Alerting

Pulling extracts from Snort alerts

richnsanders_70
Path Finder

I'm trying to be less dependent on automated regex and learn more about doing my own regex for field extractions. I have have these fields from Snort (IP addresses have been modified):

12/27-13:46:30.535369 [**] [1:2019876:2] ET SCAN SSH BruteForce Tool with fake PUTTY version [**] [Classification: Detection of a Network Scan] [Priority: 3] {TCP} 100.31.116.39:35016 -> 172.20.16.2:22

12/27-13:34:12.027500 [**] [1:2500056:4184] ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 30 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 100.83.149.133:58061 -> 172.20.16.2:22

I'm trying to extract between the first [**] and the second [**] giving me:

ET SCAN SSH BruteForce Tool with fake PUTTY version
AND
ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 29

The extract I put together is:
^\d{2}\/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6}\s\s\[\*\*\]\s\[\d{1,3}:\d{2,7}:\d{1,4}\]\s(?P\D{15,75}\s)\[\*\*\]

It works on everything that doesn't end in a number such as TCP group 30, approximately 10% of my alerts end in a number such as 30. I've tried everything I can think of. Any help would be greatly appreciated!

Tags (1)
0 Karma
1 Solution

richnsanders_70
Path Finder

Solved myself ^\d{2}\/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6}\s\s\[\*\*\]\s\[\d{1,3}:\d{2,7}:\d{1,4}\]\s(?P<alert>((\D|\d){15,75})\s)\[\*\*\]

Just goes to show, leave it alone for a bit and then come back.

View solution in original post

0 Karma

gokadroid
Motivator

Please try this regex:

your query to return events
|rex " \[\*\*\].*?\](?<etCapturedData>[^\[]+)\s*\[\*\*\]"
| table etCapturedData

You can rename etCapturedData field to any name of your choice by changing in (?<etCapturedData>[^\[]+)
For the Extraction and its explanation (check the right hand side columns) here

richnsanders_70
Path Finder

The Rex does work, but I was looking for Field Extractions, I'm assuming this is probably a more elegant way of extracting than I used.

0 Karma

gokadroid
Motivator

Same regex would have worked well in the field extraction too. But if you have solved it, then good, else this regex above is much more compact and will not be too dependent on the strict sequences of \d{n} as your regex might fail if:

  • The \d's were to mismatch in any log line.
  • If the content within the capturing group (\D|\d){15,75}) were to exceed 75 chars.
0 Karma

richnsanders_70
Path Finder

Solved myself ^\d{2}\/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6}\s\s\[\*\*\]\s\[\d{1,3}:\d{2,7}:\d{1,4}\]\s(?P<alert>((\D|\d){15,75})\s)\[\*\*\]

Just goes to show, leave it alone for a bit and then come back.

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...