Threat Intelligence Plugin Rules


I am fairly new to Graylog and I am trying to get the Threat Intelligence Plugin to analyze the SRC section of such messages:

ubnt kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= MAC=REDACTED SRC= DST=REDACTED LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=16557 PROTO=TCP SPT=59574 DPT=7845 WINDOW=1024 RES=0x00 SYN URGP=0

How would I write this rule? I am familiar with selecting a pipeline etc. but can’t get the new fields to show up as described in this tutorial so I assume my rule is not correct.

Thank you.


Could you explain in greater details about your environment?
To help you further please take a look at this post.

Sorry for giving more details as I didn’t think they were needed since I have a full working installation of the latest version of Graylog under Ubuntu. Plug-in is active and ready. Just not sure how to write the rule to inspect the SRC section of that message.


You have Graylog version 4.2 installed I assume.
If this is correct, then you may want to look at these post.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.