iptables Grok Pattern
# GROK Custom Patterns (add to patterns directory and reference in GROK filter for iptables events):
# GROK Patterns for iptables Logging Format
#
# Created 6 Aug 2016 by Brian Turek <brian.turek@gmail.com>
# Most of this was taken from another source but now I cannot find it for credit
#
# Usage: Use the IPTABLES pattern
NETFILTERMAC %{MAC:dest_mac}:%{MAC:src_mac}:%{ETHTYPE:ethtype}
ETHTYPE (?:(?:[A-Fa-f0-9]{2}):(?:[A-Fa-f0-9]{2}))
IPTABLES_ETHERNET IN=%{DATA:iface}? OUT=%{DATA:oface}? MAC=%{NETFILTERMAC}?
IPTABLES_PORT_PAIR SPT=%{INT:src_port} DPT=%{INT:dest_port}
IPTABLES_TCP_FLAGS ((?<= )(CWR|ECE|URG|ACK|PSH|RST|SYN|FIN))*
IPTABLES_TCP_SEQ SEQ=%{INT:sequence_number} ACK=%{INT:ack_number}
IPTABLES_TCP_DETAILS (?:%{IPTABLES_TCP_SEQ} )?WINDOW=%{INT:tcp_window} RES=%{BASE16NUM:res} %{IPTABLES_TCP_FLAGS:tcp_flags}
IPTABLES_INCOMPLETE_PACKET INCOMPLETE \[%{INT:incomplete} bytes\]
IPTABLES_UDP_DETAILS LEN=%{INT:data_length}
IPTABLES_ICMP_EXTRA_ECHO ID=%{INT:icmp_echo_id} SEQ=%{INT:icmp_echo_sequence}
IPTABLES_ICMP_EXTRA_PARAM PARAMETER=%{INT:icmp_parameter}
IPTABLES_ICMP_EXTRA_REDIRECT GATEWAY=%{IP:icmp_redirect}
IPTABLES_ICMP_EXTRA ( (?:%{IPTABLES_ICMP_EXTRA_ECHO}|%{IPTABLES_ICMP_EXTRA_PARAM}|%{IPTABLES_ICMP_EXTRA_REDIRECT}))*
IPTABLES_ICMP_DETAILS TYPE=%{INT:icmp_type} CODE=%{INT:icmp_code}(( %{IPTABLES_INCOMPLETE_PACKET})|%{IPTABLES_ICMP_EXTRA})
IPTABLES_ICMP_NESTED \[%{IPTABLES_IP_START}%{IPTABLES_IP_STDPROTOCOLS}\s*\]
IPTABLES_PROTOCOL PROTO=%{WORD:proto}
IPTABLES_IP_PAYLOAD %{IPTABLES_PROTOCOL}( %{IPTABLES_PORT_PAIR})?( (%{IPTABLES_TCP_DETAILS}|%{IPTABLES_UDP_DETAILS}|%{IPTABLES_ICMP_DETAILS}|%{IPTABLES_INCOMPLETE_PACKET}))?
IPTABLES_IP_FRAGFLAG ((?<= )(CE|DF|MF))*
IPTABLES_IP_START SRC=%{IP:src_ip} DST=%{IP:dest_ip} LEN=%{INT:length} TOS=%{BASE16NUM:tos} PREC=%{BASE16NUM:prec} TTL=%{INT:ttl} ID=%{INT:id}(?: %{IPTABLES_IP_FRAGFLAG:flags})?(?: FRAG: %{INT:fragment})?
IPTABLES_IP %{IPTABLES_IP_START} %{IPTABLES_IP_PAYLOAD}
IPTABLES %{IPTABLES_ETHERNET} %{IPTABLES_IP}
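As an added illustration (not part of the gist), the Python script below resolves the gist's own `%{NAME:field}` references into one regular expression the way Grok does, then runs it over two constructed netfilter LOG lines. It keeps the TCP/UDP subset of the patterns verbatim and leaves the ICMP branch out; the base patterns (`INT`, `IP`, `MAC`, `WORD`, `DATA`, `BASE16NUM`) are simplified stand-ins for the logstash ones, and the sample lines are made up.

```python
import re
# Constructed stand-ins for the logstash base patterns the gist references.
BASE = {"INT": r"[+-]?\d+", "IP": r"\d{1,3}(?:\.\d{1,3}){3}",
        "MAC": r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}", "WORD": r"\w+",
        "DATA": r".*?", "BASE16NUM": r"(?:0[xX])?[0-9A-Fa-f]+"}
# TCP/UDP subset of the gist's patterns, copied verbatim (ICMP branch left out).
GIST = """\
NETFILTERMAC %{MAC:dest_mac}:%{MAC:src_mac}:%{ETHTYPE:ethtype}
ETHTYPE (?:(?:[A-Fa-f0-9]{2}):(?:[A-Fa-f0-9]{2}))
IPTABLES_ETHERNET IN=%{DATA:iface}? OUT=%{DATA:oface}? MAC=%{NETFILTERMAC}?
IPTABLES_PORT_PAIR SPT=%{INT:src_port} DPT=%{INT:dest_port}
IPTABLES_TCP_FLAGS ((?<= )(CWR|ECE|URG|ACK|PSH|RST|SYN|FIN))*
IPTABLES_TCP_SEQ SEQ=%{INT:sequence_number} ACK=%{INT:ack_number}
IPTABLES_TCP_DETAILS (?:%{IPTABLES_TCP_SEQ} )?WINDOW=%{INT:tcp_window} RES=%{BASE16NUM:res} %{IPTABLES_TCP_FLAGS:tcp_flags}
IPTABLES_UDP_DETAILS LEN=%{INT:data_length}
IPTABLES_PROTOCOL PROTO=%{WORD:proto}
IPTABLES_IP_PAYLOAD %{IPTABLES_PROTOCOL}( %{IPTABLES_PORT_PAIR})?( (%{IPTABLES_TCP_DETAILS}|%{IPTABLES_UDP_DETAILS}))?
IPTABLES_IP_FRAGFLAG ((?<= )(CE|DF|MF))*
IPTABLES_IP_START SRC=%{IP:src_ip} DST=%{IP:dest_ip} LEN=%{INT:length} TOS=%{BASE16NUM:tos} PREC=%{BASE16NUM:prec} TTL=%{INT:ttl} ID=%{INT:id}(?: %{IPTABLES_IP_FRAGFLAG:flags})?(?: FRAG: %{INT:fragment})?
IPTABLES_IP %{IPTABLES_IP_START} %{IPTABLES_IP_PAYLOAD}
IPTABLES %{IPTABLES_ETHERNET} %{IPTABLES_IP}
"""
REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")  # %{NAME} or %{NAME:field}

def load_patterns(text):
    # One "NAME body" definition per line, layered over the base patterns.
    pats = dict(BASE)
    for line in text.splitlines():
        name, body = line.split(" ", 1)
        pats[name] = body
    return pats

def expand(name, pats):
    # Recursively turn %{NAME:field} into a named group, %{NAME} into a non-capturing one.
    def sub(m):
        inner = expand(m.group(1), pats)
        return f"(?P<{m.group(2)}>{inner})" if m.group(2) else f"(?:{inner})"
    return REF.sub(sub, pats[name])

IPTABLES_RE = re.compile(expand("IPTABLES", load_patterns(GIST)))

def parse_iptables(line):
    # Returns the non-empty captured fields, or None when the line is not a netfilter log.
    m = IPTABLES_RE.search(line)
    return {k: v for k, v in m.groupdict().items() if v} if m else None

# Constructed sample lines in the kernel's netfilter LOG format (not real traffic).
TCP_LINE = ("kernel: FW-DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
            "SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=54321 DF "
            "PROTO=TCP SPT=40312 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0")
UDP_LINE = ("kernel: FW-DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
            "SRC=198.51.100.4 DST=192.0.2.10 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=31337 "
            "PROTO=UDP SPT=53 DPT=33456 LEN=58")
```

The ICMP branch is left out because `IPTABLES_INCOMPLETE_PACKET` is reached on two paths and Python's `re` rejects the duplicate `incomplete` group name that Grok accepts. Note also that the lookbehind in `IPTABLES_TCP_FLAGS` requires a space immediately before each flag, so a line carrying `ACK PSH` yields `tcp_flags` of `ACK` only; detection logic keyed on later flags should account for that.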
maprangzth commented Nov 7, 2019

Thank you very much! This could save me a lot of time in the future!
