mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2026-01-01 13:53:18 +01:00
22 lines
1022 B
Plaintext
22 lines
1022 B
Plaintext
# Author: Justin Henderson
|
|
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
|
|
# Updated by: Doug Burks
|
|
# Last Update: 5/15/2017
|
|
#
|
|
# This conf file is based on accepting logs for smtp.log from Bro systems
|
|
filter {
|
|
if [type] == "bro_smtp" {
|
|
grok {
|
|
match => [ "message", "(?<timestamp>(.*?))\t(?<uid>(.*?))\t(?<source_ip>(.*?))\t(?<source_port>(.*?))\t(?<destination_ip>(.*?))\t(?<destination_port>(.*?))\t(?<trans_depth>(.*?))\t(?<helo>(.*?))\t(?<mail_from>(.*?))\t(?<recipient_to>(.*?))\t(?<mail_date>(.*?))\t(?<from>(.*?))\t(?<to>(.*?))\t(?<cc>(.*?))\t(?<reply_to>(.*?))\t(?<message_id>(.*?))\t(?<in_reply_to>(.*?))\t(?<subject>(.*?))\t(?<x_originating_ip>(.*?))\t(?<first_received>(.*))\t(?<second_received>(.*))\t(?<last_reply>(.*))\t(?<path>(.*))\t(?<useragent>(.*))\t(?<tls>(.*))\t(?<fuids>(.*))\t(?<is_webmail>(.*))" ]
|
|
}
|
|
if [useragent] == "-" {
|
|
mutate {
|
|
remove_field => [ "useragent" ]
|
|
}
|
|
}
|
|
mutate {
|
|
#add_tag => [ "conf_file_1112"]
|
|
}
|
|
}
|
|
}
|