shakai1
(Shakai1)
January 4, 2023, 10:52am
1
Hi, for my snort logs
Example:
Server2 snort[23184]: [1:2402000:6509] [alert] ET DROP Dshield Block Listed Source group 1 [Classification: Misc Attack] [Priority: 2] {TCP} 62.22.144.11:21169 -> 172.22.22.22:443
I had the following GROK extractor configured:
%{DATA:Source}\[%{DATA:SnortID}\]: \[%{DATA:SnortSID}] %{DATA:description} \[Classification: %{DATA:SnortClassification}\] \[Priority: %{DATA:SnortPriority}] %{DATA:Protocol} %{DATA:SourceIP} -> %{DATA:DestIP}:%{GREEDYDATA:DestPort}
After upgrading from Graylog 4 to Graylog 5, it doesn’t work any more.
Any help, please?
tmacgbay
(Tmacgbay)
January 4, 2023, 3:22pm
2
It doesn’t look like it’s the GROK, because that works when I plug it all into an online GROK debugger… There are other settings on the extractor like conditions, extractor strategy, named captures only… could you post those settings? Also, can you give some more detail on “it doesn’t work any more”? That could mean many things. It’s all a black box until you describe it!
NOTE: Moved this to Graylog Central where questions are asked. Templates are for working solutions…
H077E
January 4, 2023, 6:01pm
3
Can you please show the extractor?
As @tmacgbay wrote, the GROK looks good.
shakai1
(Shakai1)
January 5, 2023, 2:46pm
4
{
  "extractors": [
    {
      "title": "Gork Cerberus",
      "extractor_type": "grok",
      "converters": [],
      "order": 0,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "",
      "extractor_config": {
        "grok_pattern": "%{DATA:Source}\\[%{DATA:SnortID}\\]: \\[%{DATA:SnortSID}] %{DATA:description} \\[Classification: %{DATA:SnortClassification}\\] \\[Priority: %{DATA:SnortPriority}] %{DATA:Protocol} %{DATA:SourceIP} -> %{DATA:DestIP}:%{GREEDYDATA:DestPort} "
      },
      "condition_type": "string",
      "condition_value": "Classification"
    }
  ],
  "version": "5.0.1"
}
I want to use the Grok extractor only if the word “Classification” is included in the string message.
E.g.:
Servers snort[14660]: [1:2034125:4] [drop] ET EXPLOIT Apache HTTP Server 2.4.49 - Path Traversal Attempt (CVE-2021-41773) M2 [**Classification**: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.10.10.10:44716 -> 172.22.22.22:80
ramindia
(R!)
January 5, 2023, 10:04pm
5
Grok pattern looks ok.
When you mentioned it was working in 4 and broken in 5:
Do you have a pipeline rule that matches as you are expecting, “Classification”?
H077E
January 6, 2023, 9:48am
6
Hey @shakai1,
again at the beginning:
your GROK is not correct; try my adapted example:
%{DATA:Source} snort\[%{NUMBER:SnortID}\]: \[%{DATA:SnortSID}\] \[%{WORD:Action}\] %{DATA:description} \[\**Classification\**: %{DATA:SnortClassification}\] \[Priority: %{NUMBER:SnortPriority}\] \{%{WORD:Protocol}\} %{IP:SourceIP}:%{NUMBER:SrcPort} -> %{IP:DestIP}:%{NUMBER:DestPort}
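To check the adapted pattern against the two Snort lines quoted in this thread, and to show how the extractor’s “string” condition gates it, here is an added example (not code from Graylog or from any poster). It expands the Grok tokens with a small stand-in table for the base patterns (DATA, NUMBER, WORD, IP), which is an assumption for this example and not Graylog’s bundled pattern library.

```python
import re

# Stand-ins for the Grok base patterns the thread's extractor uses (assumed
# for this example, not Graylog's bundled pattern library).
GROK_BASE = {
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "NUMBER": r"[+-]?[0-9]+(?:\.[0-9]+)?",
    "WORD": r"\b\w+\b",
    "IP": r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}",
}

# H077E's adapted pattern, verbatim. Note that `\**` is "a literal '*', zero
# or more times", so it tolerates the **bold** markers the forum inserted
# around "Classification" as well as the plain form in a real syslog line.
SNORT_GROK = (
    r"%{DATA:Source} snort\[%{NUMBER:SnortID}\]: \[%{DATA:SnortSID}\] "
    r"\[%{WORD:Action}\] %{DATA:description} "
    r"\[\**Classification\**: %{DATA:SnortClassification}\] "
    r"\[Priority: %{NUMBER:SnortPriority}\] \{%{WORD:Protocol}\} "
    r"%{IP:SourceIP}:%{NUMBER:SrcPort} -> %{IP:DestIP}:%{NUMBER:DestPort}"
)

def grok_to_regex(pattern: str) -> re.Pattern:
    """Expand each %{TYPE:name} into a named capture group and compile."""
    def repl(m: re.Match) -> str:
        return f"(?P<{m.group(2)}>{GROK_BASE[m.group(1)]})"
    return re.compile("^" + re.sub(r"%\{(\w+):(\w+)\}", repl, pattern) + "$")

SNORT_RE = grok_to_regex(SNORT_GROK)

def extract(message: str):
    """Apply the extractor the way the thread's 'string' condition does:
    run the Grok only when 'Classification' appears in the message, and
    return None when the condition or the match fails."""
    if "Classification" not in message:
        return None
    m = SNORT_RE.match(message)
    return m.groupdict() if m else None

# The two Snort lines quoted in the thread (the second with the bold markers
# exactly as posted), plus a constructed non-alert line for the condition.
SAMPLES = [
    "Server2 snort[23184]: [1:2402000:6509] [alert] ET DROP Dshield Block Listed Source group 1 [Classification: Misc Attack] [Priority: 2] {TCP} 62.22.144.11:21169 -> 172.22.22.22:443",
    "Servers snort[14660]: [1:2034125:4] [drop] ET EXPLOIT Apache HTTP Server 2.4.49 - Path Traversal Attempt (CVE-2021-41773) M2 [**Classification**: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.10.10.10:44716 -> 172.22.22.22:80",
    "Server2 snort[23184]: Reloading rules after SIGHUP",  # constructed
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(extract(line))
```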
system
(system)
Closed
January 20, 2023, 9:48am
7
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.