Dec-05-2019, 09:16 AM
Hi coders,
I have a file that stores alerts, and it only stores alerts generated today; alerts from before today have been archived to other files with a datestamp.
In this file, one line is one alert. First I need to find alert type A; commands like grep will give me a lot of rows that belong to type A.
Then I need to check if it has a string named "srcip". If not, I just move on to look at a new row; if this row has a string named "srcip", then I need to search for the strings "srcport" and "dstip", and store these three variables.
Now I need to search alerts of type B. Type B also has a lot of rows, but there is a field called "timestamp"; type A's "timestamp" should be a few seconds apart from type B's, and if they are too far apart, it's not the same and shouldn't be correlated.
If A's srcip, srcport and dstip are the same as type B's, then it's a bingo, and I need to extract "dstport" from the type B alert.
The main question I don't know how to solve is how to know which rows have already been processed, and only search the new rows.
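One way to do both parts of this in Python, as an added example rather than the poster's own code: the alert format (`key=value` pairs, ISO timestamps), the file names and the 5-second window are assumptions; the sample lines are constructed. `read_new_lines` answers the "which rows are already processed" question by remembering the byte offset of the last complete line between runs, and `correlate` does the A-to-B matching on srcip/srcport/dstip within the time window.

```python
import os
import re
from datetime import datetime, timedelta

# Constructed sample alerts (one per line); field names follow the post, the format is assumed.
SAMPLE_LOG = """\
type=A timestamp=2019-12-05T09:00:01 srcip=10.0.0.5 srcport=51000 dstip=192.0.2.10
type=A timestamp=2019-12-05T09:00:02 msg=no-address-fields
type=B timestamp=2019-12-05T09:00:03 srcip=10.0.0.5 srcport=51000 dstip=192.0.2.10 dstport=443
type=B timestamp=2019-12-05T09:10:00 srcip=10.0.0.5 srcport=51000 dstip=192.0.2.10 dstport=22
"""
FIELD_RE = re.compile(r"(\w+)=(\S+)")
WINDOW = timedelta(seconds=5)  # "a few seconds apart"; assumed value, tune for your sensor

def parse(line):
    """Turn one 'key=value key=value' alert line into a dict."""
    return dict(FIELD_RE.findall(line))

def correlate(lines, window=WINDOW):
    """Pair each type-A alert that carries srcip/srcport/dstip with type-B alerts on
    the same flow whose timestamp lies within `window`; return the matched dstports."""
    alerts = [parse(l) for l in lines]
    a_list = [f for f in alerts if f.get("type") == "A" and "srcip" in f]  # skip A rows without srcip
    b_list = [f for f in alerts if f.get("type") == "B"]
    hits = []
    for a in a_list:
        t_a = datetime.fromisoformat(a["timestamp"])
        for b in b_list:
            same_flow = all(a.get(k) == b.get(k) for k in ("srcip", "srcport", "dstip"))
            in_window = abs(datetime.fromisoformat(b["timestamp"]) - t_a) <= window
            if same_flow and in_window:
                hits.append((a["srcip"], a["srcport"], a["dstip"], b["dstport"]))
    return hits

def read_new_lines(log_path, state_path):
    """Return only the lines appended since the last run. The byte offset of the last
    complete line is kept in `state_path`; a shrunken file (midnight archive) resets to 0."""
    offset = 0
    if os.path.exists(state_path):
        with open(state_path) as s:
            offset = int(s.read().strip() or 0)
    if offset > os.path.getsize(log_path):
        offset = 0  # file was rotated/archived and restarted: re-read from the top
    with open(log_path, "rb") as f:
        f.seek(offset)
        data = f.read()
    # Commit only complete lines; a half-written last line is re-read on the next run.
    complete = data[: data.rfind(b"\n") + 1]
    with open(state_path, "w") as s:
        s.write(str(offset + len(complete)))
    return complete.decode().splitlines()
```

Because a type-B alert may land in a later batch than its type-A partner, keep the recent unmatched A alerts in the state file too rather than correlating only within one batch of new lines.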