP5:sPort5->dIP5:dPort5” , begin time=2019/06/03 12:30:15 DST, end time=2019/06/03 12:30:43 DST, total packets=”9”, max speed=”0”, Action=”discard”.
Note: I manually replaced the real IPs with "sIP#" and the real FW name with "FirewallName".
As shown in the previous samples, the only difference is the session count within the same message; the session count per message ranges between 1 and 12 sessions for the same input message.
What I need is:
How can I extract the source IPs of all sessions from each message and list them in one attribute "IP_From", and the same for "IP_To", "Port_From" and "Port_To"?
In other words, I guess it needs some splitting mechanism to produce one message per session and then apply the related extractor.
I appreciate your support and am ready to give any other explanation.
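A worked parser for the message format above, added here as an example and not code from the original post or from the firewall vendor: it pulls the ip= field out of a message, splits it on ";" into its 1..12 sessions, and either fills the four list attributes (IP_From, IP_To, Port_From, Port_To) directly or, as the post proposes, emits one copy of the message per session for a per-session extractor. The sample messages are constructed with placeholder addresses, and the session regex assumes IPv4.

```python
import re

# Constructed sample messages in the format quoted in the post (placeholders filled with
# RFC 5737 documentation addresses; not real firewall output). The ip= field of the
# 3-session sample uses the curly quotes seen in the post, to show they are tolerated.
ONE_SESSION = (
    '2019/06/03 12:30:43 FirewallName %%01ATK/4/FIREWALLATCK(1):AttackType="Trace route attack", '
    'slot="5", cpu="2", receive interface="GE8/0/0 ", proto="ICMP", '
    'ip="192.0.2.10:1024->198.51.100.7:33434" , begin time=2019/06/03 12:30:15 DST, '
    'end time=2019/06/03 12:30:43 DST, total packets="9", max speed="0", Action="discard".'
)
THREE_SESSIONS = (
    '2019/06/03 12:30:43 FirewallName %%01ATK/4/FIREWALLATCK(1):AttackType="Trace route attack", '
    'slot="5", cpu="2", receive interface="GE8/0/0 ", proto="ICMP", '
    'ip=\u201c192.0.2.10:1024->198.51.100.7:33434; 192.0.2.11:1025->198.51.100.7:33435; '
    '192.0.2.12:1026->198.51.100.8:33436\u201d , begin time=2019/06/03 12:30:15 DST, '
    'end time=2019/06/03 12:30:43 DST, total packets="9", max speed="0", Action="discard".'
)
QUOTES = '"\u201c\u201d'  # straight quote plus the curly quotes the forum put into the post
IP_FIELD_RE = re.compile(r'\bip=[' + QUOTES + r']([^' + QUOTES + r']*)[' + QUOTES + r']')
SESSION_RE = re.compile(  # one IPv4 session "src:port->dst:port"; IPv6 would need its own rule
    r'^(?P<ip_from>\d{1,3}(?:\.\d{1,3}){3}):(?P<port_from>\d+)'
    r'\s*->\s*(?P<ip_to>\d{1,3}(?:\.\d{1,3}){3}):(?P<port_to>\d+)$'
)

def _ip_field(message):
    m = IP_FIELD_RE.search(message)
    if m is None:  # a message without the ip= field is malformed, so fail loudly
        raise ValueError("no ip= field in message")
    return m

def sessions_of(message):
    """Split the ip= field on ';' into its 1..12 'src:port->dst:port' entries."""
    return [s.strip() for s in _ip_field(message).group(1).split(';') if s.strip()]

def extract_fields(message):
    """Collect every session of one message into the four list-valued attributes."""
    fields = {"IP_From": [], "IP_To": [], "Port_From": [], "Port_To": []}
    for sess in sessions_of(message):
        sm = SESSION_RE.match(sess)
        if sm is None:
            raise ValueError(f"unparseable session: {sess!r}")
        fields["IP_From"].append(sm["ip_from"])
        fields["IP_To"].append(sm["ip_to"])
        fields["Port_From"].append(int(sm["port_from"]))
        fields["Port_To"].append(int(sm["port_to"]))
    return fields

def split_per_session(message):
    """Splitting approach from the post: one copy of the message per session, ip= field reduced to one pair."""
    m = _ip_field(message)
    return [message[:m.start(1)] + s + message[m.end(1):] for s in sessions_of(message)]
```

Each copy produced by split_per_session is otherwise identical to the original line, so an extractor written for the 1-session form works unchanged on it.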