Grok pattern for snort alerts

HI everyone,

Need help constructing grok pattern for the snort alert log file. I have the so far, but the output is incomplete -



why are the fields from priority onwards not extracted?
Help would be appreciated.
Thanks in advance

Please do not post pictures of text, they cannot be searched, and we cannot copy and paste them to try to reproduce and diagnose the issue.

My apologies. These are my sample log messages-

05/25-12:03:17.905976  [**] [1:100001:1] ICMP Ping Detected [**] [Priority: 0] {IPV6-ICMP} fe80::20c:29ff:feba:be38 -> ff02::1
05/25-12:03:17.914533  [**] [1:100001:1] ICMP Ping Detected [**] [Classification: a i l] [Priority: 0] {IPV6-ICMP} fe80::20c:29ff:feca:579 -> ff02::16

ANd this is the pattern that works for the @nd entre but not the first one.

%{MONTHNUM:month}\/%{MONTHDAY:day}-%{HOUR:hour}:%{MINUTE:minute}:%{SECOND:second}\s+\[\*\*\] \[%{INT:ids_gid}:%{INT:ids_sid}:%{INT:ids_rev}\]\s+%{DATA:ids_proto}\s+\[\*\*\] \[.*?: %{DATA:Classification}\] \[.*?: %{INT:Priority}\] \{%{DATA:data}} %{IP:dst_ip} .*?> %{IP:dest_port}

It is due to the presence of the field "classification". how do I get it to work for both?

You can make a field (and related whitespace) option by surrounding them with ()?, which means zero-or-more-of.

grok { match => { "message" => "%{MONTHNUM:month}\/%{MONTHDAY:day}-%{HOUR:hour}:%{MINUTE:minute}:%{SECOND:second}\s+\[\*\*\] \[%{INT:ids_gid}:%{INT:ids_sid}:%{INT:ids_rev}\]\s+%{DATA:ids_proto}\s+\[\*\*\] (\[.*?: %{DATA:Classification}\] )?\[.*?: %{INT:Priority}\] \{%{DATA:data}} %{IP:dst_ip} .*?> %{IP:dest_port}" } }

If there are more variants then you might want to take an alternate approach. Perhaps something like this.

This works. Thank you so much!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.