Failing to split regex groups in a pipeline


Hi, I’m having a problem using regex within a pipeline. I’ve got a Snort IDS sending syslog messages containing a message field with contents such as:

SNORTHOST snort: [129:12:1] Consecutive TCP small segments exceeding threshold [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} ->

I then have a Stream for the Snort traffic linked to a Pipeline with the following Rule:

rule "Extract Snort alert fields"
when true
then
  let m = regex("\[Classification: (.+?)\] \[Priority: (\d+)\] \{(.+?)\} (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:(\d{1,5}))? -> (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:(\d{1,5}))?\R?", to_string($message.message));
  set_field("test", m);
end

The regex seems to work ok and I can see entries in the stream with a new field “test” with a value of:

{"0":"Potentially Bad Traffic","1":"2","2":"TCP","3":"","4":":445","5":"445","6":"","7":":64677","8":"64677"}

However, when I try to split the regex groups into separate fields, i.e. using:


I no longer get any logs going into the stream. Apologies if I've missed something obvious, but how should I be breaking up the result of the regex?
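One way to break the map that regex() returns into separate fields, written here as an added example rather than the poster's rule or anything shipped with Graylog; it assumes Graylog's indexed map access (m["0"]) and the to_long() and contains() pipeline functions, and the snort_* field names are chosen for this example only:

```graylog
rule "Extract Snort alert fields"
when
  has_field("message") && contains(to_string($message.message), "[Classification:")
then
  // Same pattern as the original rule. regex() returns a map keyed by the
  // capture-group number as a string: "0" is the first group, not the whole match.
  let m = regex("\[Classification: (.+?)\] \[Priority: (\d+)\] \{(.+?)\} (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:(\d{1,5}))? -> (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:(\d{1,5}))?\R?", to_string($message.message));

  // Store each group in its own field instead of the whole map in one field.
  set_field("snort_classification", m["0"]);
  set_field("snort_priority", to_long(m["1"]));   // numeric, so searches can compare it
  set_field("snort_protocol", m["2"]);
  set_field("snort_src_ip", m["3"]);
  // Groups 4 and 7 are the optional "(:port)" wrappers including the colon;
  // the bare port digits are in the inner groups 5 and 8.
  set_field("snort_src_port", m["5"]);
  set_field("snort_dst_ip", m["6"]);
  set_field("snort_dst_port", m["8"]);
end
```

When a port is absent the optional inner groups carry no value, so the corresponding snort_*_port field may be empty; anything that alerts on those fields should treat an empty port as unknown rather than as port 0.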
