Trying to Parse FW attack messages that have random session counts

Hi,
We have FW attack messages in the following forms; the only difference is the number of attack sessions per message.

Example of a message with 1 session:

2019/06/03 12:30:43 FirewallName %%01ATK/4/FIREWALLATCK(1):AttackType="Trace route attack", slot="5", cpu="2", receive interface="GE8/0/0 ", proto="ICMP", ip="sIP1:sPort1->dIP1:dPort1" , begin time=2019/06/03 12:30:15 DST, end time=2019/06/03 12:30:43 DST, total packets="9", max speed="0", Action="discard".

Example of a message with 3 sessions:

2019/06/03 12:30:43 FirewallName %%01ATK/4/FIREWALLATCK(1):AttackType="Trace route attack", slot="5", cpu="2", receive interface="GE8/0/0 ", proto="ICMP", ip="sIP1:sPort1->dIP1:dPort1; sIP2:sPort2->dIP2:dPort2; sIP3:sPort3->dIP3:dPort3" , begin time=2019/06/03 12:30:15 DST, end time=2019/06/03 12:30:43 DST, total packets="9", max speed="0", Action="discard".

Example of a message with 5 sessions:

2019/06/03 12:30:43 FirewallName %%01ATK/4/FIREWALLATCK(1):AttackType="Trace route attack", slot="5", cpu="2", receive interface="GE8/0/0 ", proto="ICMP", ip="sIP1:sPort1->dIP1:dPort1; sIP2:sPort2->dIP2:dPort2; sIP3:sPort3->dIP3:dPort3; sIP4:sPort4->dIP4:dPort4; sIP5:sPort5->dIP5:dPort5" , begin time=2019/06/03 12:30:15 DST, end time=2019/06/03 12:30:43 DST, total packets="9", max speed="0", Action="discard".

Note: I manually replaced the real IPs with "sIP#" and the real FW_Name with "FirewallName".

As shown in the previous samples, the only difference is the session count within the same message; the session count per message ranges between 1 and 12 sessions for the same input message.

What I need is:
How can I extract the source IPs of all sessions from each message and list them in one attribute "IP_From", and do the same for "IP_To", "Port_From" and "Port_To"?

In other words, I guess it needs some splitting mechanism to produce one message per session and then apply the related extractor.

I appreciate your support and am ready to give any other explanation. :slight_smile:
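As an added example (not code from the original post or from any reply in the thread), the following Python parser implements the splitting the poster describes: it parses the message header and the key="value" body, splits the ip field on ";" into sessions, splits each session on "->", and collects the endpoints into the four list attributes IP_From, IP_To, Port_From and Port_To. It also offers the alternative the poster guessed at, one flat record per session. The sample messages are constructed here with RFC 5737/3849 documentation addresses in place of the sIP#/dIP# placeholders; the header layout (%%01MODULE/level/MNEMONIC(flag):) is assumed from the samples, and ports are split off with rpartition so IPv6 endpoints with many colons still parse.

```python
"""Parse FW attack messages whose ip="..." field carries 1..N sessions."""
import re
from typing import Dict, List

# Constructed sample messages in the layout shown in the post; the addresses
# are documentation ranges, not data from the original thread.
SAMPLES = [
    '2019/06/03 12:30:43 FirewallName %%01ATK/4/FIREWALLATCK(1):AttackType="Trace route attack", '
    'slot="5", cpu="2", receive interface="GE8/0/0 ", proto="ICMP", '
    'ip="192.0.2.10:1024->198.51.100.5:33434" , begin time=2019/06/03 12:30:15 DST, '
    'end time=2019/06/03 12:30:43 DST, total packets="9", max speed="0", Action="discard".',
    '2019/06/03 12:30:43 FirewallName %%01ATK/4/FIREWALLATCK(1):AttackType="Trace route attack", '
    'slot="5", cpu="2", receive interface="GE8/0/0 ", proto="ICMP", '
    'ip="192.0.2.10:1024->198.51.100.5:33434; 192.0.2.11:1025->198.51.100.5:33435; '
    '2001:db8::1:40000->2001:db8::2:33436" , begin time=2019/06/03 12:30:15 DST, '
    'end time=2019/06/03 12:30:43 DST, total packets="9", max speed="0", Action="discard".',
]

# Header layout assumed from the samples: "<date> <time> <host> %%01MOD/level/MNEMONIC(flag):<body>"
HEADER_RE = re.compile(
    r'^(?P<timestamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'%%01(?P<module>[^/]+)/(?P<level>\d+)/(?P<mnemonic>[^(]+)\((?P<flag>\d+)\):(?P<body>.*)$'
)
# Body is key=value pairs. Keys may contain spaces ("receive interface"); values are
# either double-quoted (and may then contain ";" and spaces) or run up to the next comma.
KV_RE = re.compile(r'(?P<key>[A-Za-z][A-Za-z ]*?)\s*=\s*(?:"(?P<quoted>[^"]*)"|(?P<bare>[^,]*))')
# One session: "<src endpoint>-><dst endpoint>"
SESSION_RE = re.compile(r'^\s*(?P<src>.+?)\s*->\s*(?P<dst>.+?)\s*$')

SESSION_FIELDS = ("IP_From", "IP_To", "Port_From", "Port_To")


def split_endpoint(endpoint: str):
    """Split 'ip:port' on the LAST colon so IPv6 addresses keep their own colons."""
    ip, sep, port = endpoint.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"malformed endpoint: {endpoint!r}")
    return ip, int(port)


def parse_message(line: str) -> Dict[str, object]:
    """Parse one message; all sessions land in the IP_From/IP_To/Port_From/Port_To lists."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a FIREWALLATCK-style message")
    record: Dict[str, object] = {k: v for k, v in m.groupdict().items() if k != "body"}
    for kv in KV_RE.finditer(m.group("body")):
        value = kv.group("quoted") if kv.group("quoted") is not None else kv.group("bare")
        record[kv.group("key").strip()] = value.strip()  # strips e.g. "GE8/0/0 " -> "GE8/0/0"

    # The ip field holds 1..N sessions separated by ";".
    sessions = [s for s in str(record.get("ip", "")).split(";") if s.strip()]
    lists: Dict[str, List[object]] = {f: [] for f in SESSION_FIELDS}
    for session in sessions:
        sm = SESSION_RE.match(session)
        if not sm:
            raise ValueError(f"malformed session: {session!r}")
        sip, sport = split_endpoint(sm.group("src"))
        dip, dport = split_endpoint(sm.group("dst"))
        lists["IP_From"].append(sip)
        lists["IP_To"].append(dip)
        lists["Port_From"].append(sport)
        lists["Port_To"].append(dport)
    record.update(lists)
    record["session_count"] = len(sessions)
    return record


def explode_sessions(line: str) -> List[Dict[str, object]]:
    """Alternative output shape: one flat record per session, sharing the other fields."""
    parent = parse_message(line)
    shared = {k: v for k, v in parent.items() if k not in SESSION_FIELDS and k != "ip"}
    rows = zip(*(parent[f] for f in SESSION_FIELDS))
    return [
        dict(shared, session_index=i, **dict(zip(SESSION_FIELDS, row)))
        for i, row in enumerate(rows)
    ]


if __name__ == "__main__":
    for sample in SAMPLES:
        rec = parse_message(sample)
        print({f: rec[f] for f in SESSION_FIELDS}, "sessions:", rec["session_count"])
        for row in explode_sessions(sample):
            print("  ", row["session_index"], row["IP_From"], "->", row["IP_To"], row["Port_To"])
```

The list form (parse_message) answers the question as asked, with the four attributes carrying one entry per session in the same order; explode_sessions is the "one message per session" route, which is usually easier to search and aggregate in a log pipeline because each event has scalar IP_From/IP_To fields. A practitioner would also reject, rather than silently drop, a session that does not match the expected shape, which is why both malformed cases raise.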

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.