{
"extractors": [
{
"condition_type": "regex",
"condition_value": "\\[\\d+:\\d+:\\d\\].*\\[Classification:.+\\]\\s\\[Priority:\\s\\d\\].*\\{\\S+\\}\\s\\S+:\\d+\\s->\\s\\S+:\\d+",
"converters": [],
"cursor_strategy": "copy",
"extractor_config": {
"regex_value": "\\[\\d+:\\d+:\\d\\] (.*) \\[Classification:.+\\]\\s\\[Priority:\\s\\d\\].*\\{\\S+\\}\\s\\S+:\\d+\\s->\\s\\S+:\\d+"
},
"extractor_type": "regex",
"order": 15,
"source_field": "message",
"target_field": "snort_message",
"title": "Snort Message"
},
{
"condition_type": "regex",
"condition_value": "\\[\\d+:\\d+:\\d\\].*\\[Classification:.+\\]\\s\\[Priority:\\s\\d\\].*\\{\\S+\\}\\s\\S+:\\d+\\s->\\s\\S+:\\d+",
"converters": [],
"cursor_strategy": "copy",
"extractor_config": {
"regex_value": "\\[\\d+:\\d+:\\d\\].*\\[Classification:(.+)\\]\\s\\[Priority:\\s\\d\\].*\\{\\S+\\}\\s\\S+:\\d+\\s->\\s\\S+:\\d+"
},
"extractor_type": "regex",
"order": 16,
"source_field": "message",
"target_field": "snort_classification",
"title": "Snort Classification"
},
{
"condition_type": "regex",
"condition_value": "\\[\\d+:\\d+:\\d\\].*\\[Classification:.+\\]\\s\\[Priority:\\s\\d\\].*\\{\\S+\\}\\s\\S+:\\d+\\s->\\s\\S+:\\d+",
"converters": [],
"cursor_strategy": "copy",
"extractor_config": {
"regex_value": "\\[\\d+:\\d+:\\d\\].*\\[Classification:.+\\]\\s\\[Priority:\\s(\\d)\\].*\\{\\S+\\}\\s\\S+:\\d+\\s->\\s\\S+:\\d+"
},
"extractor_type": "regex",
"order": 17,
"source_field": "message",
"target_field": "snort_priority",
"title": "Snort Priority"
},
{
"condition_type": "regex",
"condition_value": "\\[\\d+:\\d+:\\d\\].*\\[Classification:.+\\]\\s\\[Priority:\\s\\d\\].*\\{\\S+\\}\\s\\S+:\\d+\\s->\\s\\S+:\\d+",
"converters": [],
"cursor_strategy": "copy",
"extractor_config": {
"regex_value": "\\[\\d+:\\d+:\\d\\].*\\[Classification:.+\\]\\s\\[Priority:\\s\\d\\].*\\{(\\S+)\\}\\s\\S+:\\d+\\s->\\s\\S+:\\d+"
},
"extractor_type": "regex",
"order": 18,
"source_field": "message",
"target_field": "snort_protocol",
"title": "Snort Protocol"
},
{
"condition_type": "regex",
"condition_value": "\\[\\d+:\\d+:\\d\\].*\\[Classification:.+\\]\\s\\[Priority:\\s\\d\\].*\\{\\S+\\}\\s\\S+:\\d+\\s->\\s\\S+:\\d+",
"converters": [],
"cursor_strategy": "copy",
"extractor_config": {
"regex_value": "\\[\\d+:\\d+:\\d\\].*\\[Classification:.+\\]\\s\\[Priority:\\s\\d\\].*\\{\\S+\\}\\s(\\S+):\\d+\\s->\\s\\S+:\\d+"
},
"extractor_type": "regex",
"order": 19,
"source_field": "message",
"target_field": "src_ip",
"title": "Snort Source IP"
},
{
"condition_type": "regex",
"condition_value": "\\[\\d+:\\d+:\\d\\].*\\[Classification:.+\\]\\s\\[Priority:\\s\\d\\].*\\{\\S+\\}\\s\\S+:\\d+\\s->\\s\\S+:\\d+",
"converters": [],
"cursor_strategy": "copy",
"extractor_config": {
"regex_value": "\\[\\d+:\\d+:\\d\\].*\\[Classification:.+\\]\\s\\[Priority:\\s\\d\\].*\\{\\S+\\}\\s\\S+:\\d+\\s->\\s(\\S+):\\d+"
},
"extractor_type": "regex",
"order": 19,
"source_field": "message",
"target_field": "dst_ip",
"title": "Snort Destination IP"
}
],
"version": "0.20.3.jlh"
}