Grok Extractors

Hi, for my snort logs

Example:
Server2 snort[23184]: [1:2402000:6509] [alert] ET DROP Dshield Block Listed Source group 1 [Classification: Misc Attack] [Priority: 2] {TCP} 62.22.144.11:21169 -> 172.22.22.22:443

I had the following GROK extractor configured:

%{DATA:Source}\[%{DATA:SnortID}\]: \[%{DATA:SnortSID}] %{DATA:description} \[Classification: %{DATA:SnortClassification}\] \[Priority: %{DATA:SnortPriority}] %{DATA:Protocol} %{DATA:SourceIP} -> %{DATA:DestIP}:%{GREEDYDATA:DestPort}

After upgrading from Graylog 4 to Graylog 5, it doesn’t work any more.

Any help, please?

It doesn’t look like it’s the GROK, because that works when I plug it all into an online GROK debugger… There are other settings on the extractor like conditions, extractor strategy, named captures only… could you post those settings? Also, can you give some more detail on “it doesn’t work any more”? That could mean many things. It’s all a black box until you describe it! :wink:

NOTE: Moved this to Graylog Central where questions are asked. Templates are for working solutions… :smiley:

Can you please show the extractor?
As @tmacgbay wrote, the GROK looks good

{
  "extractors": [
    {
      "title": "Gork Cerberus",
      "extractor_type": "grok",
      "converters": [],
      "order": 0,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "",
      "extractor_config": {
        "grok_pattern": "%{DATA:Source}\\[%{DATA:SnortID}\\]: \\[%{DATA:SnortSID}] %{DATA:description} \\[Classification: %{DATA:SnortClassification}\\] \\[Priority: %{DATA:SnortPriority}] %{DATA:Protocol} %{DATA:SourceIP} -> %{DATA:DestIP}:%{GREEDYDATA:DestPort} "
      },
      "condition_type": "string",
      "condition_value": "Classification"
    }
  ],
  "version": "5.0.1"
}

I want to use the Grok extractor only if the word “Classification” is included in the string message.
E.g.:

Servers snort[14660]: [1:2034125:4] [drop] ET EXPLOIT Apache HTTP Server 2.4.49 - Path Traversal Attempt (CVE-2021-41773) M2 [**Classification**: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.10.10.10:44716 -> 172.22.22.22:80

Grok pattern looks ok.

When you mentioned it was working in 4 and broken in 5:

Do you have a pipeline rule that matches as you are expecting, “Classification”?

Hey @shakai1,

Again, at the beginning :wink:
your GROK is not correct; try my adapted example:

%{DATA:Source} snort\[%{NUMBER:SnortID}\]: \[%{DATA:SnortSID}\] \[%{WORD:Action}\] %{DATA:description} \[\**Classification\**: %{DATA:SnortClassification}\] \[Priority: %{NUMBER:SnortPriority}\] \{%{WORD:Protocol}\} %{IP:SourceIP}:%{NUMBER:SrcPort} -> %{IP:DestIP}:%{NUMBER:DestPort}
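As an added example (not from this thread and not Graylog's own code), here is a small Python checker that expands the grok macros used above into plain regexes and runs both the original pattern from the question and the adapted pattern from this reply over the two sample lines, so the field differences are visible before touching the extractor. The macro bodies are simplified stand-ins for Graylog's own definitions and are an assumption of this example.

```python
import re

# Simplified regex bodies for the grok macros used in the thread (constructed
# here; Graylog's shipped definitions are stricter, e.g. NUMBER uses lookbehinds).
GROK_MACROS = {
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "WORD": r"\b\w+\b",
    "NUMBER": r"[+-]?(?:[0-9]+(?:\.[0-9]+)?|\.[0-9]+)",
    "IP": r"(?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}"
          r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])",
}

# The grok from the question and the adapted one from the reply, verbatim.
ORIGINAL_PATTERN = (
    r"%{DATA:Source}\[%{DATA:SnortID}\]: \[%{DATA:SnortSID}] %{DATA:description} "
    r"\[Classification: %{DATA:SnortClassification}\] \[Priority: %{DATA:SnortPriority}] "
    r"%{DATA:Protocol} %{DATA:SourceIP} -> %{DATA:DestIP}:%{GREEDYDATA:DestPort}"
)
ADAPTED_PATTERN = (
    r"%{DATA:Source} snort\[%{NUMBER:SnortID}\]: \[%{DATA:SnortSID}\] "
    r"\[%{WORD:Action}\] %{DATA:description} "
    r"\[\**Classification\**: %{DATA:SnortClassification}\] "
    r"\[Priority: %{NUMBER:SnortPriority}\] \{%{WORD:Protocol}\} "
    r"%{IP:SourceIP}:%{NUMBER:SrcPort} -> %{IP:DestIP}:%{NUMBER:DestPort}"
)

def grok_to_regex(pattern):
    """Expand every %{MACRO:field} into a Python named group and compile it."""
    def expand(m):
        macro, field = m.group(1), m.group(2)
        return f"(?P<{field}>{GROK_MACROS[macro]})"
    return re.compile(re.sub(r"%\{(\w+):(\w+)\}", expand, pattern))

def grok_match(pattern, line):
    """Return the extracted fields as a dict, or None when the pattern does not match."""
    m = grok_to_regex(pattern).match(line)
    return m.groupdict() if m else None

# The two sample lines from the thread; the second keeps the '**' that the forum
# rendered around "Classification", which the \** in the adapted pattern tolerates.
SAMPLES = [
    "Server2 snort[23184]: [1:2402000:6509] [alert] ET DROP Dshield Block Listed "
    "Source group 1 [Classification: Misc Attack] [Priority: 2] {TCP} "
    "62.22.144.11:21169 -> 172.22.22.22:443",
    "Servers snort[14660]: [1:2034125:4] [drop] ET EXPLOIT Apache HTTP Server "
    "2.4.49 - Path Traversal Attempt (CVE-2021-41773) M2 [**Classification**: "
    "Attempted Administrator Privilege Gain] [Priority: 1] {TCP} "
    "10.10.10.10:44716 -> 172.22.22.22:80",
]
```

Running `grok_match(ORIGINAL_PATTERN, SAMPLES[0])` shows the original pattern folding the port into SourceIP, while the adapted pattern splits SourceIP and SrcPort and also matches the second line.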
