Log between {}

Hello, I am having my log between brackets and I am not able to parse that part. Can anyone help me?

Regards

My log is [Priority: 2] {TCP} 192.168.16.247:51650 -> 52.184.227.73:443

I was able to parse the priority, but I am not able to parse the TCP part that is between {}.

What does your configuration look like?

My entire log is:
Mar 23 11:46:27 CLL21DCIDS01-IDS snort[26109]: [137:1:2] (spp_ssl) Invalid CHELLO after Server HELLO Detected [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.17.11:52259 -> 104.40.28.30:443

and my config is:

    filter {
      grok {
        match => {"message"=>"%{SYSLOGTIMESTAMP:logDate} %{NOTSPACE:hostname} %{NOTSPACE:loglevel} [%{NOTSPACE:mynumber}] (%{NOTSPACE:otraVariable}) %{DATA:message}Priority: %{INT:priority}] %{IP:sourceIp} : "}
        overwrite => [ "message" ]
      }
      mutate {
        copy => { "loglevel" => "loglevel_tmp" }
      }
      mutate {
        split => ["loglevel_tmp", "["]
        add_field => { "hostType" => "%{loglevel_tmp[0]}" }
        add_field => { "ruleId" => "%{loglevel_tmp[1]}" }
      }
      mutate {
        remove_field => [ "loglevel_tmp","loglevel" ]
      }
    }

Always post your configuration as preformatted text so it doesn't get mangled.

Keep in mind that braces and brackets have special meaning in regular expressions (and therefore grok expressions) so you need to escape them if you want their literal meaning.

Yeah, I figured it out :slight_smile: it was my bad. Thanks for helping.

One more question: I am using GeoIP, but of the source and destination IPs only one is public. Is there any way to check if the IP is public?

Is there any way to check if the IP is public?

Use a cidr filter.
