maprangzth/iptables.grok

## iptables.grok
# GROK Custom Patterns (add to patterns directory and reference in GROK filter for iptables events):
# GROK Patterns for iptables Logging Format
#
# Created 6 Aug 2016 by Brian Turek <brian.turek@gmail.com>
# Most of this was taken from another source but now I cannot find it for credit
#
# Usage: Use the IPTABLES pattern

NETFILTERMAC %{MAC:dest_mac}:%{MAC:src_mac}:%{ETHTYPE:ethtype}
ETHTYPE (?:(?:[A-Fa-f0-9]{2}):(?:[A-Fa-f0-9]{2}))

IPTABLES_ETHERNET IN=%{DATA:iface}? OUT=%{DATA:oface}? MAC=%{NETFILTERMAC}?

IPTABLES_PORT_PAIR SPT=%{INT:src_port} DPT=%{INT:dest_port}

IPTABLES_TCP_FLAGS ((?<= )(CWR|ECE|URG|ACK|PSH|RST|SYN|FIN))*
IPTABLES_TCP_SEQ SEQ=%{INT:sequence_number} ACK=%{INT:ack_number}
IPTABLES_TCP_DETAILS (?:%{IPTABLES_TCP_SEQ} )?WINDOW=%{INT:tcp_window} RES=%{BASE16NUM:res} %{IPTABLES_TCP_FLAGS:tcp_flags}
IPTABLES_INCOMPLETE_PACKET INCOMPLETE \[%{INT:incomplete} bytes\]

IPTABLES_UDP_DETAILS LEN=%{INT:data_length}

IPTABLES_ICMP_EXTRA_ECHO ID=%{INT:icmp_echo_id} SEQ=%{INT:icmp_echo_sequence}
IPTABLES_ICMP_EXTRA_PARAM PARAMETER=%{INT:icmp_parameter}
IPTABLES_ICMP_EXTRA_REDIRECT GATEWAY=%{IP:icmp_redirect}
IPTABLES_ICMP_EXTRA ( (?:%{IPTABLES_ICMP_EXTRA_ECHO}|%{IPTABLES_ICMP_EXTRA_PARAM}|%{IPTABLES_ICMP_EXTRA_REDIRECT}))*
IPTABLES_ICMP_DETAILS TYPE=%{INT:icmp_type} CODE=%{INT:icmp_code}(( %{IPTABLES_INCOMPLETE_PACKET})|%{IPTABLES_ICMP_EXTRA})
IPTABLES_ICMP_NESTED \[%{IPTABLES_IP_START}%{IPTABLES_IP_STDPROTOCOLS}\s*\]

IPTABLES_PROTOCOL PROTO=%{WORD:proto}

IPTABLES_IP_PAYLOAD %{IPTABLES_PROTOCOL}( %{IPTABLES_PORT_PAIR})?( (%{IPTABLES_TCP_DETAILS}|%{IPTABLES_UDP_DETAILS}|%{IPTABLES_ICMP_DETAILS}|%{IPTABLES_INCOMPLETE_PACKET}))?

IPTABLES_IP_FRAGFLAG ((?<= )(CE|DF|MF))*
IPTABLES_IP_START SRC=%{IP:src_ip} DST=%{IP:dest_ip} LEN=%{INT:length} TOS=%{BASE16NUM:tos} PREC=%{BASE16NUM:prec} TTL=%{INT:ttl} ID=%{INT:id}(?: %{IPTABLES_IP_FRAGFLAG:flags})?(?: FRAG: %{INT:fragment})?
IPTABLES_IP %{IPTABLES_IP_START} %{IPTABLES_IP_PAYLOAD}

IPTABLES %{IPTABLES_ETHERNET} %{IPTABLES_IP}
	# GROK Custom Patterns (add to patterns directory and reference in GROK filter for iptables events):
	# GROK Patterns for iptables Logging Format
	#
	# Created 6 Aug 2016 by Brian Turek <brian.turek@gmail.com>
	# Most of this was taken from another source but now I cannot find it for credit
	#
	# Usage: Use the IPTABLES pattern

	NETFILTERMAC %{MAC:dest_mac}:%{MAC:src_mac}:%{ETHTYPE:ethtype}
	ETHTYPE (?:(?:[A-Fa-f0-9]{2}):(?:[A-Fa-f0-9]{2}))

	IPTABLES_ETHERNET IN=%{DATA:iface}? OUT=%{DATA:oface}? MAC=%{NETFILTERMAC}?

	IPTABLES_PORT_PAIR SPT=%{INT:src_port} DPT=%{INT:dest_port}

	IPTABLES_TCP_FLAGS ((?<= )(CWR\|ECE\|URG\|ACK\|PSH\|RST\|SYN\|FIN))*
	IPTABLES_TCP_SEQ SEQ=%{INT:sequence_number} ACK=%{INT:ack_number}
	IPTABLES_TCP_DETAILS (?:%{IPTABLES_TCP_SEQ} )?WINDOW=%{INT:tcp_window} RES=%{BASE16NUM:res} %{IPTABLES_TCP_FLAGS:tcp_flags}
	IPTABLES_INCOMPLETE_PACKET INCOMPLETE \[%{INT:incomplete} bytes\]

	IPTABLES_UDP_DETAILS LEN=%{INT:data_length}

	IPTABLES_ICMP_EXTRA_ECHO ID=%{INT:icmp_echo_id} SEQ=%{INT:icmp_echo_sequence}
	IPTABLES_ICMP_EXTRA_PARAM PARAMETER=%{INT:icmp_parameter}
	IPTABLES_ICMP_EXTRA_REDIRECT GATEWAY=%{IP:icmp_redirect}
	IPTABLES_ICMP_EXTRA ( (?:%{IPTABLES_ICMP_EXTRA_ECHO}\|%{IPTABLES_ICMP_EXTRA_PARAM}\|%{IPTABLES_ICMP_EXTRA_REDIRECT}))*
	IPTABLES_ICMP_DETAILS TYPE=%{INT:icmp_type} CODE=%{INT:icmp_code}(( %{IPTABLES_INCOMPLETE_PACKET})\|%{IPTABLES_ICMP_EXTRA})
	IPTABLES_ICMP_NESTED \[%{IPTABLES_IP_START}%{IPTABLES_IP_STDPROTOCOLS}\s*\]

	IPTABLES_PROTOCOL PROTO=%{WORD:proto}

	IPTABLES_IP_PAYLOAD %{IPTABLES_PROTOCOL}( %{IPTABLES_PORT_PAIR})?( (%{IPTABLES_TCP_DETAILS}\|%{IPTABLES_UDP_DETAILS}\|%{IPTABLES_ICMP_DETAILS}\|%{IPTABLES_INCOMPLETE_PACKET}))?

	IPTABLES_IP_FRAGFLAG ((?<= )(CE\|DF\|MF))*
	IPTABLES_IP_START SRC=%{IP:src_ip} DST=%{IP:dest_ip} LEN=%{INT:length} TOS=%{BASE16NUM:tos} PREC=%{BASE16NUM:prec} TTL=%{INT:ttl} ID=%{INT:id}(?: %{IPTABLES_IP_FRAGFLAG:flags})?(?: FRAG: %{INT:fragment})?
	IPTABLES_IP %{IPTABLES_IP_START} %{IPTABLES_IP_PAYLOAD}

	IPTABLES %{IPTABLES_ETHERNET} %{IPTABLES_IP}