Archive
Highlighted

Pulling extracts from Snort alerts

Path Finder

I'm trying to be less dependent on automated regex and learn more about doing my own regex for field extractions. I have have these fields from Snort (IP addresses have been modified):

12/27-13:46:30.535369 [**] [1:2019876:2] ET SCAN SSH BruteForce Tool with fake PUTTY version [**] [Classification: Detection of a Network Scan] [Priority: 3] {TCP} 100.31.116.39:35016 -> 172.20.16.2:22

12/27-13:34:12.027500 [**] [1:2500056:4184] ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 30 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 100.83.149.133:58061 -> 172.20.16.2:22

I'm trying to extract between the first [**] and the second [**] giving me:

ET SCAN SSH BruteForce Tool with fake PUTTY version
AND
ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 29

The extract I put together is:
^\d{2}\/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6}\s\s\[\*\*\]\s\[\d{1,3}:\d{2,7}:\d{1,4}\]\s(?P\D{15,75}\s)\[\*\*\]

It works on everything that doesn't end in a number such as TCP group 30, approximately 10% of my alerts end in a number such as 30. I've tried everything I can think of. Any help would be greatly appreciated!

Tags (1)
0 Karma
Highlighted

Re: Pulling extracts from Snort alerts

Path Finder

Solved myself ^\d{2}\/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6}\s\s\[\*\*\]\s\[\d{1,3}:\d{2,7}:\d{1,4}\]\s(?P<alert>((\D|\d){15,75})\s)\[\*\*\]

Just goes to show, leave it alone for a bit and then come back.

View solution in original post

0 Karma
Highlighted

Re: Pulling extracts from Snort alerts

Motivator

Please try this regex:

your query to return events
|rex " \[\*\*\].*?\](?<etCapturedData>[^\[]+)\s*\[\*\*\]"
| table etCapturedData

You can rename etCapturedData field to any name of your choice by changing in (?<etCapturedData>[^\[]+)
For the Extraction and its explanation (check the right hand side columns) here

Highlighted

Re: Pulling extracts from Snort alerts

Path Finder

The Rex does work, but I was looking for Field Extractions, I'm assuming this is probably a more elegant way of extracting than I used.

0 Karma
Highlighted

Re: Pulling extracts from Snort alerts

Motivator

Same regex would have worked well in the field extraction too. But if you have solved it, then good, else this regex above is much more compact and will not be too dependent on the strict sequences of \d{n} as your regex might fail if:

  • The \d's were to mismatch in any log line.
  • If the content within the capturing group (\D|\d){15,75}) were to exceed 75 chars.
0 Karma