Failing to split regex groups in a pipeline


#1

Hi, I’m having a problem using regex within a pipeline. I’ve got a Snort IDS sending syslog messages containing a message field with contents such as:

SNORTHOST snort: [129:12:1] Consecutive TCP small segments exceeding threshold [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 1.2.3.4:445 -> 5.6.7.8:64677

I then have a Stream for the Snort traffic linked to a Pipeline with the following Rule:

rule "Extract Snort alert fields"
when
  has_field("message")
then
  // Capture groups: classification, priority, protocol, source IP, optional source port,
  // destination IP, optional destination port. regex() returns the groups as a map keyed "0", "1", ...
  let m = regex("\\[Classification: (.+?)\\] \\[Priority: (\\d+)\\] \\{(.+?)\\} (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})(:(\\d{1,5}))? -> (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})(:(\\d{1,5}))?\\R?", to_string($message.message));
  // Store the whole match map in a single field for inspection
  set_field("test", m);
end

The regex seems to work ok and I can see entries in the stream with a new field “test” with a value of:

{"0":"Potentially Bad Traffic","1":"2","2":"TCP","3":"1.2.3.4","4":":445","5":"445","6":"5.6.7.8","7":":64677","8":"64677"}

However, when I try to split the regex groups into separate fields, i.e. using:

set_field("classification", m["0"])

I no longer get any logs going into the stream. Apologies if I've missed something obvious, but how should I be breaking up the result of the regex?
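As an added illustration (not part of the original post or of Graylog itself), this Python function applies the same pattern to the alert format above and maps each capture group to a named field, the way the per-field `set_field` calls would in the pipeline. It also makes the non-matching case explicit, since a message the pattern does not match yields no groups at all; the named groups and the `parse_snort_alert` name are assumptions of this example.

```python
import re

# Same pattern as the pipeline rule, with named groups instead of numbered ones
# (named groups are an assumption of this example, not pipeline-rule syntax).
SNORT_ALERT = re.compile(
    r"\[Classification: (?P<classification>.+?)\] "
    r"\[Priority: (?P<priority>\d+)\] "
    r"\{(?P<proto>.+?)\} "
    r"(?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?::(?P<src_port>\d{1,5}))?"
    r" -> "
    r"(?P<dst_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?::(?P<dst_port>\d{1,5}))?"
)


def parse_snort_alert(message):
    """Return the alert fields as a dict, or None when the pattern does not match.

    Returning None instead of a dict of empty values keeps the non-matching
    case visible, so such messages can be routed or counted separately rather
    than silently producing records with missing fields.
    """
    m = SNORT_ALERT.search(message)
    if m is None:
        return None
    fields = m.groupdict()
    # Ports are optional in the pattern (e.g. ICMP alerts carry none):
    # convert the ones present to integers and leave the rest as None.
    for key in ("src_port", "dst_port"):
        fields[key] = int(fields[key]) if fields[key] is not None else None
    fields["priority"] = int(fields["priority"])
    return fields


# Constructed sample with the same shape as the message in the post.
SAMPLE = ("SNORTHOST snort: [129:12:1] Consecutive TCP small segments exceeding "
          "threshold [Classification: Potentially Bad Traffic] [Priority: 2] "
          "{TCP} 1.2.3.4:445 -> 5.6.7.8:64677")

if __name__ == "__main__":
    print(parse_snort_alert(SAMPLE))
    print(parse_snort_alert("SNORTHOST snort: not an alert line"))
```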


(system) #2

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.