Yes, I am using BRO Parser. Can I sub-divide the *message* field?

On Wed, Feb 20, 2019 at 7:39 PM Otto Fowler <[email protected]> wrote:
> Can you print what the fields are after parsing? These are the fields
> that you will be able to use Stellar on, to possibly extract your info.
> Are you using the Bro parser?
>
>
> On February 20, 2019 at 02:14:17, Farrukh Naveed Anjum (
> [email protected]) wrote:
>
> Hi,
> I wanted to know how I can define and extract a field in the parser from
> messages, with an "If It Exists"-like option.
>
> For example, I am using Bro Syslog. Following is a sample data:
>
> SYSLOG | severity:ERR uid:C5oe7F5SYMWqfVKKj id.orig_p:514 id.resp_p:514
> proto:udp id.orig_h:10.2.2.1 message:Feb 20 12:11:18 suricata[72950]:
> [1:2000538:8] ET SCAN NMAP -sA (1) [Classification: Attempted Information
> Leak] [Priority: 2] {TCP} 74.125.133.189:443 -> 10.2.2.202:52012
> facility:LOCAL5 ts:1550646678.442785 id.resp_h:172.16.4.18
>
> From the message field, I want to extract Classification, Priority and the TCP
> from/to IPs.
>
> Can I make some kind of configuration in the Bro Parser to get this
> information back as
>
> *Classification* <String>
> *Priority* <String>
> *TCP* From <IP>
> *TCP* To <IP>
>
> Any guidance will be a great help.
>
> --
> With Regards
> Farrukh Naveed Anjum
>

--
With Regards
Farrukh Naveed Anjum
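The extraction asked about in the thread, as an added example that is not part of the original mails and not Metron or Stellar code: a small Python parser that takes the Bro syslog `message` value quoted above (embedded here as a constructed sample, copied from the record in the mail) and pulls out Classification, Priority, the protocol and the from/to IPs and ports. It also handles the "if it exists" requirement: each piece is searched for independently, so a message without a Classification or Priority block, or an alert without ports (the ICMP sample below is constructed), still yields whatever is present. The output field names (`ip_src_addr`, `ip_dst_addr`, `ip_src_port`, `ip_dst_port`, `protocol`) are an assumption chosen to follow Metron's usual enrichment field names; the regexes match the Suricata fast.log alert layout visible in the sample and assume IPv4 addresses.

```python
import re
from typing import Dict, Union

# Constructed sample: the "message" value from the Bro syslog record quoted in the thread.
SAMPLE_MESSAGE = (
    "Feb 20 12:11:18 suricata[72950]: [1:2000538:8] ET SCAN NMAP -sA (1) "
    "[Classification: Attempted Information Leak] [Priority: 2] "
    "{TCP} 74.125.133.189:443 -> 10.2.2.202:52012"
)

# Constructed sample of an alert with no Classification/Priority block and no ports.
SAMPLE_ICMP_MESSAGE = (
    "Feb 20 12:12:00 suricata[72950]: [1:2100366:7] GPL ICMP_INFO PING *NIX "
    "{ICMP} 10.0.0.1 -> 10.0.0.2"
)

# Suricata fast.log layout, as seen in the sample:
#   [gid:sid:rev] <signature> [Classification: ...] [Priority: N] {PROTO} src[:port] -> dst[:port]
# Every piece has its own regex so that a missing piece does not break the others
# (the "if it exists" behaviour asked for in the thread).
SIGNATURE_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<signature>.*?)\s+(?=\[Classification:|\[Priority:|\{)"
)
CLASSIFICATION_RE = re.compile(r"\[Classification:\s*(?P<classification>[^\]]+)\]")
PRIORITY_RE = re.compile(r"\[Priority:\s*(?P<priority>\d+)\]")
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"  # assumption: IPv4 only, as in the sample
FLOW_RE = re.compile(
    r"\{(?P<protocol>[A-Za-z0-9]+)\}\s+"
    rf"(?P<ip_src_addr>{IPV4})(?::(?P<ip_src_port>\d+))?\s+->\s+"
    rf"(?P<ip_dst_addr>{IPV4})(?::(?P<ip_dst_port>\d+))?"
)


def extract_alert_fields(message: str) -> Dict[str, Union[str, int]]:
    """Sub-divide a Bro syslog 'message' value into Suricata alert fields.

    Only pieces actually present in the message are returned. Ports become
    ints; Classification and Priority stay strings, matching the <String>
    types requested in the thread. Field names are an assumption modelled
    on Metron's conventional ip_src_addr / ip_dst_addr / protocol names.
    """
    fields: Dict[str, Union[str, int]] = {}
    for regex in (SIGNATURE_RE, CLASSIFICATION_RE, PRIORITY_RE, FLOW_RE):
        match = regex.search(message)
        if match is None:
            continue  # this piece does not exist in the message; skip it
        for name, value in match.groupdict().items():
            if value is None:
                continue  # optional group (e.g. port on an ICMP alert) absent
            fields[name] = int(value) if name.endswith("_port") else value
    return fields


if __name__ == "__main__":
    for sample in (SAMPLE_MESSAGE, SAMPLE_ICMP_MESSAGE):
        for key, value in extract_alert_fields(sample).items():
            print(f"{key}: {value}")
        print("---")
```

The message value contains both spaces and colons (the timestamp, `suricata[72950]:`, the `ip:port` pairs), so splitting it on whitespace or `:` the way the outer `key:value` record is split would tear it apart; anchoring on the bracketed and braced markers instead is what keeps the extraction stable. The same per-piece regexes can be carried over to a Stellar field transformation on the parsed `message` field, which is what the reply above points at.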
