mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2025-12-06 09:12:45 +01:00
26 lines
1.5 KiB
Plaintext
26 lines
1.5 KiB
Plaintext
{
|
|
"description" : "sguild_nids",
|
|
"processors" : [
|
|
{
|
|
"dissect": {
|
|
"field": "message",
|
|
"pattern" : "%{} %{} %{} Alert Received: %{} %{priority} %{classification} %{interface} {%{alerttime}} %{} %{} {%{alert}} %{source_ip} %{destination_ip} %{protocol} %{source_port} %{destination_port} %{gid} %{sid} %{rev} ",
|
|
"on_failure": [ { "drop" : { } } ]
|
|
}
|
|
},
|
|
{ "set": { "if": "ctx.protocol == '1'", "field": "protocol", "value": "ICMP" } },
|
|
{ "set": { "if": "ctx.protocol == '6'", "field": "protocol", "value": "TCP" } },
|
|
{ "set": { "if": "ctx.protocol == '17'", "field": "protocol", "value": "UDP" } },
|
|
{ "remove": { "if": "ctx.source_ip == '{}'", "field": "source_ip" } },
|
|
{ "remove": { "if": "ctx.destination_ip == '{}'", "field": "destination_ip" } },
|
|
{ "remove": { "if": "ctx.protocol == '{}'", "field": "protocol" } },
|
|
{ "remove": { "if": "ctx.source_port == '{}'", "field": "source_port" } },
|
|
{ "remove": { "if": "ctx.destination_port == '{}'", "field": "destination_port" } },
|
|
{ "set": { "field": "type", "value": "snort" } },
|
|
{ "rename": { "field": "@timestamp", "target_field": "timestamp", "ignore_missing": true } },
|
|
{ "date": { "field": "alerttime", "target_field": "@timestamp", "formats": ["yyyy-MM-dd HH:mm:ss"], "ignore_failure": true } },
|
|
{ "remove": { "field": "alerttime", "ignore_missing": true } },
|
|
{ "pipeline": { "name": "common_nids" } }
|
|
]
|
|
}
|