Pfsense Snort logs not parsing (Resolved)


(Haider) #1

Hello all,

I have just started using Graylog and I am not having much of success parsing logs from snort installed on pfsense. I have followed this tutorial to point and I still don’t see individual fields as show at end of this post.

Any help/insight is appreciated.

All I see is this


Pfsense snort, logs not parsing correctly
(Jan Doberstein) #2

Did you create a Processing pipeline and have that then connected to a stream that just holds all snort messages?


(Haider) #3

Yep, I have everything configured as per instructions.


(Haider) #4

The simulation even works fine.


(Haider) #5

I had to change order

*System > Configurations

Also changed pipeline to use this code

rule "Extract Snort alert fields"
when
  has_field("message")
then
  let m = regex("\\[(\\d+):(\\d+):(\\d+)\\] (.+?) \\[Classification: (.+?)\\] \\[Priority: (\\d+)]: \\<(.+?)\\> \\{(.+?)\\} (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})(:(\\d{1,5}))? -> (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})(:(\\d{1,5}))?\\R?", to_string($message.message));

  set_field("snort_alert", true);

  set_field("generator_id", m["0"]);
  set_field("signature_id", m["1"]);
  set_field("signature_revision_id", m["2"]);

  set_field("description", m["3"]);
  set_field("classification", m["4"]);
  set_field("priority", to_long(m["5"]));
  set_field("protocol", m["7"]);

  set_field("src_addr", m["8"]);
  set_field("src_port", to_long(m["10"]));

  set_field("dst_addr", m["11"]);
  set_field("dst_port", to_long(m["13"]));
end

(system) #6

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.