I know I am doing something simple here but just can’t find it.
With the following message: {{Replaced IPs with x’s}}
snort[42549]: [120:18:3] (http_inspect) PROTOCOL-OTHER HTTP server response before client request [Classification: Unknown Traffic] [Priority: 3] {TCP} x.x.x.x:8088 -> x.x.x.x:3609
I can get pretty good matches with:
\[Classification: (.+?)\] \[Priority: (\d+)\] \{(.+?)\} (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:(\d{1,5}))? -> (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:(\d{1,5}))?\R?
When I replace:
rule "Extract Snort alert fields"
when
  has_field("message")
then
  let m = regex("\[(\d+):(\d+):(\d+)\] (.+?) \[Classification: (.+?)\] \[Priority: (\d+)]: \<(.+?)\> \{(.+?)\} (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:(\d{1,5}))? -> (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:(\d{1,5}))?\R?", to_string($message.message));
the regex portion with:
\[Classification: (.+?)\] \[Priority: (\d+)\] \{(.+?)\} (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:(\d{1,5}))? -> (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:(\d{1,5}))?\R?
I get an error on that line: Invalid Expression line 5 (which is the regex) column 36 (which I am not sure how to read).
Now this is probably due to regex formatting, i.e. Java requires \\ instead of \; however, I replaced all the \ with \\ and still get the same error.
Any ideas?
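To check that the pattern itself is sound before blaming the rule syntax, here is an added Python example (not part of the original post, and not Graylog code) that applies the same regex to a constructed copy of the Snort alert, with named groups so each field can be inspected. It also shows the one transformation the post is circling around: a helper that doubles every backslash so the regex survives string-literal escape processing, on the assumption (stated in the post, not verified here) that Graylog pipeline rule strings use Java-style escapes. The IPs are RFC 5737 documentation addresses, and Python's `re` has no `\R`, so the trailing `\R?` is replaced with `\s*$`.

```python
import re

# Constructed sample lines modelled on the post's alert; IPs are documentation addresses.
SAMPLE = ("snort[42549]: [120:18:3] (http_inspect) PROTOCOL-OTHER HTTP server response "
          "before client request [Classification: Unknown Traffic] [Priority: 3] "
          "{TCP} 192.0.2.10:8088 -> 198.51.100.7:3609")
# Same shape without ports, to exercise the optional (:port)? groups.
SAMPLE_NO_PORTS = ("snort[42549]: [1:366:7] (snort_decoder) ICMP PING "
                   "[Classification: Misc activity] [Priority: 3] "
                   "{ICMP} 192.0.2.10 -> 198.51.100.7")

# The post's regex, with named groups; \R? from the original replaced by \s*$ (Python has no \R).
SNORT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<classification>.+?)\] \[Priority: (?P<priority>\d+)\] "
    r"\{(?P<proto>.+?)\} (?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<src_port>\d{1,5}))? -> "
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dst_port>\d{1,5}))?\s*$"
)


def parse_snort_alert(line):
    """Return a dict of the alert fields, or None if the line does not match."""
    m = SNORT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["priority"] = int(fields["priority"])
    # Ports are optional in the Snort output; keep None when absent rather than failing.
    for key in ("src_port", "dst_port"):
        fields[key] = int(fields[key]) if fields[key] is not None else None
    return fields


def to_rule_literal(pattern):
    """Wrap a raw regex in a double-quoted string literal suitable for a rule
    language with Java-style escapes (assumption, per the post): every backslash
    is doubled and embedded double quotes are escaped."""
    escaped = pattern.replace("\\", "\\\\").replace('"', '\\"')
    return '"' + escaped + '"'


if __name__ == "__main__":
    for line in (SAMPLE, SAMPLE_NO_PORTS):
        print(parse_snort_alert(line))
    print(to_rule_literal(SNORT_RE.pattern))
```

Running the script prints the parsed fields for both constructed lines and the escaped form of the pattern; pasting that escaped form into the `regex(...)` call is the form the post reports having tried, so if the parser still rejects it the problem lies in the rule syntax around the string rather than in the regex.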