Hi,
I wanted to know how I can define and extract a field in the parser from
messages, with an "if it exists"-like option.

For example, I am using Bro Syslog. Following is some sample data:

SYSLOG | severity:ERR uid:C5oe7F5SYMWqfVKKj id.orig_p:514 id.resp_p:514
proto:udp id.orig_h:10.2.2.1 message:Feb 20 12:11:18 suricata[72950]:
[1:2000538:8] ET SCAN NMAP -sA (1) [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 74.125.133.189:443 -> 10.2.2.202:52012
facility:LOCAL5 ts:1550646678.442785 id.resp_h:172.16.4.18

From the Message field, I want to extract Classification, Priority, and the TCP From
-> To IPs.

Can I make some kind of configuration in the Bro Parser to get this
information back as:

Classification: <String>
Priority: <String>
TCP From: <IP>
TCP To: <IP>

Any guidance will be great help.

-- 
With Regards
Farrukh Naveed Anjum

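The extraction asked about above, as an added example that is not part of the original thread or of the Bro parser itself: a small Python parser that isolates the free-text message field of the Bro syslog record and pulls Classification, Priority and the {TCP} From -> To IP tuple out of the Suricata alert with "if it exists" semantics (absent pieces are simply omitted). The sample record is constructed from the post's own data; the field names in the result are assumed.

```python
import re
from typing import Optional

# Constructed sample record, built from the Bro syslog line shown in the post
# (mail wrapping removed, so it is one line of key:value pairs).
SAMPLE = (
    "SYSLOG | severity:ERR uid:C5oe7F5SYMWqfVKKj id.orig_p:514 id.resp_p:514 "
    "proto:udp id.orig_h:10.2.2.1 message:Feb 20 12:11:18 suricata[72950]: "
    "[1:2000538:8] ET SCAN NMAP -sA (1) [Classification: Attempted Information "
    "Leak] [Priority: 2] {TCP} 74.125.133.189:443 -> 10.2.2.202:52012 "
    "facility:LOCAL5 ts:1550646678.442785 id.resp_h:172.16.4.18"
)

# Each piece of the Suricata alert gets its own search so that a message
# missing, say, [Priority: N] still yields the other fields.
CLASSIFICATION_RE = re.compile(r"\[Classification:\s*([^\]]+)\]")
PRIORITY_RE = re.compile(r"\[Priority:\s*(\d+)\]")
# {PROTO} src_ip:port -> dst_ip:port  (IPv4 only, as in the sample)
FLOW_RE = re.compile(
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<src_port>\d+)\s+->\s+"
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<dst_port>\d+)"
)


def message_field(record: str) -> Optional[str]:
    """Return the text after 'message:' up to the next Bro key ('facility:')."""
    m = re.search(r"message:(.*?)(?=\s+facility:|$)", record, re.S)
    return m.group(1).strip() if m else None


def extract_alert_fields(record: str) -> dict:
    """Classification, Priority and flow tuple from a Bro syslog record.

    Fields that do not exist in the message are left out of the result.
    """
    out = {}
    msg = message_field(record)
    if msg is None:
        return out
    m = CLASSIFICATION_RE.search(msg)
    if m:
        out["classification"] = m.group(1).strip()
    m = PRIORITY_RE.search(msg)
    if m:
        out["priority"] = m.group(1)
    m = FLOW_RE.search(msg)
    if m:
        out["proto"] = m.group("proto")
        out["from_ip"], out["from_port"] = m.group("src_ip"), int(m.group("src_port"))
        out["to_ip"], out["to_port"] = m.group("dst_ip"), int(m.group("dst_port"))
    return out
```

The same regular expressions can be carried over into whichever field-extraction mechanism the parser configuration supports; the point is that each optional piece is matched independently rather than with one all-or-nothing pattern.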