Parsing FW attack messages that have random session counts

Hi, I really need your support.
We have FW attack messages of the following forms; the only difference is the number of attack sessions per message.

Example of a message with 1 session:

2019/06/03 12:30:43 FirewallName %%01ATK/4/FIREWALLATCK(1):AttackType="Trace route attack", slot="5", cpu="2", receive interface="GE8/0/0 ", proto="ICMP", ip="sIP1:sPort1->dIP1:dPort1" , begin time=2019/06/03 12:30:15 DST, end time=2019/06/03 12:30:43 DST, total packets="9", max speed="0", Action="discard".

Example of a message with 3 sessions:

2019/06/03 12:30:43 FirewallName %%01ATK/4/FIREWALLATCK(1):AttackType="Trace route attack", slot="5", cpu="2", receive interface="GE8/0/0 ", proto="ICMP", ip="sIP1:sPort1->dIP1:dPort1; sIP2:sPort2->dIP2:dPort2; sIP3:sPort3->dIP3:dPort3" , begin time=2019/06/03 12:30:15 DST, end time=2019/06/03 12:30:43 DST, total packets="9", max speed="0", Action="discard".

Example of a message with 5 sessions:

2019/06/03 12:30:43 FirewallName %%01ATK/4/FIREWALLATCK(1):AttackType="Trace route attack", slot="5", cpu="2", receive interface="GE8/0/0 ", proto="ICMP", ip="sIP1:sPort1->dIP1:dPort1; sIP2:sPort2->dIP2:dPort2; sIP3:sPort3->dIP3:dPort3; sIP4:sPort4->dIP4:dPort4; sIP5:sPort5->dIP5:dPort5" , begin time=2019/06/03 12:30:15 DST, end time=2019/06/03 12:30:43 DST, total packets="9", max speed="0", Action="discard".

Note: I manually replaced the real IPs with "sIP#" and the real FW name with "FirewallName".

As shown in the previous samples, the only difference is the session count within the same message type; the session count per message ranges between 1 and 12 sessions for the same input message.

What I need is:
how can I extract the source IPs of all sessions from each message and list them in one attribute "IP_From", and the same for "IP_To", "Port_From" and "Port_To"?

In other words, I guess it needs some splitting mechanism to produce one message per session and then apply the related extractor.

I appreciate your support and am ready to give any further explanation.

I would like to point out that it is not nice to post the same question twice:

It does not look like anyone can help you currently.

I personally would first use a key_value function like:

key_value(value: to_string(message), trim_value_chars: "\"", trim_key_chars:"\"", delimiters:", ", kv_delimiters:"=");

After that you need to decide whether all sIPs should be an array in IP_From or whether you want numbered fields for that, and work out some kind of grouped regex that does what you want.

Sorry for this duplication, but the old post was closed automatically without an answer…

Yes, it seems my need is close to the array solution, as I want all sIPs to be listed in the same field "IP_From", but what does "array" mean…? And in this case, can I map the "IP_From" field with geo-map lookup data (coordinates and other geo attributes)…?

Can you explain more, please?

If you want to have all sIPs in IP_From you will have something like IP_From:111.111.111.111,222.222.222.222,333.333.333.333. That is a list, or array, of values in one field.

You can now add geo attributes with the processing pipelines, but you would need to do that for each single IP, which makes it very, very complex. In addition, when you have an array of multiple geo information in one field, how would you act on that? Do you want something like IP_From_country:DE,NONE,US, and the same for longitude and latitude? At least in Graylog you can't work with that in a meaningful way.

You want that information to be available in one field only. Your goal is to have

IP_From_1:111.111.111.111
IP_From_1_country:DE
IP_From_1_geo:

IP_From_2:222.222.222.222
IP_From_2_country:NONE
IP_From_2_geo:

IP_From_3:333.333.333.333
IP_From_3_country:US
IP_From_3_geo:

so that you are able to work with the enriched information.

So the only available way is to have multiple fields for the sIPs that come with the same message ("IP_From_1", "IP_From_2", and so on) ==> ("IP_From_Coordinates_1", "IP_From_Coordinates_2", and so on).

In this manner, can I draw the data within these fields in one geo-map…? It is not meaningful to draw a separate geo-map for each coordinate field.


Another question, please:
can Graylog support a splitting stage before the message is parsed with an appropriate GROK pattern?

Example:

The original message has 3 sessions:

2019/06/03 12:30:43 FirewallName %%01ATK/4/FIREWALLATCK(1):AttackType="Trace route attack", slot="5", cpu="2", receive interface="GE8/0/0 ", proto="ICMP", ip="sIP1:sPort1->dIP1:dPort1; sIP2:sPort2->dIP2:dPort2; sIP3:sPort3->dIP3:dPort3" , begin time=2019/06/03 12:30:15 DST, end time=2019/06/03 12:30:43 DST, total packets="9", max speed="0", Action="discard".

splitting into 3 messages, each with only one session:
1st:

2019/06/03 12:30:43 FirewallName %%01ATK/4/FIREWALLATCK(1):AttackType="Trace route attack", slot="5", cpu="2", receive interface="GE8/0/0 ", proto="ICMP", ip="sIP1:sPort1->dIP1:dPort1" , begin time=2019/06/03 12:30:15 DST, end time=2019/06/03 12:30:43 DST, total packets="9", max speed="0", Action="discard".

2nd:

2019/06/03 12:30:43 FirewallName %%01ATK/4/FIREWALLATCK(1):AttackType="Trace route attack", slot="5", cpu="2", receive interface="GE8/0/0 ", proto="ICMP", ip="sIP2:sPort2->dIP2:dPort2" , begin time=2019/06/03 12:30:15 DST, end time=2019/06/03 12:30:43 DST, total packets="9", max speed="0", Action="discard".

3rd:

2019/06/03 12:30:43 FirewallName %%01ATK/4/FIREWALLATCK(1):AttackType="Trace route attack", slot="5", cpu="2", receive interface="GE8/0/0 ", proto="ICMP", ip="sIP3:sPort3->dIP3:dPort3" , begin time=2019/06/03 12:30:15 DST, end time=2019/06/03 12:30:43 DST, total packets="9", max speed="0", Action="discard".

Then I can solve the mapping with geo data in a very easy way.

With the processing pipeline it might be possible to accomplish that.

But to be honest, that I build that for you is not very likely, as this is what we earn money with: support and heavy customizations…
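The three shapes discussed in this thread (one array field per attribute, numbered IP_From_1/IP_From_2 fields, and the "one message per session" split before enrichment) can be produced from the same parse. The following is an added example, not code from the thread or from Graylog: a stand-alone Python parser for the message format posted above. The sample messages are constructed from the posted format with RFC 5737 documentation addresses in place of the "sIP#" placeholders, the parser assumes the firewall emits the key/value body shown (it also tolerates the curly quotes the forum rendering introduced), and the IPv4-only session tuple regex is an assumption about the real output.

```python
import re

# Constructed samples, modelled on the message format posted in the thread.
# The addresses are RFC 5737 documentation ranges, not real traffic.
SAMPLE_3 = (
    '2019/06/03 12:30:43 FirewallName %%01ATK/4/FIREWALLATCK(1):'
    'AttackType="Trace route attack", slot="5", cpu="2", receive interface="GE8/0/0 ", '
    'proto="ICMP", ip="192.0.2.10:1234->198.51.100.5:80; 192.0.2.11:1235->198.51.100.6:443; '
    '203.0.113.7:1236->198.51.100.7:22" , begin time=2019/06/03 12:30:15 DST, '
    'end time=2019/06/03 12:30:43 DST, total packets="9", max speed="0", Action="discard".'
)
# Single session, written with the curly quotes the forum rendering shows.
SAMPLE_1 = (
    '2019/06/03 12:30:43 FirewallName %%01ATK/4/FIREWALLATCK(1):'
    'AttackType=”Trace route attack”, slot=”5”, proto=”ICMP”, '
    'ip=”192.0.2.10:1234->198.51.100.5:80” , Action=”discard”.'
)

HEADER_RE = re.compile(
    r'^(?P<timestamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+'
    r'(?P<source>\S+)\s+(?P<message_id>[^:\s]+):(?P<body>.*)$'
)
QUOTES = '"\u201c\u201d'  # straight and curly double quotes (assumption: both may appear)
# key=value pairs; keys may contain spaces ("receive interface"), values are either
# quoted or run up to the next comma ("begin time=2019/06/03 12:30:15 DST").
KV_RE = re.compile(
    r'(?P<key>[A-Za-z][A-Za-z ]*?)\s*=\s*'
    rf'(?:[{QUOTES}](?P<quoted>[^{QUOTES}]*)[{QUOTES}]|(?P<bare>[^,]*?))'
    r'\s*(?:,|\.?\s*$)'
)
# One "sIP:sPort->dIP:dPort" tuple. Assumes IPv4: an IPv6 endpoint also contains ':'
# and would need a bracketed form, so it is rejected rather than silently mis-split.
SESSION_RE = re.compile(
    r'^(?P<sip>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s*->\s*'
    r'(?P<dip>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$'
)


def split_sessions(ip_field: str) -> list[dict]:
    """Split the ';'-separated ip field into one dict per session (1..N tuples)."""
    sessions = []
    for chunk in ip_field.split(';'):
        chunk = chunk.strip()
        if not chunk:
            continue
        m = SESSION_RE.match(chunk)
        if m is None:
            raise ValueError(f'unrecognised session tuple: {chunk!r}')
        sessions.append({'sip': m['sip'], 'sport': int(m['sport']),
                         'dip': m['dip'], 'dport': int(m['dport'])})
    return sessions


def parse_message(line: str) -> dict:
    """Header plus key/value body; keys keep their case, spaces become '_'."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        raise ValueError('not a FIREWALLATCK message')
    fields = {k: m[k] for k in ('timestamp', 'source', 'message_id')}
    for kv in KV_RE.finditer(m['body']):
        value = kv['quoted'] if kv['quoted'] is not None else kv['bare']
        fields[kv['key'].strip().replace(' ', '_')] = value.strip()
    fields['sessions'] = split_sessions(fields.get('ip', ''))
    return fields


def as_array_fields(fields: dict) -> dict:
    """Shape 1 from the thread: one multi-valued field per attribute."""
    s = fields['sessions']
    return {'IP_From': [x['sip'] for x in s], 'Port_From': [x['sport'] for x in s],
            'IP_To': [x['dip'] for x in s], 'Port_To': [x['dport'] for x in s]}


def as_numbered_fields(fields: dict) -> dict:
    """Shape 2: IP_From_1, IP_From_2, ... so each value can be enriched on its own."""
    out = {'session_count': len(fields['sessions'])}
    for i, x in enumerate(fields['sessions'], start=1):
        out[f'IP_From_{i}'], out[f'Port_From_{i}'] = x['sip'], x['sport']
        out[f'IP_To_{i}'], out[f'Port_To_{i}'] = x['dip'], x['dport']
    return out


def explode(fields: dict) -> list[dict]:
    """Shape 3: one record per session with the shared fields copied onto each,
    so a single geo lookup on IP_From works unchanged for every record."""
    base = {k: v for k, v in fields.items() if k not in ('sessions', 'ip')}
    total = len(fields['sessions'])
    return [dict(base, IP_From=x['sip'], Port_From=x['sport'], IP_To=x['dip'],
                 Port_To=x['dport'], session_index=i, session_count=total)
            for i, x in enumerate(fields['sessions'], start=1)]


if __name__ == '__main__':
    for rec in explode(parse_message(SAMPLE_3)):
        print(rec['session_index'], rec['IP_From'], '->', rec['IP_To'], rec['Action'])
```

The exploded form is the one that maps cleanly onto a per-IP geo lookup and a single geo-map widget, at the cost of multiplying the stored message count by the session count; the session_index and session_count fields keep the split records correlatable back to the original event. Whichever shape is used, the session regex should stay strict: a tuple that does not match is better raised as a parse error than stored with a half-split value that would silently miss a lookup.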
