-
-
Save clifford64/5307cd3e02300b180192cb6682945736 to your computer and use it in GitHub Desktop.
Security Onion snort logstash conf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| filter { | |
| if [type] == "snort" { | |
| # This is the initial parsing of the log | |
| grok { | |
| match => ["message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+<%{DATA:interface}>\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip}):%{INT:destination_port}", | |
| "message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+<%{DATA:interface}>\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip})", | |
| "message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+%{IPV4:destination_ip}:%{INT:destination_port}", | |
| "message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip})", | |
| "message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip}):%{INT:destination_port}", | |
| "message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip})", | |
| "message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}", | |
| "message", "\A%{TIME} pid\(%{INT}\) Alert Received: %{INT} %{INT:priority} %{DATA:classification} %{DATA:interface} \{%{DATA:timestamp}} %{INT} %{INT} \{%{DATA:alert}} %{IP:source_ip} %{IP:destination_ip} %{INT:protocol} %{INT:source_port} %{INT:destination_port} %{INT:gid} %{INT:sid} %{INT:rev} %{INT} %{INT}\Z", | |
| "message", "%{GREEDYDATA:alert}"] | |
| } | |
| if [timestamp] { | |
| mutate { | |
| add_field => { "logstash_timestamp" => "%{@timestamp}" } | |
| } | |
| mutate { | |
| convert => { "logstash_timestamp" => "string" } | |
| } | |
| date { | |
| match => [ "timestamp", "yyyy-MM-dd HH:mm:ss" ] | |
| } | |
| mutate { | |
| rename => { "logstash_timestamp" => "timestamp" } | |
| } | |
| } | |
| # If the alert is a Snort GPL alert break it apart for easier reading and categorization | |
| if [alert] =~ "GPL " { | |
| # This will parse out the category type from the alert | |
| grok { | |
| match => { "alert" => "GPL\s+%{DATA:category}\s" } | |
| } | |
| # This will store the category | |
| mutate { | |
| add_field => { "rule_type" => "Snort GPL" } | |
| lowercase => [ "category"] | |
| } | |
| } | |
| # If the alert is an Emerging Threat alert break it apart for easier reading and categorization | |
| if [alert] =~ "ET " { | |
| # This will parse out the category type from the alert | |
| grok { | |
| match => { "alert" => "ET\s+%{DATA:category}\s" } | |
| } | |
| # This will store the category | |
| mutate { | |
| add_field => { "rule_type" => "Emerging Threats" } | |
| lowercase => [ "category"] | |
| } | |
| } | |
| # I recommend changing the field types below to integer so searches can do greater than or less than | |
| # and also so math functions can be ran against them | |
| mutate { | |
| convert => [ "source_port", "integer" ] | |
| convert => [ "destination_port", "integer" ] | |
| convert => [ "gid", "integer" ] | |
| convert => [ "sid", "integer" ] | |
| # remove_field => [ "message"] | |
| } | |
| # This will translate the priority field into a severity field of either High, Medium, or Low | |
| if [priority] == 1 { | |
| mutate { | |
| add_field => { "severity" => "High" } | |
| } | |
| } | |
| if [priority] == 2 { | |
| mutate { | |
| add_field => { "severity" => "Medium" } | |
| } | |
| } | |
| if [priority] == 3 { | |
| mutate { | |
| add_field => { "severity" => "Low" } | |
| } | |
| } | |
| # This section adds URLs to lookup information about a rule online | |
| if [sid] and [sid] > 0 and [sid] < 1000000 { | |
| mutate { | |
| add_field => [ "signature_info", "https://www.snort.org/search?query=%{gid}-%{sid}" ] | |
| } | |
| } | |
| if [sid] and [sid] > 1999999 and [sid] < 2999999 { | |
| mutate { | |
| add_field => [ "signature_info", "http://doc.emergingthreats.net/%{sid}" ] | |
| } | |
| } | |
| # mutate { | |
| #add_tag => [ "conf_file_1033"] | |
| # } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment