Hello, I am trying to form a blacklist for firewall traffic using inputlookup on a CSV, where my data will match an unknown set of fields as so:

Setup lookup ("| eval search" is a leftover from the second part, nice to see what it's doing though):

`| makeresults count=100`

1.2.3.4 talking to 5.6.7.8 regardless of app will trigger, 5.6.7.8 with app=foo will trigger. Any traffic matching these blacklist rules will have results returned.

My problem: I want to return the value of "ruleName" - if I match traffic between 1.2.3.4 and 5.6.7.8, I want there to be a new field named ruleName, the point being to tell me which rule the traffic matched. I do not have a field named ruleName in my original dataset.

I won't know if I need to call lookup on src_ip, dest_ip, app, or any other fields, because not every field in the lookup table will have a value. That means I can't call `| lookup myBlacklist.csv src_ip dest_ip app OUTPUTNEW ruleName`. I don't think I can use lookup here, because sometimes I will match on src_ip and dest_ip, sometimes dest_ip and app, sometimes just src_ip, and any number of other permutations. I don't know exactly what fields will match, and I want to have many different rules.

I want to end up having something along the lines of `| eval usecase="Blacklisted Traffic - $ruleName$"` in my search (I am comfortable with including that variable in the eval statement, no help needed there!)

TL;DR: I want to match rules from a lookup and output which rule was matched, using different sets of fields/values.
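One way a practitioner would usually handle "match on whichever fields the rule fills in", added here as an example and not part of the original post: define the lookup with wildcard matching so that a blank cell (written as `*`) matches any value, and a single lookup call then covers every permutation. The CSV rows, rule names and the `myBlacklist` stanza name are constructed samples; `myBlacklist.csv`, `src_ip`, `dest_ip`, `app` and `ruleName` are taken from the post.

```ini
# myBlacklist.csv (constructed sample rows). Every cell the rule does not
# care about is written as "*" so that it matches anything. Rows are tried
# in file order, so put the most specific rules first.
#
#   src_ip,dest_ip,app,ruleName
#   1.2.3.4,5.6.7.8,*,Blocked pair 1.2.3.4 to 5.6.7.8
#   *,5.6.7.8,foo,App foo to 5.6.7.8
#   9.9.9.9,*,*,Blocked source 9.9.9.9

# transforms.conf: the lookup definition. match_type makes each listed field
# a wildcard match instead of an exact match; max_matches=1 returns only the
# first matching row, so ruleName is a single value per event.
[myBlacklist]
filename = myBlacklist.csv
match_type = WILDCARD(src_ip), WILDCARD(dest_ip), WILDCARD(app)
max_matches = 1

# Search: the lookup is now called once with all three fields. Events that
# lack an app field are given a placeholder first, because an event with a
# missing input field is not passed through the lookup at all; "*" still
# matches the placeholder. Events that match no rule get no ruleName and are
# dropped by the where clause.
#
#   ... your firewall search ...
#   | fillnull value="unknown" src_ip dest_ip app
#   | lookup myBlacklist src_ip dest_ip app OUTPUTNEW ruleName
#   | where isnotnull(ruleName)
#   | eval usecase="Blacklisted Traffic - ".ruleName
```

Note that `| lookup` must reference the lookup definition (`myBlacklist`), not the raw file name, for the `match_type` setting to take effect.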