Tomi Reiman

How to create a "session-aware" IP address / CIDR feed

Discussion created by Tomi Reiman on Jan 31, 2017

Is it possible to create a feed file for log content so that the generated meta data would be based on whether the matched value was found in the source or the destination of the "stream"? I am talking about creating a feed definition file (XML), where the language keys have both the srcname attribute and the destname attribute.

 

I suppose this has been mainly built for packet content, but would it be possible to make it work for log content as well?

 

Attached is my feed definition file. It is not working as it is intended to, as the feed only populates the source variant of the language keys (i.e. vlan.id.src, vlan.name.src, and net.src) - nothing gets populated on the destination side. I assume this is simply because the source side is mentioned first in the file in all of the places.

 

What I am effectively trying to do here is to avoid the need to create separate but identical feeds for e.g. populating subnet information for both source and destination addresses, or having to create multiple application rules to achieve this.

Attachments

Outcomes