Hello,
I would like to obtain a complete list of all connections.
For example:
SRC | DST | PORT
a.a.a.a | z.z.z.z | tcp 22
| x.x.x.x | tcp 8080
b.b.b.b | x.x.x.x | tcp 80
...
For that, I've made two searches, one to list all src IPs and the second for the dst IPs:
source="toto.log"
| rex max_match=100 "\binside:(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b"
| stats values(ip) as ip_list
source="toto.log" inside:X.X.X.X
| rex max_match=100 "\boutside:(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b"
| stats values(ip) as ip_list
But I don't know how to do a sub-search to get a result like I've explained.
My log looks like:
Aug 1 00:00:09 x.x.x.x %FWSM-4-106023: Deny udp src inside:x.x.x.x/50464 dst outside:x.x.x.x/53 by access-group "inside_access_in" [0x0, 0x0]
Can I do what I want? If yes, how? And is it the best way to obtain the result?
Thanks for reading.
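An added example, not part of the post above, showing the single-pattern approach in Python rather than in SPL: one regex captures src, dst, protocol and destination port from each FWSM-4-106023 line, and a counter groups the hits into the SRC | DST | PORT table the question asks for. The log lines are constructed, and the SPL in the comment is an assumed equivalent, not a tested search.

```python
import re
from collections import Counter

# Constructed sample lines in the FWSM-4-106023 format shown in the post
# (documentation address ranges, not real hosts). The last line is a
# different message ID and must be ignored.
SAMPLE_LOG = """\
Aug 1 00:00:09 192.0.2.1 %FWSM-4-106023: Deny udp src inside:10.0.0.5/50464 dst outside:198.51.100.53/53 by access-group "inside_access_in" [0x0, 0x0]
Aug 1 00:00:10 192.0.2.1 %FWSM-4-106023: Deny tcp src inside:10.0.0.5/41022 dst outside:203.0.113.7/22 by access-group "inside_access_in" [0x0, 0x0]
Aug 1 00:00:11 192.0.2.1 %FWSM-4-106023: Deny tcp src inside:10.0.0.5/41023 dst outside:203.0.113.7/22 by access-group "inside_access_in" [0x0, 0x0]
Aug 1 00:00:12 192.0.2.1 %FWSM-4-106023: Deny tcp src inside:10.0.0.9/52000 dst outside:203.0.113.8/8080 by access-group "inside_access_in" [0x0, 0x0]
Aug 1 00:00:13 192.0.2.1 %FWSM-4-106023: Deny tcp src inside:10.0.0.9/52001 dst outside:203.0.113.8/80 by access-group "inside_access_in" [0x0, 0x0]
Aug 1 00:00:14 192.0.2.1 %FWSM-4-106022: some other message
"""

# One regex pulls src, dst, protocol and destination port out of a 106023 line.
# Assumed Splunk equivalent of the same idea (one rex, then stats by the fields):
#   ... | rex "Deny (?<proto>\w+) src \w+:(?<src>[\d.]+)/\d+ dst \w+:(?<dst>[\d.]+)/(?<dport>\d+)"
#       | stats count by src dst proto dport
DENY_RE = re.compile(
    r"%FWSM-4-106023: Deny (?P<proto>\w+) "
    r"src \w+:(?P<src>\d{1,3}(?:\.\d{1,3}){3})/\d+ "
    r"dst \w+:(?P<dst>\d{1,3}(?:\.\d{1,3}){3})/(?P<dport>\d+)"
)

def parse_connections(log_text):
    """Return {(src, dst, 'proto dport'): hits} for every matching line.

    The source port is deliberately dropped: it is ephemeral, so grouping
    on it would give one row per packet instead of one row per connection.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m is None:
            continue  # not a 106023 deny event (or an ICMP line without a port)
        key = (m["src"], m["dst"], f"{m['proto']} {m['dport']}")
        counts[key] += 1
    return counts

def format_table(counts):
    """Render the SRC | DST | PORT table from the post, plus a hit count."""
    rows = ["SRC | DST | PORT | HITS"]
    for (src, dst, port), hits in sorted(counts.items()):
        rows.append(f"{src} | {dst} | {port} | {hits}")
    return "\n".join(rows)

if __name__ == "__main__":
    print(format_table(parse_connections(SAMPLE_LOG)))
```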