Snort mailing list archives

Re: Logstash


From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 15 Oct 2013 15:04:49 -0600

On 2013-10-15 15:01, Jeremy Hoel wrote:
We don't use the fast alert file, but 'output alert_syslog: LOG_LOCAL6 LOG_ALERT' and then pull them out of syslog via


:msg, contains, "Priority: " action(type="omfile" DirCreateMode="0755" FileCreateMode="0644" dynafile="snortlogs")
:msg, regex, ".* [Pp]ortsweep" action(type="omfile" DirCreateMode="0755" FileCreateMode="0644" dynafile="snortlogs")
:msg, regex, ".* [Pp]ortscan" action(type="omfile" DirCreateMode="0755" FileCreateMode="0644" dynafile="snortlogs")


For logstash we have these lines:

grok {
  type => snort
  pattern => "%{TIMESTAMP_ISO8601:syslog_timestamp} %{IPORHOST:device} snort\[%{INT:snort_pid}\]\: \[%{INT:gid}\:%{INT:sid}\:%{INT:rev}\] %{DATA:ids_alert} \[Classification\: %{DATA:ids_classification}\]\s+\[Priority\: %{INT:ids_priority}\] \{%{WORD:ids_alert_proto}\} %{IP:src_ip}(\:%{INT:src_port})? \-\> %{IP:dst_ip}(\:%{INT:dst_port})?$"
  pattern => "%{TIMESTAMP_ISO8601:syslog_timestamp} %{IPORHOST:device} snort\[%{INT:snort_pid}\]\: \[%{INT:gid}\:%{INT:sid}\:%{INT:rev}\] PSNG_%{DATA:portscan_type} \[Classification\: %{DATA:ids_classification}\]\s+\[Priority\: %{INT:ids_priority}\] \{PROTO\:%{INT}\} %{IP:src_ip} \-\> %{IP:dst_ip}$"
  pattern => "%{TIMESTAMP_ISO8601:syslog_timestamp} %{IPORHOST:device} %{GREEDYDATA:snort_the_rest}$"
}


That might help or at least give you an idea.

That helps, thank you... should be an interesting time :)

James
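
As an added worked example (not part of the thread or of either poster's configuration), here are the three grok patterns quoted above re-expressed as Python regular expressions and run over a few constructed Snort alert_syslog lines, so the field extraction can be checked offline before touching the Logstash config. It assumes, as the TIMESTAMP_ISO8601/IPORHOST prefix implies, that rsyslog writes an ISO 8601 timestamp and hostname in front of the snort[pid] tag; the sample lines, SIDs and addresses are made up for the test.

```python
"""Offline check of the Snort-over-syslog field extraction discussed above.

Added example, not from the thread: the three grok patterns quoted in the
reply are re-expressed as Python regexes so the extraction can be tested
without a Logstash instance. Assumptions: rsyslog writes an ISO 8601
timestamp followed by the host (as the TIMESTAMP_ISO8601/IPORHOST prefix
implies), and the sample lines below are constructed, not captured.
"""
import re
from typing import Optional

# rsyslog prefix (ISO 8601 timestamp, host) followed by Snort's syslog tag.
_PREFIX = (
    r"^(?P<syslog_timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?"
    r"(?:Z|[+-]\d{2}:\d{2})?) "
    r"(?P<device>\S+) snort\[(?P<snort_pid>\d+)\]: "
)
_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"  # grok's %{IP} also takes IPv6; IPv4 is enough here

# Pattern 1: ordinary rule alert. Ports are optional because ICMP has none.
ALERT_RE = re.compile(
    _PREFIX
    + r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<ids_alert>.+?) "
    + r"\[Classification: (?P<ids_classification>.*?)\]\s+"
    + r"\[Priority: (?P<ids_priority>\d+)\] \{(?P<ids_alert_proto>\w+)\} "
    + rf"(?P<src_ip>{_IPV4})(?::(?P<src_port>\d+))? -> "
    + rf"(?P<dst_ip>{_IPV4})(?::(?P<dst_port>\d+))?$"
)

# Pattern 2: sfportscan event. The message is PSNG_<type>, the protocol
# field is {PROTO:n} (so pattern 1's {WORD} cannot match it), and no ports.
PORTSCAN_RE = re.compile(
    _PREFIX
    + r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] PSNG_(?P<portscan_type>\S+) "
    + r"\[Classification: (?P<ids_classification>.*?)\]\s+"
    + r"\[Priority: (?P<ids_priority>\d+)\] \{PROTO:\d+\} "
    + rf"(?P<src_ip>{_IPV4}) -> (?P<dst_ip>{_IPV4})$"
)

# Pattern 3: catch-all so nothing the sensor logs is silently dropped.
REST_RE = re.compile(r"^(?P<syslog_timestamp>\S+) (?P<device>\S+) (?P<snort_the_rest>.*)$")

_INT_FIELDS = ("snort_pid", "gid", "sid", "rev", "ids_priority", "src_port", "dst_port")


def parse_snort_syslog(line: str) -> Optional[dict]:
    """Try the patterns in the same order as the grok block; first match wins.

    Returns the extracted fields plus a 'kind' tag, or None for a line that
    does not even look like a syslog record.
    """
    for kind, rx in (("alert", ALERT_RE), ("portscan", PORTSCAN_RE), ("rest", REST_RE)):
        m = rx.match(line)
        if m is None:
            continue
        fields = {k: v for k, v in m.groupdict().items() if v is not None}
        fields["kind"] = kind
        for k in _INT_FIELDS:  # ints so downstream filters can compare, e.g. priority <= 2
            if k in fields:
                fields[k] = int(fields[k])
        return fields
    return None


# Constructed sample lines (local SIDs, RFC 1918 addresses), not real alerts.
SAMPLE_LINES = [
    "2013-10-15T15:01:00.123456-06:00 sensor1 snort[2748]: [1:1000002:3] LOCAL HTTP suspicious User-Agent "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.10:52144 -> 10.0.0.5:80",
    "2013-10-15T15:01:03.000001-06:00 sensor1 snort[2748]: [122:3:1] PSNG_TCP_PORTSWEEP "
    "[Classification: Attempted Information Leak] [Priority: 3] {PROTO:255} 192.168.1.77 -> 10.0.0.5",
    "2013-10-15T15:01:05.000000-06:00 sensor1 snort[2748]: [1:1000001:1] LOCAL ICMP ping "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.10 -> 10.0.0.5",
    "2013-10-15T15:01:09.000000-06:00 sensor1 snort[2748]: Snort initialization complete",
]


def parse_all(lines=SAMPLE_LINES) -> dict:
    """Count which pattern each line hit; a growing 'rest' bucket means a pattern is stale."""
    counts = {"alert": 0, "portscan": 0, "rest": 0, "unparsed": 0}
    for line in lines:
        parsed = parse_snort_syslog(line)
        counts[parsed["kind"] if parsed else "unparsed"] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_snort_syslog(line))
    print(parse_all())
```

Run it directly to see each line's fields. The patterns are tried in the posted order, and the final catch-all absorbs anything the two specific patterns miss; a rising count in that bucket after a Snort or rule-set upgrade is the quickest sign that the alert format has drifted away from the grok patterns.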

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
