Logstash regular expression for extracting Suricata fast.log fields

09/20/2020-00:18:32.710309  [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 213.212.243.106:49614 -> 1.1.1.1:1433

Regular expression (I can't write regex; I guessed at this by following a tutorial):

filter {
  if [type] == "SuricataAlert" {
    grok {
      # one Oniguruma-style named capture per fast.log field
      match => { "message" => "(?<time>[0-9/.:-]*)  (?<note>[^ ]{0,4}) (?<ruid>[^a-zA-Z]+) (?<msg>[0-9a-zA-Z ]+) (?<note1>[^ ]{0,4}) (?<Classification>\[{1}[a-zA-Z: ]*\]{1}) (?<Priority>[a-zA-Z0-9\]\[: ]*) (?<procotol>[a-zA-Z\}\{:]*) (?<src>[0-9.:]*) (?<to>[->]*) (?<dst>[0-9.:]*)" }
      # drop the raw line; grok only applies this when the match succeeds
      remove_field => ["message"]
    }
  }
}

Result:

{
  "msg": "ET SCAN Suspicious inbound to MSSQL port 1433",
  "note": "[**]",
  "procotol": "{TCP}",
  "dst": "1.1.1.1:1433",
  "src": "213.212.243.106:49614",
  "Priority": "[Priority: 2]",
  "ruid": "[1:2010935:3]",
  "Classification": "[Classification: Potentially Bad Traffic]",
  "time": "09/20/2020-00:18:32.710309",
  "to": "->",
  "note1": "[**]"
}
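The pattern above works on the sample line, but it is built from loose character classes rather than the fixed layout of fast.log, so a rule message containing punctuation (a slash, a dot, parentheses) or an IPv6 address will fail to match and the event will land with a _grokparsefailure tag. The following Ruby example is added here and is not from the post: it runs the post's pattern verbatim beside a stricter pattern that spells out the fixed separators and captures the alert as typed fields. Both use Oniguruma-style (?<name>...) captures, so the same pattern string works in Ruby and inside a Logstash grok match (grok runs on Joni, a port of Oniguruma). The first sample line is the one from the post; the other two lines, the rule ids 9000001/9000002 and the field names are constructed for the example, and it assumes one alert per line as Suricata writes it.

```ruby
# Added example (not from the post): parse Suricata fast.log alert lines into
# typed fields and compare the post's grok regex with a stricter pattern.
# Both patterns use (?<name>...) captures, so the same string works in Ruby
# and inside a Logstash grok `match`; nothing here depends on Logstash itself.

# Constructed sample input. The first line is the one from the post; the other
# two are made up to exercise punctuation in the rule message and an IPv6 flow.
SAMPLE_LINES = [
  '09/20/2020-00:18:32.710309  [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 213.212.243.106:49614 -> 1.1.1.1:1433',
  '09/20/2020-00:19:01.000001  [**] [1:9000001:1] EXAMPLE HTTP request to /admin/login.php (constructed rule) [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:51000 -> 198.51.100.5:80',
  '09/20/2020-00:19:05.123456  [**] [1:9000002:1] EXAMPLE ICMP echo request (constructed rule) [**] [Classification: Misc activity] [Priority: 3] {ICMP} 2001:db8::1:8 -> 2001:db8::2:0',
].freeze

# The post's pattern, verbatim (single-quoted so the backslashes stay literal).
ORIGINAL_PATTERN = Regexp.new(
  '(?<time>[0-9/.:-]*)  (?<note>[^ ]{0,4}) (?<ruid>[^a-zA-Z]+) (?<msg>[0-9a-zA-Z ]+) ' \
  '(?<note1>[^ ]{0,4}) (?<Classification>\[{1}[a-zA-Z: ]*\]{1}) (?<Priority>[a-zA-Z0-9\]\[: ]*) ' \
  '(?<procotol>[a-zA-Z\}\{:]*) (?<src>[0-9.:]*) (?<to>[->]*) (?<dst>[0-9.:]*)'
)

# Stricter pattern that follows the fast.log layout literally: the fixed
# separators are spelled out, brackets and braces are kept out of the captured
# values, and IPv6 addresses work because \S+ backtracks to the last ':' before
# the port. Assumption: one alert per line, as Suricata writes it.
FAST_LOG_PATTERN = Regexp.new(
  '^(?<timestamp>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)  ' \
  '\[\*\*\] \[(?<gid>\d+):(?<sid>\d+):(?<rev>\d+)\] (?<msg>.+?) \[\*\*\] ' \
  '\[Classification: (?<classification>[^\]]*)\] \[Priority: (?<priority>\d+)\] ' \
  '\{(?<protocol>[^}]+)\} (?<src_ip>\S+):(?<src_port>\d+) -> (?<dst_ip>\S+):(?<dst_port>\d+)$'
)

# Returns a hash of typed fields, or nil when the line is not a fast.log alert.
def parse_fast_log(line)
  m = FAST_LOG_PATTERN.match(line)
  return nil unless m
  {
    'timestamp'      => m[:timestamp],
    'gid'            => m[:gid].to_i,
    'sid'            => m[:sid].to_i,
    'rev'            => m[:rev].to_i,
    'msg'            => m[:msg],
    'classification' => m[:classification],
    'priority'       => m[:priority].to_i,
    'protocol'       => m[:protocol],
    'src_ip'         => m[:src_ip],
    'src_port'       => m[:src_port].to_i,
    'dst_ip'         => m[:dst_ip],
    'dst_port'       => m[:dst_port].to_i,
  }
end

# Runs the post's pattern and returns its raw named captures (strings with
# the surrounding brackets still attached), or nil when it does not match.
def parse_with_original(line)
  m = ORIGINAL_PATTERN.match(line)
  m && m.named_captures
end

# For each line, reports whether each pattern matched; a false for a real
# alert means that line would land in Logstash with a _grokparsefailure tag.
def compare_patterns(lines)
  lines.map do |line|
    { 'original' => !parse_with_original(line).nil?,
      'hardened' => !parse_fast_log(line).nil? }
  end
end

if $PROGRAM_NAME == __FILE__
  compare_patterns(SAMPLE_LINES).each_with_index do |result, i|
    puts "line #{i + 1}: original=#{result['original']} hardened=#{result['hardened']}"
  end
  p parse_fast_log(SAMPLE_LINES[0])
end
```

Running it shows the post's pattern matching only the first line while the stricter one parses all three. To use the stricter pattern in Logstash, paste the string between the single quotes as the value of match => { "message" => "..." }; with the default config.support_escapes: false, Logstash passes the backslashes through to grok unchanged.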

Tags: Suricata, Logstash, fast.log, regular expression, grok
