Grok pattern for suricata/barnyard alert in COMPLETE mode

Hi,

I have my suricata in pfsense sending the alerts using barnyard in COMPLETE mode to my greylog server.

Example message:

| [SNORTIDS[ALERT]: [pfsense.local] ] || 2022-10-06 19:13:55.186+001 2 [1:2403344:77870] ET CINS Active Threat Intelligence Poor Reputation IP group 45 || misc-attack || 6 45.95.147.51 192.168.54.100 || 59856 443 ||
|

I tried with this expression:

\| \[%{DATA:ids}[%{DATA:UNWANTED}\]: \[%{HOSTNAME:ids_host}\] \] \|| %{DATE:date} %{TIME:time}.%{NUMBER:UNWANTED}+%{NUMBER:UNWANTED} %{NUMBER:priority} \[%{NUMBER:UNWANTED}:%{NUMBER:UNWANTED}:%{NUMBER:UNWANTED}\] %{DATA:description} \|| %{DATA:classification} \|| %{NUMBER:protocol} %{IP:src_ip} %{IP:dst_ip} \|| %{NUMBER:src_port} %{NUMBER:dst_port} \||
\|

But i only get this as result:

ids
SNORTIDS
ids_host
pfsense.local

Those double pipes seem to be the problem, as anyone has any idea how to work those double pipes (||)?

Double pipes are backslashpipebackslashpipe.
This is working in debugger:

\|%{SPACE}\[%{DATA:ids}\[%{DATA:type}\]:%{SPACE}\[%{HOSTNAME:ids_host}\]%{SPACE}\]%{SPACE}\|\|%{SPACE}%{TIMESTAMP_ISO8601:date}%{SPACE}%{NUMBER:priority}%{SPACE}\[%{NUMBER}:%{NUMBER}:%{NUMBER}\]%{SPACE}%{DATA:description}%{SPACE}\|\|%{SPACE}%{DATA:classification} \|\|%{SPACE}%{NUMBER:protocol}%{SPACE}%{IP:src_ip}%{SPACE}%{IP:dst_ip}%{SPACE}\|\|%{SPACE}%{NUMBER:src_port}%{SPACE}%{NUMBER:dst_port}%{SPACE}\||
\|
1 Like

Thank you, works perfectly

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.