{
  "_index": "bro_index_2019.02.26.10",
  "_type": "bro_doc",
  "_id": "2ecb0750-00c5-4617-95d7-eeaba539d12d",
  "_version": 1,
  "_score": null,
  "_source": {
    "bro_timestamp": "1551159048.102709",
    "ip_dst_port": 514,
    "adapter:geoadapter:begin:ts": "1551159049014",
    "parallelenricher:enrich:end:ts": "1551159049017",
    "uid": "CEyre817MtElGE642a",
    "protocol": "syslog",
    "source:type": "bro",
    "adapter:threatinteladapter:end:ts": "1551159049016",
    "original_string": "SYSLOG | severity:NOTICE uid:CEyre817MtElGE642a id.orig_p:514 id.resp_p:514 proto:udp id.orig_h:10.2.2.1 message:Feb 26 10:30:48 suricata[1546]: [Drop] [1:51000003:0] OPN_Social_Media - Facebook - DNS request for facebook.com [Classification: Social-Media app detection by OPNsense] [Priority: 2] {UDP} 10.2.2.115:25269 -> 8.8.8.8:53 facility:LOCAL5 ts:1551159048.102709 id.resp_h:172.16.4.18",
    "ip_dst_addr": "172.16.4.18",
    "adapter:hostfromjsonlistadapter:end:ts": "1551159049014",
    "adapter:geoadapter:end:ts": "1551159049015",
    "ip_src_addr": "10.2.2.1",
    "timestamp": 1551159048102,
    "severity": "NOTICE",
    "parallelenricher:enrich:begin:ts": "1551159049016",
    "adapter:hostfromjsonlistadapter:begin:ts": "1551159049014",
    "message": "Feb 26 10:30:48 suricata[1546]: [Drop] [1:51000003:0] OPN_Social_Media - Facebook - DNS request for facebook.com [Classification: Social-Media app detection by OPNsense] [Priority: 2] {UDP} 10.2.2.115:25269 -> 8.8.8.8:53",
    "parallelenricher:splitter:begin:ts": "1551159049016",
    "ip_src_port": 514,
    "proto": "udp",
    "parallelenricher:splitter:end:ts": "1551159049016",
    "adapter:threatinteladapter:begin:ts": "1551159049016",
    "guid": "2ecb0750-00c5-4617-95d7-eeaba539d12d",
    "facility": "LOCAL5"
  },
  "fields": {
    "parallelenricher:enrich:begin:ts": [
      1551159049016
    ],
    "adapter:geoadapter:begin:ts": [
      1551159049014
    ],
    "adapter:hostfromjsonlistadapter:begin:ts": [
      1551159049014
    ],
    "parallelenricher:enrich:end:ts": [
      1551159049017
    ],
    "parallelenricher:splitter:begin:ts": [
      1551159049016
    ],
    "adapter:threatinteladapter:end:ts": [
      1551159049016
    ],
    "adapter:hostfromjsonlistadapter:end:ts": [
      1551159049014
    ],
    "parallelenricher:splitter:end:ts": [
      1551159049016
    ],
    "adapter:threatinteladapter:begin:ts": [
      1551159049016
    ],
    "adapter:geoadapter:end:ts": [
      1551159049015
    ],
    "timestamp": [
      1551159048102
    ]
  },
  "highlight": {
    "original_string": [
      "SYSLOG | severity:NOTICE uid:CEyre817MtElGE642a id.orig_p:514 id.resp_p:514 proto:udp id.orig_h:10.2.2.1 message:Feb 26 10:30:48 suricata[1546]: [Drop] [1:51000003:0] OPN_Social_Media - Facebook - DNS request for facebook.com [@kibana-highlighted-field@Classification@/kibana-highlighted-field@: Social-Media app detection by OPNsense] [Priority: 2] {UDP} 10.2.2.115:25269 -> 8.8.8.8:53 facility:LOCAL5 ts:1551159048.102709 id.resp_h:172.16.4.18"
    ]
  },
  "sort": [
    1551159048102
  ]
}

On Thu, Feb 21, 2019 at 8:00 PM Otto Fowler <[email protected]> wrote:

> Can you find an instance of one of these logs in Kibana or ES and give us
> a sanitized version of that?
>
> On February 21, 2019 at 02:55:09, Farrukh Naveed Anjum (
> [email protected]) wrote:
>
> Hi, this is the original event received by Bro:
>
> SYSLOG | *severity:*NOTICE uid:CN4kU02atBGK0qlA5g *id.orig_p*:514
> *id.resp_p*:514 *proto*:udp id.orig_h:10.2.2.1 *message*:Feb 21 12:46:50
> suricata[72280]: [Drop] [1:51000003:0] OPN_Social_Media - Facebook - DNS
> request for facebook.com [Classification: Social-Media app detection by
> OPNsense] [Priority: 2] {UDP} 10.2.2.236:11928 -> 114.114.114.114:53
> *facility:*LOCAL5 ts:1550735210.67931 id.resp_h:172.16.4.18
>
>
> All I am asking is to further extract *message*
> Feb 21 12:46:50 suricata[72280]: [Drop] [1:51000003:0] OPN_Social_Media -
> Facebook - DNS request for facebook.com [Classification: Social-Media app
> detection by OPNsense] [Priority: 2] {UDP} 10.2.2.236:11928 ->
> 114.114.114.114:53
>
> The following is the default parser for Bro.
> {
>    "parserClassName":"org.apache.metron.parsers.bro.BasicBroParser",
>    "filterClassName":null,
>    "sensorTopic":"bro",
>    "outputTopic":null,
>    "errorTopic":null,
>    "writerClassName":null,
>    "errorWriterClassName":null,
>    "readMetadata":false,
>    "mergeMetadata":false,
>    "numWorkers":null,
>    "numAckers":null,
>    "spoutParallelism":1,
>    "spoutNumTasks":1,
>    "parserParallelism":1,
>    "parserNumTasks":1,
>    "errorWriterParallelism":1,
>    "errorWriterNumTasks":1,
>    "spoutConfig":{
>
>    },
>    "securityProtocol":null,
>    "stormConfig":{
>
>    },
>    "parserConfig":{
>
>    },
>    "fieldTransformations":[
>
>    ],
>    "cacheConfig":{
>
>    },
>    "rawMessageStrategy":"DEFAULT",
>    "rawMessageStrategyConfig":{
>
>    }
> }
> Can you please tell me how I can extract *Classification*, *Priority*,
> *UDP* (*From*) --> (*To*) IP?
> How can I extract the fields and apply Parser Chaining to it?
>
> On Wed, Feb 20, 2019 at 10:08 PM Simon Elliston Ball <
> [email protected]> wrote:
>
>> You might like to look into parser chaining for this:
>> https://metron.apache.org/current-book/metron-platform/metron-parsers/ParserChaining.html
>>
>> Simon
>>
>> On 20 Feb 2019, at 16:47, Farrukh Naveed Anjum <[email protected]>
>> wrote:
>>
>> Yes, I am using the Bro parser. Can I subdivide the *message* field?
>>
>> On Wed, Feb 20, 2019 at 7:39 PM Otto Fowler <[email protected]>
>> wrote:
>>
>>> Can you print what the fields are after parsing? These are the fields
>>> that you will be able to use Stellar on, to possibly extract your info.
>>> Are you using the Bro parser?
>>>
>>>
>>> On February 20, 2019 at 02:14:17, Farrukh Naveed Anjum (
>>> [email protected]) wrote:
>>>
>>> Hi,
>>> I wanted to know how I can define and extract a field in a parser from
>>> messages, with an "if it exists"-like option.
>>>
>>> For example, I am using Bro syslog. The following is sample data:
>>>
>>> SYSLOG | severity:ERR uid:C5oe7F5SYMWqfVKKj id.orig_p:514 id.resp_p:514
>>> proto:udp id.orig_h:10.2.2.1 message:Feb 20 12:11:18 suricata[72950]:
>>> [1:2000538:8] ET SCAN NMAP -sA (1) [Classification: Attempted
>>> Information Leak] [Priority: 2] {TCP} 74.125.133.189:443 ->
>>> 10.2.2.202:52012 facility:LOCAL5 ts:1550646678.442785
>>> id.resp_h:172.16.4.18
>>>
>>> From the message field, I want to extract Classification, Priority and the
>>> TCP From -> To IPs.
>>>
>>> Can I make some kind of configuration in the Bro parser to get this
>>> information back as
>>>
>>> *Classification* <String>
>>> *Priority* <String>
>>> *TCP* From <IP>
>>> *TCP* To <IP>
>>>
>>> Any guidance would be a great help.
>>>
>>> --
>>> With Regards
>>> Farrukh Naveed Anjum
>>>
>>>
>>
>> --
>> With Regards
>> Farrukh Naveed Anjum
>>
>>
>
> --
> With Regards
> Farrukh Naveed Anjum
>
>

-- 
With Regards
Farrukh Naveed Anjum
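As an added illustration (not code from this thread or from Metron), here is the extraction the thread asks for, written in Python over the two sample messages quoted above: one regex pulls Classification, Priority, the protocol and the From/To IP:port out of the Suricata line, with [Drop] and [Classification: ...] treated as optional so a message that lacks them still parses. In Metron the same regex would sit in a Stellar field transformation or a chained parser; the function and output field names here are my own choice.

```python
import re

# Suricata fast-log alert as carried in Bro's syslog `message` field. [Drop] and
# [Classification: ...] are optional so the "ET SCAN" sample, which has no action, parses.
ALERT_RE = re.compile(
    r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d suricata\[\d+\]: "
    r"(?:\[(?P<action>[A-Za-z]+)\] )?"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<signature>.*?) "
    r"(?:\[Classification: (?P<classification>[^\]]*)\] )?"
    r"\[Priority: (?P<priority>\d+)\] "
    r"\{(?P<proto>[A-Za-z0-9]+)\} "
    r"(?P<src_ip>[0-9.]+):(?P<src_port>\d+) -> (?P<dst_ip>[0-9.]+):(?P<dst_port>\d+)$"
)

def parse_suricata_alert(message: str):
    """Return the alert's fields as a dict, or None when the line is not a Suricata alert."""
    m = ALERT_RE.match(message.strip())
    if not m:
        return None
    g = m.groupdict()
    return {
        "action": g["action"],                  # None unless Suricata logged e.g. [Drop]
        "sid": g["sid"],
        "signature": g["signature"],
        "classification": g["classification"],  # None when the rule carries none
        "priority": int(g["priority"]),
        "proto": g["proto"],
        # Prefixed on purpose: ip_src_addr/ip_dst_addr in the record above are the
        # syslog relay (10.2.2.1 -> 172.16.4.18), not the alert's endpoints.
        "alert_src_ip": g["src_ip"],
        "alert_src_port": int(g["src_port"]),
        "alert_dst_ip": g["dst_ip"],
        "alert_dst_port": int(g["dst_port"]),
    }

def enrich_bro_syslog(doc: dict) -> dict:
    """Copy a parsed Bro syslog record, adding alert fields only when `message` parses."""
    fields = parse_suricata_alert(doc.get("message", ""))
    if fields is None:
        return dict(doc)
    return {**doc, **{k: v for k, v in fields.items() if v is not None}}

# Constructed from the two messages quoted in this thread; the second has no [Drop].
SAMPLE_DROP = ("Feb 26 10:30:48 suricata[1546]: [Drop] [1:51000003:0] OPN_Social_Media - "
               "Facebook - DNS request for facebook.com [Classification: Social-Media app "
               "detection by OPNsense] [Priority: 2] {UDP} 10.2.2.115:25269 -> 8.8.8.8:53")
SAMPLE_SCAN = ("Feb 20 12:11:18 suricata[72950]: [1:2000538:8] ET SCAN NMAP -sA (1) "
               "[Classification: Attempted Information Leak] [Priority: 2] {TCP} "
               "74.125.133.189:443 -> 10.2.2.202:52012")
```

Fields that did not exist in the message are dropped rather than written as nulls, so downstream Stellar checks such as `exists(classification)` behave as the thread expects.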
