Graylog Pfsense Snort Regex

Hi all,

I am following some of the tutorials on the web to create a Graylog Snort pipeline, with the input being syslog messages forwarded from pfSense. It seems simple, but the message format seems to have changed in the last few updates of the Snort package in pfSense. Syslog is sending the Snort messages and I am getting them into the input, but my rules are failing. I am looking for an alternative method to filter, as explained below:

I have tried many different regex methods found on the web in the tutorials that are available. However, none of them work. For example:

Example message field (sensitive info replaced with "x"):

snort[10731]: [3:21355:5] PROTOCOL-DNS potential dns cache poisoning attempt - mismatched txid [Classification: Attempted Information Leak] [Priority: 2] {UDP} x.x.x.x:53 -> x.x.x.x:31218

rule "Extract Snort alert fields"
when
  has_field("message")
then
  let m = regex("\\[(\\d+):(\\d+):(\\d+)\\] (.+?) \\[Classification: (.+?)\\] \\[Priority: (\\d+)]: \\<(.+?)\\> \\{(.+?)\\} (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})(:(\\d{1,5}))? -> (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})(:(\\d{1,5}))?\\R?", to_string($message.message));

  set_field("snort_alert", true);

  set_field("generator_id", m["0"]);
  set_field("signature_id", m["1"]);
  set_field("signature_revision_id", m["2"]);
  set_field("description", m["3"]);
  set_field("classification", m["4"]);
  set_field("priority", to_long(m["5"]));
  set_field("protocol", m["7"]);
  set_field("src_addr", m["8"]);
  set_field("src_port", to_long(m["10"]));
  set_field("dst_addr", m["11"]);
  set_field("dst_port", to_long(m["13"]));
end

After some research I came across the Splunk format which, to be honest, I find much easier and is code I can "control"; also, the individual regex items work when tested.

Example:

[force_sourcetype_for_snort]
DEST_KEY = MetaData:Sourcetype
REGEX = \w+\s+\d+\s+\d+\:\d+\:\d+\s+[^\s]+\s+snort\[\d+\]\:
FORMAT = sourcetype::snort

[category_for_snort]
REGEX = Classification\:\s+([^\]]+)
FORMAT = category::"$1"

[dest_ip_for_snort]
REGEX = \-\>\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
FORMAT = dest_ip::$1

[dest_port_for_snort]
REGEX = \-\>\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:(\d+)
FORMAT = dest_port::$1

[pid_for_snort]
REGEX = snort\[(\d+)
FORMAT = pid::$1

[severity_id_for_snort]
REGEX = Priority\:\s+(\d+)
FORMAT = severity_id::$1

[signature_for_snort]
REGEX = snort\[\d+\]\:\s+\[[^\]]+\]\s+(.*?)(\s+\[Classification|\[Priority)
FORMAT = signature::"$1"

[signature_id_for_snort]
REGEX = snort\[\d+\]\:\s+\[([^\]]+)
FORMAT = signature_id::"$1"

[src_ip_for_snort]
REGEX = \{\w+\}\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
FORMAT = src_ip::$1

[src_port_for_snort]
REGEX = \{\w+\}\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:(\d+)
FORMAT = src_port::$1

[transport_for_snort]
REGEX = \{([^\}]+)
FORMAT = transport::$1

Trying out the individual regexes works perfectly for the sections of the Snort message coming from pfSense syslog.

The question is: can one rather use the Splunk-type syntax, where you actually look for specific items one by one instead of matching an entire string? That allows one to debug one field at a time rather than trying to debug an entire paragraph of regex.

Hope I am making sense?
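As an added illustration (not part of the post above), the script below runs both approaches against a constructed copy of the quoted message: the single whole-line pattern from the pipeline rule, and the per-field patterns from the Splunk stanzas, each applied independently so one field can be debugged at a time. The addresses are placeholders from the 192.0.2.0/24 documentation range; the same per-field patterns can be used as separate regex() calls in a Graylog rule.

```python
"""Per-field vs. whole-line regex extraction for a pfSense/Snort syslog line."""
import re

# Constructed sample with the same shape as the message quoted in the post.
SAMPLE = ("snort[10731]: [3:21355:5] PROTOCOL-DNS potential dns cache poisoning "
          "attempt - mismatched txid [Classification: Attempted Information Leak] "
          "[Priority: 2] {UDP} 192.0.2.10:53 -> 192.0.2.20:31218")

# The all-or-nothing pattern from the pipeline rule. Java's \R is written as an
# explicit optional line break, and \< \> as plain < >, so Python's re accepts it.
MONOLITHIC = re.compile(
    r"\[(\d+):(\d+):(\d+)\] (.+?) \[Classification: (.+?)\] \[Priority: (\d+)]: "
    r"<(.+?)> \{(.+?)\} (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:(\d{1,5}))? -> "
    r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:(\d{1,5}))?(?:\r\n|\n|\r)?")

# One pattern per field, copied from the Splunk-style stanzas. Each stands on
# its own, so a format change breaks one field instead of the whole rule.
PER_FIELD = {
    "pid":          r"snort\[(\d+)",
    "signature_id": r"snort\[\d+\]\:\s+\[([^\]]+)",
    "signature":    r"snort\[\d+\]\:\s+\[[^\]]+\]\s+(.*?)(\s+\[Classification|\[Priority)",
    "category":     r"Classification\:\s+([^\]]+)",
    "severity_id":  r"Priority\:\s+(\d+)",
    "transport":    r"\{([^\}]+)",
    "src_ip":       r"\{\w+\}\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})",
    "src_port":     r"\{\w+\}\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:(\d+)",
    "dest_ip":      r"\-\>\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})",
    "dest_port":    r"\-\>\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:(\d+)",
}


def extract_per_field(message: str) -> dict:
    """Return every field whose own pattern matched; unmatched fields are absent."""
    fields = {}
    for name, pattern in PER_FIELD.items():
        m = re.search(pattern, message)
        if m:
            fields[name] = m.group(1)
    return fields


def monolithic_matches(message: str) -> bool:
    """True only if the whole-line pattern matches; it expects a ']: <iface>' part."""
    return MONOLITHIC.search(message) is not None


if __name__ == "__main__":
    print("whole-line pattern matched:", monolithic_matches(SAMPLE))
    for name, value in extract_per_field(SAMPLE).items():
        print(f"{name:13s} {value}")
```

Running it shows the whole-line pattern failing on this message (there is no `]: <...>` segment after the priority) while every per-field pattern still extracts its value.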
