Parsing Snort Logs w/ Regex

I’m feeding pfSense Snort logs into Graylog and trying to use a pipeline to set fields and parse with regex. However, Graylog says there’s an invalid expression on line 5 column 59 and I can’t seem to figure out why. I’ve tested the normal regex expression using a different online tester and it worked fine; I say normal because I recently learned about the need for \\ and not \.

Pipeline rule throwing error:

rule "Extract Snort alert fields"
when
  has_field("message")
then
  let m = regex("snort\\[(.+\\d)\\]: \\[(\\d+):(\\d+):(\\d+)\\] ([^\\]]*) \\[Classification: (.+?)\\] \\[Priority: (\\d+)\\] \\{(.+?)\\} (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})(:(\\d{1,5}))? -> (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})(:(\\d{1,5}))?\\R?", to_string($message.message));
  set_field("snort_alert", true);
  set_field("generator_id", m["0"]);
  set_field("signature_id", m["1"]);
  set_field("signature_revision_id", m["2"]);
  set_field("description", m["3"]);
  set_field("classification", m["4"]);
  set_field("priority", to_long(m["5"]));
  set_field("protocol", m["6"]);
  set_field("src_addr", m["7"]);
  set_field("src_port", to_long(m["9"]));
  set_field("dst_addr", m["10"]);
  set_field("dst_port", to_long(m["12"]));
end

I do realize I need to change my fields around, but my worry currently is the regex rule not working. I’ve also tried this with a grok pattern:

let m = grok("^snort\\[%{INT}\\]: \\[%{INT:generator_id}:%{INT:signature_id}:%{INT:signature_revision_id}\\] (%{WORD:module}) %{DATA:description} \\[Classification: %{DATA:classification}\\] \\[Priority: %{INT:priority}\\] \\{%{WORD:protocol}\\} %{IP:src_addr}:%{POSINT:src_port} -> %{IP:dst_addr}:%{POSINT:dst_port}", to_string($message.message), true);

but when trying to use the grok pattern, it’s throwing an error around [Priority: %{INT:priority}].

Any assistance is much appreciated!
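As an added example (not code from the original post or from Graylog), here is the same Snort syslog alert pattern written as a Python regex with named groups, run over two constructed sample lines. It also covers the case the optional port groups in the rule exist for: ICMP alerts, which carry no ports. The sample lines, PIDs and signature IDs are made up.

```python
import re

# Python rendering of the Snort syslog alert pattern from the pipeline rule.
# Graylog rule strings double every backslash ("\\[" for "\["); a Python raw
# string shows the regex as the engine actually sees it. Ports are optional
# because ICMP alerts have none.
SNORT_ALERT = re.compile(
    r"snort\[(?P<pid>\d+)\]: "
    r"\[(?P<generator_id>\d+):(?P<signature_id>\d+):(?P<signature_revision_id>\d+)\] "
    r"(?P<description>.+?) "
    r"\[Classification: (?P<classification>.+?)\] "
    r"\[Priority: (?P<priority>\d+)\] "
    r"\{(?P<protocol>[A-Za-z0-9]+)\} "
    r"(?P<src_addr>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<src_port>\d{1,5}))? -> "
    r"(?P<dst_addr>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dst_port>\d{1,5}))?"
)

# Groups that should become integers (the rule uses to_long() for some of these).
INT_FIELDS = ("pid", "generator_id", "signature_id", "signature_revision_id",
              "priority", "src_port", "dst_port")


def parse_snort_alert(line):
    """Return a dict of alert fields, or None if the line is not a Snort alert."""
    m = SNORT_ALERT.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    for name in INT_FIELDS:
        if fields[name] is not None:  # absent ports stay None instead of failing
            fields[name] = int(fields[name])
    fields["snort_alert"] = True
    return fields


# Constructed sample lines in the syslog alert format the regex targets
# (documentation IP ranges, made-up PID and local-range signature IDs).
SAMPLE_TCP = ("snort[12345]: [1:1000001:1] LOCAL test alert description "
              "[Classification: Potentially Bad Traffic] [Priority: 2] "
              "{TCP} 203.0.113.5:80 -> 192.0.2.10:53421")
SAMPLE_ICMP = ("snort[12345]: [1:1000002:1] LOCAL icmp ping "
               "[Classification: Misc activity] [Priority: 3] "
               "{ICMP} 198.51.100.7 -> 192.0.2.10")

if __name__ == "__main__":
    for line in (SAMPLE_TCP, SAMPLE_ICMP, "not a snort line"):
        print(parse_snort_alert(line))
```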


Fixed!
