My regex for snort is not working

Hi,
I have tried to send my Snort messages to Graylog, but it seems not to be working.

Here is the pipeline rule:
rule "Extract Snort alert fields"
when
    has_field("message")
then
    let m = regex("^\[(\d+):(\d+):(\d+)\] (.+?) \[Classification: (.+?)\] \[Priority: (\d+)]: \<(.+?)\> \{(.+?)\} (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:(\d{1,5}))? -> (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:(\d{1,5}))?\R?", to_string($message.message));

    set_field("snort_alert", true);

    set_field("generator_id", m["0"]);
    set_field("signature_id", m["1"]);
    set_field("signature_revision_id", m["2"]);

    set_field("description", m["3"]);
    set_field("classification", m["4"]);
    set_field("priority", to_long(m["5"]));
    set_field("protocol", m["7"]);

    set_field("src_addr", m["8"]);
    set_field("src_port", to_long(m["10"]));

    set_field("dst_addr", m["11"]);
    set_field("dst_port", to_long(m["13"]));
end

Here is the stream rule:
[\d+:\d+:\d+].*

Here is the message:

2020-05-11 21:21:37 +00:00 pfsense.localdomain
[1:1000001:1] Snort Alert [1:1000001:1] [Classification: Generic ICMP event] [Priority: 3]: {ICMP} 192.168.1.106:0 -> 192.168.1.1:0
2020-05-11 21:01:46 +00:00 pfsense.localdomain
[1:1000001:1] Snort Alert [1:1000001:1] [Classification: Generic ICMP event] [Priority: 3]: {ICMP} 192.168.1.105:0 -> 192.168.1.1:0
2020-05-11 18:56:57 +00:00 pfsense.localdomain
message repeated 5 times: [ [1:1000001:1] Snort Alert [1:1000001:1] [Classification: Generic ICMP event] [Priority: 3]: {ICMP} 192.168.1.105:0 -> 192.168.1.1:0]
2020-05-11 18:56:57 +00:00 pfsense.localdomain
[1:1000001:1] Snort Alert [1:1000001:1] [Classification: Generic ICMP event] [Priority: 3]: {ICMP} 192.168.1.105:0 -> 192.168.1.1:0
2020-05-11 18:56:30 +00:00 pfsense.localdomain
[1:1000001:1] Snort Alert [1:1000001:1] [Classification: Generic ICMP event] [Priority: 3]: {ICMP} 192.168.1.105:0 -> 192.168.1.1:0
2020-05-11 18:56:30 +00:00 pfsense.localdomain
message repeated 5 times: [ [1:1000001:1] Snort Alert [1:1000001:1] [Classification: Generic ICMP event] [Priority: 3]: {ICMP} 192.168.1.105:0 -> 192.168.1.1:0]

Can someone help me with this? Thanks.

Some ideas:

  1. use double escapes (\\) rather than single ones (\)
  2. you can use the debug function to check every phase of your rule
  3. set_field("snort_alert", true); has no condition, so you set it for all of your messages.
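To see what the field extraction should produce before wiring it into a pipeline rule, here is an added Python example (not code from the original thread or from Graylog) that runs an equivalent regex over the messages pasted in the question. Two things visible on the page shape it: the posted messages have no `<interface>` segment between `[Priority: 3]:` and `{ICMP}`, yet the question's regex requires one (`\<(.+?)\>`), so it can never match those lines; and the `message repeated 5 times: [ ... ]` lines do not start with `[gid:sid:rev]`, so a pattern anchored with `^` skips them. The example makes the interface and the ports optional, unwraps the "repeated" wrapper, and uses named groups instead of positional indexes. The line with `<em0>` and no ports is constructed to exercise those optional parts; `em0` is an assumed interface name. Python's `re` has no `\R`, so the trailing newline handling is simply dropped.

```python
import re

# Sample input. The first two lines and the header line are copied from the
# thread; the third line is constructed to carry an <interface> part and no
# ports, which pfSense/Snort can emit but the thread's messages do not show.
SAMPLE_LINES = [
    "[1:1000001:1] Snort Alert [1:1000001:1] [Classification: Generic ICMP event] "
    "[Priority: 3]: {ICMP} 192.168.1.106:0 -> 192.168.1.1:0",
    "message repeated 5 times: [ [1:1000001:1] Snort Alert [1:1000001:1] "
    "[Classification: Generic ICMP event] [Priority: 3]: {ICMP} 192.168.1.105:0 -> 192.168.1.1:0]",
    "[1:1000001:1] Snort Alert [1:1000001:1] [Classification: Generic ICMP event] "
    "[Priority: 3]: <em0> {ICMP} 192.168.1.105 -> 192.168.1.1",   # constructed
    "2020-05-11 21:21:37 +00:00 pfsense.localdomain",              # syslog header, not an alert
]

# The syslog "repeated" wrapper: the real alert sits between "[ " and the final "]".
REPEATED = re.compile(r"^message repeated (?P<count>\d+) times: \[ (?P<inner>.*)\]$")

# Snort alert body. The <interface> segment and both ports are optional,
# which is the difference from the regex posted in the question.
SNORT_ALERT = re.compile(
    r"\[(?P<generator_id>\d+):(?P<signature_id>\d+):(?P<signature_revision_id>\d+)\] "
    r"(?P<description>.+?) "
    r"\[Classification: (?P<classification>.+?)\] "
    r"\[Priority: (?P<priority>\d+)\]: "
    r"(?:<(?P<interface>[^>]+)> )?"                     # optional "<em0> "
    r"\{(?P<protocol>[^}]+)\} "
    r"(?P<src_addr>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<src_port>\d{1,5}))? -> "
    r"(?P<dst_addr>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dst_port>\d{1,5}))?"
)

# Fields the pipeline rule converts with to_long(); the ids stay strings as in the rule.
NUMERIC_FIELDS = ("priority", "src_port", "dst_port")


def parse_snort_alert(message):
    """Return a dict of extracted fields, or None when the line is not a Snort alert."""
    repeat_count = 1
    wrapped = REPEATED.match(message)
    if wrapped:
        repeat_count = int(wrapped.group("count"))
        message = wrapped.group("inner")

    # search() rather than match(): tolerates any prefix the syslog source adds.
    m = SNORT_ALERT.search(message)
    if m is None:
        return None

    fields = m.groupdict()
    for key in NUMERIC_FIELDS:
        if fields[key] is not None:
            fields[key] = int(fields[key])
    fields["snort_alert"] = True          # only set when the regex actually matched
    fields["repeat_count"] = repeat_count
    return fields


def parse_all(lines):
    """Parse every line; unparseable lines are kept as None so nothing is silently lost."""
    return [parse_snort_alert(line) for line in lines]


if __name__ == "__main__":
    for line, parsed in zip(SAMPLE_LINES, parse_all(SAMPLE_LINES)):
        print(line[:60] + "...")
        print("   ->", parsed)
```

Running it shows the first three lines yielding `src_addr`, `dst_addr`, `protocol`, `priority` and the ids, the second line additionally carrying `repeat_count` 5, the third carrying `interface` `em0` with `src_port` and `dst_port` as `None`, and the header line returning `None`. That last case is the point of the reply's third idea: setting `snort_alert` only after a successful match keeps non-alert lines out of the stream.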

Hi,
Thanks for the reply, and sorry for the late reply. I have tried it, but it is not working. Is there anything I have missed?

How do I write the rule? Can you give me some advice?

Hey, I actually had the same problem. I’ve come up with a fix. See the Github repo below.

EDIT: The pfSense part may not apply to you but this should at least get you parsing logs from Snort in Graylog

I am very new to Graylog. I can see that the GUI in the GitHub repo is very different from my Graylog server. Do I follow all the steps in the GitHub repo? Can you give me some advice here? Thanks.

Not all of the screenshots in the GitHub repo are from Graylog. Some are from a tool called Cerebro and some are from pfSense. If you follow the Graylog Pre-Configuration, GeoLite2 DB Installation, Elasticsearch Configuration, and Confirm Logging sections, that should get you parsing logs from Snort, since it sounds like you're already getting logs into Graylog from Snort. If you happen to also be running pfSense, then I would follow the whole guide.
