From e9fdabf910dbbb27fa6cbfd8a5f32799d4d971dc Mon Sep 17 00:00:00 2001
From: Andrew <a@3ilson.com>
Date: Wed, 11 Sep 2019 07:09:12 -0400
Subject: [PATCH] Update pfv100.grok

Added the capability to handle Snort data (contributed by swedishmike)
---
 pfv100.grok | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pfv100.grok b/pfv100.grok
index 4e04e93..79dc54d 100644
--- a/pfv100.grok
+++ b/pfv100.grok
@@ -54,3 +54,6 @@ OPENVPN %{IP:vpn_src_ip}\:%{INT:vpn_src_port}%{SPACE}\[%{DATA:vpn_client}\]%{SPA
 
 # SURICATA
 SURICATA %{SPACE}\[%{NUMBER:ids_gen_id}:%{NUMBER:ids_sig_id}:%{NUMBER:ids_sig_rev}\]%{SPACE}%{GREEDYDATA:ids_desc}%{SPACE}\[Classification:%{SPACE}%{GREEDYDATA:ids_class}\]%{SPACE}\[Priority:%{SPACE}%{NUMBER:ids_pri}\]%{SPACE}{%{WORD:ids_proto}}%{SPACE}%{IP:ids_src_ip}:%{NUMBER:ids_src_port}%{SPACE}->%{SPACE}%{IP:ids_dest_ip}:%{NUMBER:ids_dest_port}
+
+# SNORT
+SNORT \[%{INT:ids_gen_id}\:%{INT:ids_sig_id}\:%{INT:ids_sig_rev}\].%{GREEDYDATA:ids_desc}.\[Classification\: %{DATA:ids_class}\].\[Priority\: %{INT:ids_pri}\].\{%{DATA:ids_proto}\}.%{IP:ids_src_ip}\:%{INT:ids_src_port}.->.%{IP:ids_dest_ip}\:%{INT:ids_dest_port}
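Review bot: The new SNORT pattern separates its fields with unescaped `.`, which in a grok/regex pattern is a single-character wildcard rather than a literal space, so each of those positions accepts any character and the pattern is looser than it appears; the neighbouring SURICATA line uses `%{SPACE}` for the same job. Combined with the two `%{GREEDYDATA}` captures and the `%{DATA:ids_proto}` where SURICATA uses `%{WORD:ids_proto}`, a malformed or unexpected event is more likely to be matched with fields shifted into the wrong captures (ids_desc, ids_class, ids_proto) than rejected, which matters when these fields drive alerting downstream. If the Snort log format uses single spaces between those tokens, as the wildcard placement suggests, I would replace each separator `.` with `%{SPACE}` to match the SURICATA style: `SNORT \[%{INT:ids_gen_id}\:%{INT:ids_sig_id}\:%{INT:ids_sig_rev}\]%{SPACE}%{GREEDYDATA:ids_desc}%{SPACE}\[Classification\: %{DATA:ids_class}\]%{SPACE}\[Priority\: %{INT:ids_pri}\]%{SPACE}\{%{WORD:ids_proto}\}%{SPACE}%{IP:ids_src_ip}\:%{INT:ids_src_port}%{SPACE}->%{SPACE}%{IP:ids_dest_ip}\:%{INT:ids_dest_port}`. A one-line comment above the pattern noting the expected sample line, e.g. `# Example Snort alert line this pattern is tested against: <SAMPLE_LINE_PLACEHOLDER>`, would make future changes verifiable.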
-- 
GitLab