Snort mailing list archives
Re: Logstash
From: Jeremy Hoel <jthoel () gmail com>
Date: Tue, 15 Oct 2013 21:01:36 +0000
We don't use the fast alert file, but 'output alert_syslog: LOG_LOCAL6 LOG_ALERT' and then pull them out of the syslog via:

:msg, contains, "Priority: " action(type="omfile" DirCreateMode="0755" FileCreateMode="0644" dynafile="snortlogs")
:msg, regex, ".* [Pp]ortsweep" action(type="omfile" DirCreateMode="0755" FileCreateMode="0644" dynafile="snortlogs")
:msg, regex, ".* [Pp]ortscan" action(type="omfile" DirCreateMode="0755" FileCreateMode="0644" dynafile="snortlogs")

For logstash we have these lines:

grok {
  type => snort
  pattern => "%{TIMESTAMP_ISO8601:syslog_timestamp} %{IPORHOST:device} snort\[%{INT:snort_pid}\]\: \[%{INT:gid}\:%{INT:sid}\:%{INT:rev}\] %{DATA:ids_alert} \[Classification\: %{DATA:ids_classification}\]\s+\[Priority\: %{INT:ids_priority}\] \{%{WORD:ids_alert_proto}\} %{IP:src_ip}(\:%{INT:src_port})? \-\> %{IP:dst_ip}(\:%{INT:dst_port})?$"
  pattern => "%{TIMESTAMP_ISO8601:syslog_timestamp} %{IPORHOST:device} snort\[%{INT:snort_pid}\]\: \[%{INT:gid}\:%{INT:sid}\:%{INT:rev}\] PSNG_%{DATA:portscan_type} \[Classification\: %{DATA:ids_classification}\]\s+\[Priority\: %{INT:ids_priority}\] \{PROTO\:%{INT}\} %{IP:src_ip} \-\> %{IP:dst_ip}$"
  pattern => "%{TIMESTAMP_ISO8601:syslog_timestamp} %{IPORHOST:device} %{GREEDYDATA:snort_the_rest}$"
}

That might help or at least give you an idea.

On Tue, Oct 15, 2013 at 8:51 PM, James Lay <jlay () slave-tothe-box net> wrote:
Hey all! Anyone done any work with integrating logstash with snort's fast alert file? Taking a look at this and was seeing if I'd need to start fresh or if anyone has done any plugins or whatnot with snort. Thanks all.

James

------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register > http://pubads.g.doubleclick.net/gampad/clk?id=60135031&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
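The three grok patterns in Jeremy's reply, as an added example (not from the thread or from Snort/Logstash) rewritten as Python regexes so you can check offline what each Snort syslog line parses into and which pattern fires. The sample lines are constructed (documentation IPs, made-up SIDs); the timestamp is matched loosely where grok uses TIMESTAMP_ISO8601.

```python
import re

# Regex equivalents of the three grok patterns in the post, tried in the same order:
# a normal rule alert, an sfPortscan (PSNG_*) alert, then a catch-all. The
# timestamp is matched loosely (\S+) where grok uses TIMESTAMP_ISO8601.
_PREFIX = r"(?P<syslog_timestamp>\S+) (?P<device>\S+) snort\[(?P<snort_pid>\d+)\]: "
_SIG = r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
_CLASS = r"\[Classification: (?P<ids_classification>.+?)\]\s+\[Priority: (?P<ids_priority>\d+)\] "
ALERT_RE = re.compile(
    _PREFIX + _SIG + r"(?P<ids_alert>.+?) " + _CLASS
    + r"\{(?P<ids_alert_proto>\w+)\} (?P<src_ip>[\d.]+)(?::(?P<src_port>\d+))? -> "
    + r"(?P<dst_ip>[\d.]+)(?::(?P<dst_port>\d+))?$")
PORTSCAN_RE = re.compile(
    _PREFIX + _SIG + r"PSNG_(?P<portscan_type>\S+) " + _CLASS
    + r"\{PROTO:\d+\} (?P<src_ip>[\d.]+) -> (?P<dst_ip>[\d.]+)$")
REST_RE = re.compile(r"(?P<syslog_timestamp>\S+) (?P<device>\S+) (?P<snort_the_rest>.*)$")
PATTERNS = (("alert", ALERT_RE), ("portscan", PORTSCAN_RE), ("rest", REST_RE))

# Constructed sample lines (documentation IPs, made-up SIDs), not real alerts.
SAMPLE_LINES = [
    "2013-10-15T20:51:00+00:00 sensor1 snort[1234]: [1:1000001:1] CONSTRUCTED test alert "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:80 -> 198.51.100.7:51234",
    "2013-10-15T20:52:00+00:00 sensor1 snort[1234]: [122:1:1] PSNG_TCP_PORTSCAN "
    "[Classification: Attempted Information Leak] [Priority: 3] {PROTO:255} 203.0.113.9 -> 198.51.100.7",
    "2013-10-15T20:53:00+00:00 sensor1 snort[1234]: Reload succeeded",
]


def parse_snort_syslog(line):
    """Return the named fields of the first pattern that matches, or None."""
    for name, rx in PATTERNS:
        m = rx.match(line)
        if m is None:
            continue
        fields = {k: v for k, v in m.groupdict().items() if v is not None}
        fields["pattern"] = name  # which grok-equivalent fired, useful when debugging the pipeline
        if "ids_priority" in fields:
            fields["ids_priority"] = int(fields["ids_priority"])  # 1 is the most severe
        return fields
    return None


def high_priority(lines, max_priority=2):
    """Parsed events whose Snort priority is max_priority or lower (i.e. more severe)."""
    events = (parse_snort_syslog(line) for line in lines)
    return [e for e in events if e and e.get("ids_priority", 99) <= max_priority]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_snort_syslog(line))
```

Feeding your own rsyslog lines through parse_snort_syslog shows which events would fall through to the snort_the_rest catch-all and so never get src_ip/dst_ip fields in Logstash.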
Current thread:
- Logstash James Lay (Oct 15)
- Re: Logstash Jeremy Hoel (Oct 15)
- Re: Logstash James Lay (Oct 15)
- Re: Logstash Jeremy Hoel (Oct 15)