Arkoon

Description

Constructor: Arkoon

Product: Firewall

Log type(s): FW, IDS

Theoretical injector performance

14318 EPS

Log sample

IP-Logs: AKLOG - id=firewall time="2017-04-24 13:50:01" gmtime=1493034601 fw=AA-BB-C-1.corp pri=6 aktype=IP ip_log_type=ENDCONN src=1.1.12.29 dst=1.1.68.110 proto="domain" protocol=17 port_src=57551 port_dest=53 intf_in= intf_out= nat=NO snat_addr=0 snat_port=0 dnat_addr=0 dnat_port=0 sent=143 rcvd=40 end_reason="End of connection"

IP-Logs: AKLOG - id=firewall time="2015-11-17 10:43:29" gmtime=1447753409 fw=firewall01p.group pri=6 aktype=IP ip_log_type=ENDCONN src=10.0.0.1 dst=100.1.0.1 proto="https" protocol=6 port_src=42 port_dest=43 intf_in= intf_out= nat=HIDE snat_addr=192.0.0.1 snat_port=31 dnat_addr=0 dnat_port=0 sent=534 rcvd=4299 end_reason="Closed by Client"

Alerts: AKLOG - id=firewall time="2015-11-17 10:46:02" gmtime=1447753562 pri=2 fw=firewall02.group aktype=ALERT alert_type="Blocked by filter" user="" alert_level="Medium" alert_desc="PROTO:112 from 10.0.0.1 to 100.0.0.1 [Default deny on input]"

Alerts: AKLOG - id=firewall time="2015-11-17 10:45:58" gmtime=1447753558 pri=2 fw=firewall01p.group aktype=ALERT alert_type="Unsequenced packet" user="" alert_level="Medium" alert_desc="Unsequenced TCP packet from 10.0.0.1:20 to 100.0.0.1:42"

Parsing strategy

  1. Check and remove the log type prefix (e.g. 'IP-Logs: ' or 'Alerts: ')
  2. Check and remove the header 'AKLOG - '
  3. Apply the key-value operator to the remaining log payload
  4. Remove useless KV fields (such as empty ones, e.g. intf_in= or user="", or those containing the value )
  5. Bind the remaining keys to normalized fields
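The five steps above, carried out on the page's own samples, as an added example that is not the parser of the original page or of any Arkoon product. The normalized field names in BINDING are an assumed ECS-like mapping, not the page's; quoted values are kept whole even when they contain spaces, and only empty fields are dropped in step 4 since the page does not state the other placeholder value.

```python
import re
from typing import Dict

# Constructed inputs: one IP-Logs line and one Alerts line copied from the page's samples.
SAMPLE_IP = ('IP-Logs: AKLOG - id=firewall time="2015-11-17 10:43:29" gmtime=1447753409 '
             'fw=firewall01p.group pri=6 aktype=IP ip_log_type=ENDCONN src=10.0.0.1 '
             'dst=100.1.0.1 proto="https" protocol=6 port_src=42 port_dest=43 intf_in= '
             'intf_out= nat=HIDE snat_addr=192.0.0.1 snat_port=31 dnat_addr=0 dnat_port=0 '
             'sent=534 rcvd=4299 end_reason="Closed by Client"')
SAMPLE_ALERT = ('Alerts: AKLOG - id=firewall time="2015-11-17 10:45:58" gmtime=1447753558 '
                'pri=2 fw=firewall01p.group aktype=ALERT alert_type="Unsequenced packet" '
                'user="" alert_level="Medium" '
                'alert_desc="Unsequenced TCP packet from 10.0.0.1:20 to 100.0.0.1:42"')

LOG_TYPES = ("IP-Logs", "Alerts")
HEADER = "AKLOG - "
# key=value where the value is a double-quoted string (spaces allowed) or a run of
# non-space characters, possibly empty (intf_in=).
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S*))')

# Assumed normalized names (ECS-like); unmapped keys keep their vendor name.
BINDING = {
    "src": "source.ip", "dst": "destination.ip", "port_src": "source.port",
    "port_dest": "destination.port", "protocol": "network.iana_number",
    "proto": "network.protocol", "fw": "observer.hostname", "sent": "source.bytes",
    "rcvd": "destination.bytes", "end_reason": "event.reason", "alert_type": "rule.name",
    "alert_level": "event.severity_name", "alert_desc": "message", "gmtime": "event.start_epoch",
}

def parse_arkoon(line: str) -> Dict[str, str]:
    # Step 1: check and strip the log type prefix; reject anything else.
    log_type = next((lt for lt in LOG_TYPES if line.startswith(lt + ": ")), None)
    if log_type is None:
        raise ValueError("unknown Arkoon log type")
    payload = line[len(log_type) + 2:]
    # Step 2: check and strip the AKLOG header.
    if not payload.startswith(HEADER):
        raise ValueError("missing 'AKLOG - ' header")
    payload = payload[len(HEADER):]
    # Step 3: key-value extraction (quoted group wins over the bare group).
    kv = {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
          for m in KV_RE.finditer(payload)}
    # Step 4: drop empty fields such as intf_in= and user="".
    kv = {k: v for k, v in kv.items() if v != ""}
    # Step 5: bind to normalized field names.
    out = {"arkoon.log_type": log_type}
    for k, v in kv.items():
        out[BINDING.get(k, k)] = v
    return out
```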