Netgate Discussion Forum

    Solved: SNORT[#####] grock'd

    General pfSense Questions
      kozokeith

      Re: Kibana+Elasticsearch+Logstash [ELK] v6.3.0 pfSense v2.4.3p1 and Suricata using docker-compose | docker for windows

      I figured it out.
      Here is the match pattern:

                  # pfSense logs Snort as snort[<pid>], and "in" on a string field is a
                  # substring test, so this matches with or without the pid suffix
                  if "snort" in [prog] {
                    mutate {
                      add_tag => [ "snort" ]
                    }
                  }
      

      Here is the grok pattern if anyone is interested.

            grok {
              # [ ] and { } are regex metacharacters in grok, so the literal
              # [gid:sid:rev], [Classification: ...], [Priority: n] and {PROTO}
              # delimiters must be escaped. Messages the first pattern rejects (ICMP
              # alerts have no ports, rules without a classtype no Classification
              # block) fall through to the second one, which keeps the rest in message2.
              match => {
                "message" => [
                  "\[%{INT:ids_gid}:%{INT:ids_sid}:%{INT:ids_rev}\] (?:\(%{WORD:preprocessor}\) )?%{DATA:ids_alert} \[Classification: %{DATA:ids_classification}\] \[Priority: %{INT:ids_priority}\] \{%{WORD:ids_proto}\} %{IP:src_ip}:%{INT:src_port} -> %{IP:dst_ip}:%{INT:dst_port}",
                  "\[%{INT:ids_gid}:%{INT:ids_sid}:%{INT:ids_rev}\] %{GREEDYDATA:message2}"
                ]
              }
            }
      
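The two filter stages of the post above, the prog test and the grok match, as a stand-alone Python re-implementation added here for illustration; it is not code from the original post, from pfSense or from Logstash. The grok primitives INT, WORD and IP are expanded to the regexes Logstash's pattern library defines for them, the square brackets and braces are escaped because they are regex metacharacters, and the post's second pattern acts as the fallback. It goes a little beyond the post by treating the "(preprocessor)" prefix and the ports as optional, so ICMP alerts, which carry no ports, are still parsed by the first pattern. The function names (is_snort_event, parse_alert, process_event), the sample events and the pid in snort[70101] are all constructed for this example, not captured from a sensor.

```python
import re

# Grok primitives from logstash-patterns-core, translated for Python's re module
# (grok/Oniguruma writes named groups as (?<name>...), Python as (?P<name>...)).
INT = r"(?:[+-]?(?:[0-9]+))"
WORD = r"\b\w+\b"
_OCTET = r"(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])"
IPV4 = (r"(?<![0-9])(?:" + _OCTET + r"[.]" + _OCTET + r"[.]" + _OCTET + r"[.]"
        + _OCTET + r")(?![0-9])")


def _cap(name, body):
    """Named capture, the equivalent of %{PATTERN:name} in grok."""
    return "(?P<" + name + ">" + body + ")"


# First pattern of the post with [ ] { } escaped.  Assumptions made here that
# the post does not make: the "(preprocessor)" prefix is optional, and the
# ports are optional so that ICMP alerts, which carry none, still match.
FULL_ALERT = re.compile(
    r"\[" + _cap("ids_gid", INT) + ":" + _cap("ids_sid", INT) + ":" + _cap("ids_rev", INT) + r"\] "
    + r"(?:\(" + _cap("preprocessor", WORD) + r"\) )?"
    + _cap("ids_alert", r".*?") + r" \[Classification: " + _cap("ids_classification", r".*?") + r"\] "
    + r"\[Priority: " + _cap("ids_priority", INT) + r"\] "
    + r"\{" + _cap("ids_proto", WORD) + r"\} "
    + _cap("src_ip", IPV4) + r"(?::" + _cap("src_port", INT) + r")? -> "
    + _cap("dst_ip", IPV4) + r"(?::" + _cap("dst_port", INT) + r")?$"
)

# Second pattern of the post: anything with a [gid:sid:rev] header that the full
# pattern rejects, e.g. a rule without a classtype emits no [Classification] block.
FALLBACK = re.compile(
    r"\[" + _cap("ids_gid", INT) + ":" + _cap("ids_sid", INT) + ":" + _cap("ids_rev", INT) + r"\] "
    + _cap("message2", r".*")
)


def is_snort_event(prog):
    """The Logstash conditional `if "snort" in [prog]` is a substring test, so it
    is true for both "snort" and "snort[70101]"."""
    return "snort" in prog


def parse_alert(message):
    """Return grok-style string fields for one Snort syslog message, or None when
    neither pattern matches (grok would then add the _grokparsefailure tag)."""
    m = FULL_ALERT.search(message)
    if m is None:
        m = FALLBACK.search(message)
    if m is None:
        return None
    # grok only creates a field for a group that actually matched
    return {k: v for k, v in m.groupdict().items() if v is not None}


def process_event(prog, message):
    """Run the two filter stages of the post over one syslog event."""
    event = {"prog": prog, "message": message, "tags": []}
    if not is_snort_event(prog):
        return event
    event["tags"].append("snort")
    fields = parse_alert(message)
    if fields is None:
        event["tags"].append("_grokparsefailure")
    else:
        event.update(fields)
    return event


# Constructed sample events (prog, message); not captured from a real sensor.
SAMPLE_EVENTS = [
    ("snort[70101]", "[1:2100498:7] GPL ATTACK_RESPONSE id check returned root "
                     "[Classification: Potentially Bad Traffic] [Priority: 2] "
                     "{TCP} 192.168.1.10:80 -> 10.0.0.5:54321"),
    ("snort[70101]", "[119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING "
                     "[Classification: Unknown Traffic] [Priority: 3] "
                     "{TCP} 10.0.0.5:51234 -> 192.168.1.20:80"),
    ("snort[70101]", "[1:2100384:8] GPL ICMP PING [Classification: Misc activity] "
                     "[Priority: 3] {ICMP} 10.0.0.5 -> 192.168.1.1"),
    ("snort[70101]", "[1:1000001:1] LOCAL policy test rule [Priority: 0] "
                     "{UDP} 10.0.0.5:53 -> 192.168.1.1:53"),
    ("sshd[1234]", "Accepted publickey for admin from 192.168.1.50 port 50022 ssh2"),
]

if __name__ == "__main__":
    for prog, msg in SAMPLE_EVENTS:
        ev = process_event(prog, msg)
        print(ev["tags"], {k: v for k, v in ev.items() if k not in ("prog", "message", "tags")})
```

Running the file prints the tags and captured fields for each sample; the fourth sample shows the fallback in action because its rule has no classtype, and the sshd line passes through untagged. All captured values are strings, as they are in grok unless `:int` typing is added to the field names.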