Can you find an instance of one of these logs in Kibana or ES and give us a
sanitized version of that?
On February 21, 2019 at 02:55:09, Farrukh Naveed Anjum (
anjum.farr...@gmail.com) wrote:
Hi this is the original event received to bro
SYSLOG | *severity:*NOTICE uid:CN4kU02atBGK0qlA5g *id.orig_p*:514
*id.resp_p*:514 *proto*:udp id.orig_h:10.2.2.1 *message*:Feb 21 12:46:50
suricata[72280]: [Drop] [1:51000003:0] OPN_Social_Media - Facebook - DNS
request for facebook.com [Classification: Social-Media app detection by
OPNsense] [Priority: 2] {UDP} 10.2.2.236:11928 -> 114.114.114.114:53
*facility:*LOCAL5 ts:1550735210.67931 id.resp_h:172.16.4.18
All I am asking is to further extract *message*
Feb 21 12:46:50 suricata[72280]: [Drop] [1:51000003:0] OPN_Social_Media -
Facebook - DNS request for facebook.com [Classification: Social-Media app
detection by OPNsense] [Priority: 2] {UDP} 10.2.2.236:11928 ->
114.114.114.114:53
Following is the default parser for bro.
{
"parserClassName":"org.apache.metron.parsers.bro.BasicBroParser",
"filterClassName":null,
"sensorTopic":"bro",
"outputTopic":null,
"errorTopic":null,
"writerClassName":null,
"errorWriterClassName":null,
"readMetadata":false,
"mergeMetadata":false,
"numWorkers":null,
"numAckers":null,
"spoutParallelism":1,
"spoutNumTasks":1,
"parserParallelism":1,
"parserNumTasks":1,
"errorWriterParallelism":1,
"errorWriterNumTasks":1,
"spoutConfig":{
},
"securityProtocol":null,
"stormConfig":{
},
"parserConfig":{
},
"fieldTransformations":[
],
"cacheConfig":{
},
"rawMessageStrategy":"DEFAULT",
"rawMessageStrategyConfig":{
}
}
Can you please tell me how can i extract *Classification*, *Priority*, *UDP*
(*From*) --> (*To*) IP.
How can I extract fields and apply the Parser Chaining in it ?
On Wed, Feb 20, 2019 at 10:08 PM Simon Elliston Ball <
si...@simonellistonball.com> wrote:
> You might like to look into parser chaining for this:
> https://metron.apache.org/current-book/metron-platform/metron-parsers/ParserChaining.html
>
> Simon
>
> On 20 Feb 2019, at 16:47, Farrukh Naveed Anjum <anjum.farr...@gmail.com>
> wrote:
>
> Yes, I am using BRO Parser, Can I sub divide the *message* field
>
> On Wed, Feb 20, 2019 at 7:39 PM Otto Fowler <ottobackwa...@gmail.com>
> wrote:
>
>> Can you print what the fields are after parsing? These are the fields
>> that you will be able to use Stellar on, to possibly extract your info.
>> Are you using the Bro parser?
>>
>>
>> On February 20, 2019 at 02:14:17, Farrukh Naveed Anjum (
>> anjum.farr...@gmail.com) wrote:
>>
>> Hi,
>> I wanted to know how can I define and extract a field in parser from
>> messages. With If It Exists like option
>>
>> For example. I am using Bro Syslog. Following is a sample data
>>
>> SYSLOG | severity:ERR uid:C5oe7F5SYMWqfVKKj id.orig_p:514 id.resp_p:514
>> proto:udp id.orig_h:10.2.2.1 message:Feb 20 12:11:18 suricata[72950]:
>> [1:2000538:8] ET SCAN NMAP -sA (1) [Classification: Attempted
>> Information Leak] [Priority: 2] {TCP} 74.125.133.189:443 ->
>> 10.2.2.202:52012 facility:LOCAL5 ts:1550646678.442785
>> id.resp_h:172.16.4.18
>>
>> From Message Field, I want to extract Classification, Priority and TCP
>> From -> To IPs.
>>
>> Can I make some kind of configurations in Bro Parser to get this
>> information Back As
>>
>> *Classification* <String>
>> *Priority* <String>
>> *TCP* From <IP>
>> *TCP* To <IP>
>>
>> Any guidance will be great help.
>>
>>
>>
>>
>>
>> --
>> With Regards
>> Farrukh Naveed Anjum
>>
>>
>
> --
> With Regards
> Farrukh Naveed Anjum
>
>
--
With Regards
Farrukh Naveed Anjum
