-
Notifications
You must be signed in to change notification settings - Fork 55
/
snort.conf
117 lines (112 loc) · 3.49 KB
/
snort.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
# Author: Justin Henderson
# Email: [email protected]
# Last Update: 11/18/2015
#
# This conf file is based on accepting logs for snort
input {
udp {
port => 5141
type => snort
}
}
filter {
if [type] == "snort" {
# This is the initial parsing of the log
grok {
match => { "message" => "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s+%{IPV4:SrcIp}:%{INT:SrcPort}\s+->\s+%{IPV4:DstIp}:%{INT:DstPort}%{GREEDYDATA:message}"}
}
# If you'd like to collect the DNS name for the SrcIP keep this section. Caution, this can cause an attacker to go into hiding.
# If you do not want reverse DNS lookups of IPs keep this uncommented.
#mutate {
# add_field => { "SrcIP-resolved" => "%{SrcIp}" }
#}
#dns {
# reverse => [ "[SrcIP-resolved]" ]
# action => "replace"
#}
# This will attempt to do a geoip lookup against the SrcIP
geoip {
source => "[SrcIp]"
target => "SrcGeo"
}
# If you'd like to collect the DNS name for the DstIP keep this section. Caution, this can cause an attacker to go into hiding.
# If you do not want reverse DNS lookups of IPs keep this uncommented.
#mutate {
# add_field => { "DstIP-resolved" => "%{DstIp}" }
#}
#dns {
# reverse => [ "[DstIP-resolved]" ]
# action => "replace"
#}
# This will attempt to do a geoip lookup against the DstIP
geoip {
source => "[DstIp]"
target => "DstGeo"
}
# If the alert is a Snort GPL alert break it apart for easier reading and categorization
if [alert] =~ "GPL " {
# This will parse out the category type from the alert
grok {
match => { "alert" => "GPL\s+%{DATA:category}\s" }
}
# This will store the category
mutate {
add_field => { "rule_type" => "Snort GPL" }
lowercase => [ "category"]
}
}
# If the alert is an Emerging Threat alert break it apart for easier reading and categorization
if [alert] =~ "ET " {
# This will parse out the category type from the alert
grok {
match => { "alert" => "ET\s+%{DATA:category}\s" }
}
# This will store the category
mutate {
add_field => { "rule_type" => "Emerging Threats" }
lowercase => [ "category"]
}
}
# I recommend changing the field types below to integer so searches can do greater than or less than
# and also so math functions can be ran against them
mutate {
convert => [ "SrcPort", "integer" ]
convert => [ "DstPort", "integer" ]
remove_field => [ "message"]
}
# This will translate the priority field into a severity field of either High, Medium, or Low
if [priority] == 1 {
mutate {
add_field => { "severity" => "High" }
}
}
if [priority] == 2 {
mutate {
add_field => { "severity" => "Medium" }
}
}
if [priority] == 3 {
mutate {
add_field => { "severity" => "Low" }
}
}
# This section adds URLs to lookup information about a rule online
if [rule_type] == "Snort GPL" {
mutate {
add_field => [ "Signature_Info", "https://www.snort.org/search?query=%{gid}-%{sid}" ]
}
}
if [rule_type] == "Emerging Threats" {
mutate {
add_field => [ "Signature_Info", "http://doc.emergingthreats.net/%{sid}" ]
}
}
}
}
output {
if [type] == "snort" {
#stdout { codec => rubydebug }
elasticsearch {
}
}
}