OK,
So the data you want is embedded inside the message field after parsing.
Syslog through Bro is a generic format: it parses out the message field, but
doesn’t parse the contents of the message itself.
If you need to parse the message contents out, it will be more work.

ip dest and ip source are there for you

>     "ip_dst_addr": "172.16.4.18",
>     "ip_src_addr": "10.2.2.1",

As for priority and classification, I think you can get them using two
Stellar REGEXP_GROUP_VAL() calls.



On February 26, 2019 at 00:41:47, Farrukh Naveed Anjum (
anjum.farr...@gmail.com) wrote:

If you are asking for the syslog log from Bro, the following is it:
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path syslog
#open 2019-02-26-00-00-00
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto facility
severity message
#types time string addr port addr port enum string string string

1551121201.339249 CEyre817MtElGE642a 10.2.2.1 514 172.16.4.18 514 udp
LOCAL5 NOTICE Feb 26 00:00:01 suricata[1546]: [Drop] [1:51000003:0]
OPN_Social_Media - Facebook - DNS request for facebook.com [Classification:
Social-Media app detection by OPNsense] [Priority: 2] {UDP} 10.2.2.153:39445
-> 8.8.8.8:53



On Tue, Feb 26, 2019 at 10:32 AM Farrukh Naveed Anjum <
anjum.farr...@gmail.com> wrote:

> {
>   "_index": "bro_index_2019.02.26.10",
>   "_type": "bro_doc",
>   "_id": "2ecb0750-00c5-4617-95d7-eeaba539d12d",
>   "_version": 1,
>   "_score": null,
>   "_source": {
>     "bro_timestamp": "1551159048.102709",
>     "ip_dst_port": 514,
>     "adapter:geoadapter:begin:ts": "1551159049014",
>     "parallelenricher:enrich:end:ts": "1551159049017",
>     "uid": "CEyre817MtElGE642a",
>     "protocol": "syslog",
>     "source:type": "bro",
>     "adapter:threatinteladapter:end:ts": "1551159049016",
>     "original_string": "SYSLOG | severity:NOTICE uid:CEyre817MtElGE642a
> id.orig_p:514 id.resp_p:514 proto:udp id.orig_h:10.2.2.1 message:Feb 26
> 10:30:48 suricata[1546]: [Drop] [1:51000003:0] OPN_Social_Media - Facebook
> - DNS request for facebook.com [Classification: Social-Media app
> detection by OPNsense] [Priority: 2] {UDP} 10.2.2.115:25269 -> 8.8.8.8:53
> facility:LOCAL5 ts:1551159048.102709 id.resp_h:172.16.4.18",
>     "ip_dst_addr": "172.16.4.18",
>     "adapter:hostfromjsonlistadapter:end:ts": "1551159049014",
>     "adapter:geoadapter:end:ts": "1551159049015",
>     "ip_src_addr": "10.2.2.1",
>     "timestamp": 1551159048102,
>     "severity": "NOTICE",
>     "parallelenricher:enrich:begin:ts": "1551159049016",
>     "adapter:hostfromjsonlistadapter:begin:ts": "1551159049014",
>     "message": "Feb 26 10:30:48 suricata[1546]: [Drop] [1:51000003:0]
> OPN_Social_Media - Facebook - DNS request for facebook.com
> [Classification: Social-Media app detection by OPNsense] [Priority: 2]
> {UDP} 10.2.2.115:25269 -> 8.8.8.8:53",
>     "parallelenricher:splitter:begin:ts": "1551159049016",
>     "ip_src_port": 514,
>     "proto": "udp",
>     "parallelenricher:splitter:end:ts": "1551159049016",
>     "adapter:threatinteladapter:begin:ts": "1551159049016",
>     "guid": "2ecb0750-00c5-4617-95d7-eeaba539d12d",
>     "facility": "LOCAL5"
>   },
>   "fields": {
>     "parallelenricher:enrich:begin:ts": [
>       1551159049016
>     ],
>     "adapter:geoadapter:begin:ts": [
>       1551159049014
>     ],
>     "adapter:hostfromjsonlistadapter:begin:ts": [
>       1551159049014
>     ],
>     "parallelenricher:enrich:end:ts": [
>       1551159049017
>     ],
>     "parallelenricher:splitter:begin:ts": [
>       1551159049016
>     ],
>     "adapter:threatinteladapter:end:ts": [
>       1551159049016
>     ],
>     "adapter:hostfromjsonlistadapter:end:ts": [
>       1551159049014
>     ],
>     "parallelenricher:splitter:end:ts": [
>       1551159049016
>     ],
>     "adapter:threatinteladapter:begin:ts": [
>       1551159049016
>     ],
>     "adapter:geoadapter:end:ts": [
>       1551159049015
>     ],
>     "timestamp": [
>       1551159048102
>     ]
>   },
>   "highlight": {
>     "original_string": [
>       "SYSLOG | severity:NOTICE uid:CEyre817MtElGE642a id.orig_p:514
> id.resp_p:514 proto:udp id.orig_h:10.2.2.1 message:Feb 26 10:30:48
> suricata[1546]: [Drop] [1:51000003:0] OPN_Social_Media - Facebook - DNS
> request for facebook.com [@kibana-highlighted-field@Classification
> @/kibana-highlighted-field@: Social-Media app detection by OPNsense]
> [Priority: 2] {UDP} 10.2.2.115:25269 -> 8.8.8.8:53 facility:LOCAL5
> ts:1551159048.102709 id.resp_h:172.16.4.18"
>     ]
>   },
>   "sort": [
>     1551159048102
>   ]
> }
>
> On Thu, Feb 21, 2019 at 8:00 PM Otto Fowler <ottobackwa...@gmail.com>
> wrote:
>
>> Can you find an instance of one of these logs in Kibana or ES and give us
>> a sanitized version of that?
>>
>>
>>
>> On February 21, 2019 at 02:55:09, Farrukh Naveed Anjum (
>> anjum.farr...@gmail.com) wrote:
>>
>> Hi this is the original event received to bro
>>
>> SYSLOG | *severity:*NOTICE uid:CN4kU02atBGK0qlA5g *id.orig_p*:514
>> *id.resp_p*:514 *proto*:udp id.orig_h:10.2.2.1 *message*:Feb 21 12:46:50
>> suricata[72280]: [Drop] [1:51000003:0] OPN_Social_Media - Facebook - DNS
>> request for facebook.com [Classification: Social-Media app detection by
>> OPNsense] [Priority: 2] {UDP} 10.2.2.236:11928 -> 114.114.114.114:53
>> *facility:*LOCAL5 ts:1550735210.67931 id.resp_h:172.16.4.18
>>
>>
>> All I am asking is to further extract *message*
>> Feb 21 12:46:50 suricata[72280]: [Drop] [1:51000003:0] OPN_Social_Media -
>> Facebook - DNS request for facebook.com [Classification: Social-Media
>> app detection by OPNsense] [Priority: 2] {UDP} 10.2.2.236:11928 ->
>> 114.114.114.114:53
>>
>> Following is the default parser for bro.
>> {
>>    "parserClassName":"org.apache.metron.parsers.bro.BasicBroParser",
>>    "filterClassName":null,
>>    "sensorTopic":"bro",
>>    "outputTopic":null,
>>    "errorTopic":null,
>>    "writerClassName":null,
>>    "errorWriterClassName":null,
>>    "readMetadata":false,
>>    "mergeMetadata":false,
>>    "numWorkers":null,
>>    "numAckers":null,
>>    "spoutParallelism":1,
>>    "spoutNumTasks":1,
>>    "parserParallelism":1,
>>    "parserNumTasks":1,
>>    "errorWriterParallelism":1,
>>    "errorWriterNumTasks":1,
>>    "spoutConfig":{
>>
>>    },
>>    "securityProtocol":null,
>>    "stormConfig":{
>>
>>    },
>>    "parserConfig":{
>>
>>    },
>>    "fieldTransformations":[
>>
>>    ],
>>    "cacheConfig":{
>>
>>    },
>>    "rawMessageStrategy":"DEFAULT",
>>    "rawMessageStrategyConfig":{
>>
>>    }
>> }
>> Can you please tell me how I can extract *Classification*, *Priority*,
>> *UDP* (*From*) --> (*To*) IP.
>> How can I extract fields and apply Parser Chaining to it?
>>
>>
>>
>>
>>
>>
>> On Wed, Feb 20, 2019 at 10:08 PM Simon Elliston Ball <
>> si...@simonellistonball.com> wrote:
>>
>>> You might like to look into parser chaining for this:
>>> https://metron.apache.org/current-book/metron-platform/metron-parsers/ParserChaining.html
>>>
>>> Simon
>>>
>>> On 20 Feb 2019, at 16:47, Farrukh Naveed Anjum <anjum.farr...@gmail.com>
>>> wrote:
>>>
>>> Yes, I am using the Bro parser. Can I subdivide the *message* field?
>>>
>>> On Wed, Feb 20, 2019 at 7:39 PM Otto Fowler <ottobackwa...@gmail.com>
>>> wrote:
>>>
>>>> Can you print what the fields are after parsing?  These are the fields
>>>> that you will be able to use Stellar on, to possibly extract your info.
>>>> Are you using the Bro parser?
>>>>
>>>>
>>>> On February 20, 2019 at 02:14:17, Farrukh Naveed Anjum (
>>>> anjum.farr...@gmail.com) wrote:
>>>>
>>>> Hi,
>>>> I wanted to know how I can define and extract a field in the parser from
>>>> messages, with an "if it exists"-like option.
>>>>
>>>> For example. I am using Bro Syslog. Following is a sample data
>>>>
>>>> SYSLOG | severity:ERR uid:C5oe7F5SYMWqfVKKj id.orig_p:514 id.resp_p:514
>>>> proto:udp id.orig_h:10.2.2.1 message:Feb 20 12:11:18 suricata[72950]:
>>>> [1:2000538:8] ET SCAN NMAP -sA (1) [Classification: Attempted
>>>> Information Leak] [Priority: 2] {TCP} 74.125.133.189:443 ->
>>>> 10.2.2.202:52012 facility:LOCAL5 ts:1550646678.442785
>>>> id.resp_h:172.16.4.18
>>>>
>>>> From Message Field, I want to extract Classification, Priority and TCP
>>>> From -> To IPs.
>>>>
>>>> Can I make some kind of configuration in the Bro parser to get this
>>>> information back as
>>>>
>>>> *Classification* <String>
>>>> *Priority* <String>
>>>> *TCP* From <IP>
>>>> *TCP* To <IP>
>>>>
>>>> Any guidance will be great help.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> With Regards
>>>> Farrukh Naveed Anjum
>>>>
>>>>
>>>
>>> --
>>> With Regards
>>> Farrukh Naveed Anjum
>>>
>>>
>>
>> --
>> With Regards
>> Farrukh Naveed Anjum
>>
>>
>
> --
> With Regards
> Farrukh Naveed Anjum
>


--
With Regards
Farrukh Naveed Anjum
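The REGEXP_GROUP_VAL() approach suggested in the reply above, worked through as an added example (not code from the thread or from the Metron project). It applies one single-capture-group, Java-compatible regex per field to the Bro `message` string, on constructed sample lines modelled on the Suricata alerts quoted in the thread, including one line with no `[Classification: ...]`/`[Priority: ...]` so the "if it exists" case returns an empty field instead of breaking the parse. It also builds the matching `fieldTransformations` entry for the bro parser config using Metron's documented STELLAR transformation shape (`transformation`/`output`/`config`). The `suricata_*` output names are my own choice, and the backslash escaping inside the single-quoted Stellar literals is an assumption to confirm in the Stellar REPL before deploying. One caveat worth noting: the `ip_src_addr`/`ip_dst_addr` already on the record are the syslog UDP endpoints (10.2.2.1:514 to 172.16.4.18:514 in the pasted log), not the alert's flow; the flow endpoints only exist inside `message`, which is untrusted sensor-observed text, so the patterns below are anchored on Suricata's literal syntax and avoid nested quantifiers that could backtrack badly on a crafted line.

```python
"""Extract Suricata alert fields from the Bro syslog 'message' string.

Added example; not code from the Metron project or the thread.  The
suricata_* field names and the SAMPLES lines are my own constructions.
"""
import json
import re

# Constructed sample messages modelled on the lines quoted in the thread.
# The third one carries no Classification/Priority, so the "if it exists"
# case (field comes back empty, parse still succeeds) is exercised.
SAMPLES = [
    "Feb 26 10:30:48 suricata[1546]: [Drop] [1:51000003:0] OPN_Social_Media - "
    "Facebook - DNS request for facebook.com [Classification: Social-Media app "
    "detection by OPNsense] [Priority: 2] {UDP} 10.2.2.115:25269 -> 8.8.8.8:53",
    "Feb 20 12:11:18 suricata[72950]: [1:2000538:8] ET SCAN NMAP -sA (1) "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} "
    "74.125.133.189:443 -> 10.2.2.202:52012",
    "Feb 20 12:12:00 suricata[72950]: [1:2100498:7] GPL ATTACK_RESPONSE id check "
    "returned root {TCP} 10.2.2.50:4444 -> 10.2.2.202:52013",
]

# One Java-compatible regex per field, each with exactly one capture group so the
# same pattern can be handed to Stellar's REGEXP_GROUP_VAL(message, pattern, 1).
# Anchored on Suricata's literal syntax ("[Classification: ...]", "[Priority: N]",
# "{PROTO} a.b.c.d:p -> e.f.g.h:q"), with no nested quantifiers, because the
# message body is whatever the sensor saw on the wire.
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
PATTERNS = {
    "suricata_sid":            r"\[\d+:(\d+):\d+\]",          # gid:sid:rev -> sid
    "suricata_action":         r"suricata\[\d+\]: \[(\w+)\] ", # e.g. [Drop]; absent on plain alerts
    "suricata_classification": r"\[Classification: ([^\]]+)\]",
    "suricata_priority":       r"\[Priority: (\d+)\]",
    "suricata_proto":          r"\{([A-Z0-9]+)\} " + IPV4,
    "suricata_src_ip":         r"\} (" + IPV4 + r"):\d+ -> ",
    "suricata_src_port":       r"\} " + IPV4 + r":(\d+) -> ",
    "suricata_dst_ip":         r" -> (" + IPV4 + r"):\d+$",
    "suricata_dst_port":       r" -> " + IPV4 + r":(\d+)$",
}
NUMERIC_FIELDS = ("suricata_sid", "suricata_priority", "suricata_src_port", "suricata_dst_port")


def extract_suricata_fields(message):
    """Apply every pattern to one message.  A field the message lacks comes back
    as None, which is what REGEXP_GROUP_VAL yields on no match; numeric fields
    are cast so downstream enrichment compares numbers, not strings."""
    fields = {}
    for name, pattern in PATTERNS.items():
        m = re.search(pattern, message)
        value = m.group(1) if m else None
        if value is not None and name in NUMERIC_FIELDS:
            value = int(value)
        fields[name] = value
    return fields


def stellar_transformation(source_field="message"):
    """Build the fieldTransformations entry that applies the same patterns inside
    the Metron bro parser.  The STELLAR transformation shape is the documented one;
    the backslash escaping inside the single-quoted Stellar literal is an
    assumption to verify in the Stellar REPL.  None of the patterns contain a
    single quote, so no inner quoting is needed."""
    config = {}
    for name, pattern in PATTERNS.items():
        expr = "REGEXP_GROUP_VAL(%s, '%s', 1)" % (source_field, pattern)
        if name in NUMERIC_FIELDS:
            expr = "TO_INTEGER(%s)" % expr   # TO_INTEGER is a documented Stellar function
        config[name] = expr
    return {
        "transformation": "STELLAR",
        "output": list(PATTERNS),
        "config": config,
    }


if __name__ == "__main__":
    for line in SAMPLES:
        print(json.dumps(extract_suricata_fields(line), indent=2))
    # Paste this object into the "fieldTransformations" array of the bro parser config.
    print(json.dumps(stellar_transformation(), indent=2))
```

Run it stand-alone to see the three parsed records and the config fragment; the third record shows `suricata_classification` and `suricata_priority` as null while the flow fields are still populated. Whether to apply this in the bro parser's fieldTransformations or in a chained parser is a deployment choice; the regexes are the same either way.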
