Hi,
I have my Suricata in pfSense sending the alerts using Barnyard in COMPLETE mode to my Graylog server.
Example message:
```
| [SNORTIDS[ALERT]: [pfsense.local] ] || 2022-10-06 19:13:55.186+001 2 [1:2403344:77870] ET CINS Active Threat Intelligence Poor Reputation IP group 45 || misc-attack || 6 45.95.147.51 192.168.54.100 || 59856 443 ||
|
```
I tried with this expression:
```
\| \[%{DATA:ids}[%{DATA:UNWANTED}\]: \[%{HOSTNAME:ids_host}\] \] \|| %{DATE:date} %{TIME:time}.%{NUMBER:UNWANTED}+%{NUMBER:UNWANTED} %{NUMBER:priority} \[%{NUMBER:UNWANTED}:%{NUMBER:UNWANTED}:%{NUMBER:UNWANTED}\] %{DATA:description} \|| %{DATA:classification} \|| %{NUMBER:protocol} %{IP:src_ip} %{IP:dst_ip} \|| %{NUMBER:src_port} %{NUMBER:dst_port} \||
\|
```
But I only get this as a result:
```
ids: SNORTIDS
ids_host: pfsense.local
```
Those double pipes seem to be the problem. Does anyone have any idea how to handle those double pipes (||)?
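As an added example (not from the post above or from Graylog), the same message parsed with Python's `re` module: grok patterns are regular expressions, so `\||` escapes only the first pipe and the bare second pipe becomes an alternation, which is why only the fields before it get captured; `\|\|` escapes both. The field names `gid`, `sid` and `rev` for the three numbers in the rule id, and the `build_pattern`/`parse_alert` helpers, are my own choices, not anything the post or Barnyard defines.

```python
import re

# Constructed copy of the message quoted in the post (added example, not Graylog code).
SAMPLE = (
    "| [SNORTIDS[ALERT]: [pfsense.local] ] || 2022-10-06 19:13:55.186+001 2 "
    "[1:2403344:77870] ET CINS Active Threat Intelligence Poor Reputation "
    "IP group 45 || misc-attack || 6 45.95.147.51 192.168.54.100 || 59856 443 ||"
)

# The field separator is passed in so both escapings can be compared:
# r"\|\|" matches two literal pipes; r"\||" matches one literal pipe OR
# the empty string, which splits the whole pattern into alternatives.
def build_pattern(separator: str) -> re.Pattern:
    return re.compile(
        r"\| \[(?P<ids>\w+)\[\w+\]: \[(?P<ids_host>[\w.-]+)\] \] " + separator +
        r" (?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\.\d+\+\d+ "
        r"(?P<priority>\d+) \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
        r"(?P<description>.+?) " + separator +
        r" (?P<classification>[^|]+?) " + separator +
        r" (?P<protocol>\d+) (?P<src_ip>[\d.]+) (?P<dst_ip>[\d.]+) " + separator +
        r" (?P<src_port>\d+) (?P<dst_port>\d+) " + separator
    )

BROKEN = build_pattern(r"\||")   # same escaping as the grok expression in the post
FIXED = build_pattern(r"\|\|")   # both pipes escaped

def parse_alert(line: str, pattern: re.Pattern = FIXED) -> dict:
    """Return the named groups that actually matched; {} if the line does not match."""
    m = pattern.match(line)
    if not m:
        return {}
    return {name: value for name, value in m.groupdict().items() if value is not None}

if __name__ == "__main__":
    # With BROKEN only the first alternative matches, so just ids and ids_host appear.
    print("broken:", parse_alert(SAMPLE, BROKEN))
    print("fixed: ", parse_alert(SAMPLE, FIXED))
```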