{
  "description" : "sguild_nids",
  "processors" : [
    { 
	"dissect": {
		"field": "message",
		"pattern" : "%{} %{} %{}  Alert Received: %{} %{priority} %{classification} %{interface} {%{alerttime}} %{} %{} {%{alert}} %{source_ip} %{destination_ip} %{protocol} %{source_port} %{destination_port} %{gid} %{sid} %{rev} ",
		"on_failure": [ { "drop" : { } } ]
	}
    },
    { "set":		{ "if": "ctx.protocol == '1'",		"field": "protocol", "value": "ICMP"							} },
    { "set":		{ "if": "ctx.protocol == '6'",		"field": "protocol", "value": "TCP" 							} },
    { "set":		{ "if": "ctx.protocol == '17'",		"field": "protocol", "value": "UDP" 							} },
    { "remove":		{ "if": "ctx.source_ip == '{}'",  	"field": "source_ip"									} },
    { "remove":		{ "if": "ctx.destination_ip == '{}'", 	"field": "destination_ip"								} },
    { "remove":		{ "if": "ctx.protocol == '{}'", 	"field": "protocol"									} },
    { "remove":		{ "if": "ctx.source_port == '{}'",  	"field": "source_port"									} },
    { "remove":		{ "if": "ctx.destination_port == '{}'", "field": "destination_port"								} },
    { "set":		{ "field": "type", "value": "snort" 												} },
    { "rename":		{ "field": "@timestamp",	"target_field": "timestamp",						"ignore_missing": true  } },
    { "date":		{ "field": "alerttime",		"target_field": "@timestamp",	"formats": ["yyyy-MM-dd HH:mm:ss"],	"ignore_failure": true  } },
    { "remove":		{ "field": "alerttime",											"ignore_missing": true  } },
    { "pipeline": 	{ "name": "common_nids" 													} }
  ]
}