Can you print what the fields are after parsing? These are the fields that you will be able to use Stellar on, to possibly extract your info. Are you using the Bro parser?
On February 20, 2019 at 02:14:17, Farrukh Naveed Anjum ( [email protected]) wrote:

Hi,

I wanted to know how I can define and extract a field in the parser from messages, with an "if it exists"-like option, for example. I am using Bro Syslog. The following is a sample record:

SYSLOG | severity:ERR uid:C5oe7F5SYMWqfVKKj id.orig_p:514 id.resp_p:514 proto:udp id.orig_h:10.2.2.1 message:Feb 20 12:11:18 suricata[72950]: [1:2000538:8] ET SCAN NMAP -sA (1) [Classification: Attempted Information Leak] [Priority: 2] {TCP} 74.125.133.189:443 -> 10.2.2.202:52012 facility:LOCAL5 ts:1550646678.442785 id.resp_h:172.16.4.18

From the message field, I want to extract Classification, Priority and the TCP from/to IPs. Can I make some kind of configuration in the Bro parser to get this information back as:

*Classification* <String>
*Priority* <String>
*TCP* From <IP>
*TCP* To <IP>

Any guidance will be a great help.

--
With Regards
Farrukh Naveed Anjum
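An added example of the extraction the question asks for, written as a stand-alone Python script rather than as Metron's own Stellar or Bro-parser configuration (Stellar can apply the same regular expression to the parsed `message` field once the parser has produced it, but the exact function names vary by Metron version and are not assumed here). The sample message and record are constructed from the data quoted in the question; the `alert.*` output field names are an assumed naming convention, and the code handles the "if it exists" case by leaving records whose message is not a Suricata alert unchanged.

```python
import copy
import re
from typing import Any, Dict, Optional

# Constructed sample: the "message" field of the Bro syslog record quoted in
# the question (a Suricata fast-log alert delivered over syslog).
SAMPLE_MESSAGE = (
    "Feb 20 12:11:18 suricata[72950]: [1:2000538:8] ET SCAN NMAP -sA (1) "
    "[Classification: Attempted Information Leak] [Priority: 2] "
    "{TCP} 74.125.133.189:443 -> 10.2.2.202:52012"
)

# Constructed sample: the same record as the parser's key/value output.
# Note that id.orig_h / id.resp_h are the syslog sender and receiver,
# not the endpoints of the flow that triggered the alert.
SAMPLE_RECORD: Dict[str, Any] = {
    "severity": "ERR",
    "uid": "C5oe7F5SYMWqfVKKj",
    "id.orig_p": 514,
    "id.resp_p": 514,
    "proto": "udp",
    "id.orig_h": "10.2.2.1",
    "id.resp_h": "172.16.4.18",
    "facility": "LOCAL5",
    "ts": 1550646678.442785,
    "message": SAMPLE_MESSAGE,
}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Suricata fast-log alert body:
#   [gid:sid:rev] signature [Classification: c] [Priority: p] {PROTO} src[:port] -> dst[:port]
# Ports are optional so that ICMP alerts (which carry none) still match. IPv4 only;
# IPv6 addresses with ports would need a different address pattern.
SURICATA_ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<signature>.*?)\s+"
    r"\[Classification:\s*(?P<classification>[^\]]*?)\s*\]\s+"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    rf"(?P<src_ip>{IPV4})(?::(?P<src_port>\d+))?\s+->\s+"
    rf"(?P<dst_ip>{IPV4})(?::(?P<dst_port>\d+))?"
)


def parse_suricata_alert(message: str) -> Optional[Dict[str, Any]]:
    """Extract alert fields from a syslog message body.

    Returns None when the message is not a Suricata alert, so callers can
    treat the extraction as optional instead of failing the whole record.
    """
    m = SURICATA_ALERT_RE.search(message)
    if m is None:
        return None
    g = m.groupdict()
    return {
        "gid": int(g["gid"]),
        "sid": int(g["sid"]),
        "rev": int(g["rev"]),
        "signature": g["signature"],
        "classification": g["classification"],
        "priority": int(g["priority"]),
        "proto": g["proto"],
        "src_ip": g["src_ip"],
        "src_port": int(g["src_port"]) if g["src_port"] else None,
        "dst_ip": g["dst_ip"],
        "dst_port": int(g["dst_port"]) if g["dst_port"] else None,
    }


def enrich_record(record: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of a parsed Bro syslog record with assumed alert.* fields added
    when its message is a Suricata alert; other records come back unchanged."""
    out = copy.deepcopy(record)
    alert = parse_suricata_alert(str(record.get("message", "")))
    if alert is not None:
        for key, value in alert.items():
            out[f"alert.{key}"] = value
    return out


if __name__ == "__main__":
    for key, value in sorted(enrich_record(SAMPLE_RECORD).items()):
        print(f"{key}: {value}")
```

The point worth checking before wiring this into a parser chain: in the sample, the Bro fields `id.orig_h` (10.2.2.1) and `id.resp_h` (172.16.4.18) describe the syslog transport, while the addresses the question wants (74.125.133.189 -> 10.2.2.202) only exist inside the `message` string, so they have to come from a second extraction step over that field, and any downstream rule should reference the `alert.*` fields rather than the syslog endpoints.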
