Private GIT

Skip to content
Snippets Groups Projects
Unverified Commit f036821a authored by Andrew's avatar Andrew Committed by GitHub
Browse files

Update pf-09.2019.grok

Elastic Common Schema (ECS)
parent 9528aa73
Branches
Tags
No related merge requests found
...@@ -9,21 +9,21 @@ ...@@ -9,21 +9,21 @@
# Edited 30 Apr 2019 by Mike Eriksson <mike@swedishmike.org> # Edited 30 Apr 2019 by Mike Eriksson <mike@swedishmike.org>
PF_LOG_ENTRY %{PF_LOG_DATA}%{PF_IP_SPECIFIC_DATA}%{PF_IP_DATA}%{PF_PROTOCOL_DATA}? PF_LOG_ENTRY %{PF_LOG_DATA}%{PF_IP_SPECIFIC_DATA}%{PF_IP_DATA}%{PF_PROTOCOL_DATA}?
PF_LOG_DATA %{INT:rule},%{INT:sub_rule}?,,%{INT:tracker},%{DATA:iface},%{WORD:reason},%{WORD:action},%{WORD:direction}, PF_LOG_DATA %{INT:event.code},%{INT:sub_rule}?,,%{INT:tracker},%{DATA:interface},%{WORD:event.outcome},%{WORD:event.action},%{WORD:network.direction},
PF_IP_DATA %{INT:length},%{IP:src_ip},%{IP:dest_ip}, PF_IP_DATA %{INT:length},%{IP:source.ip},%{IP:destination.ip},
PF_IP_SPECIFIC_DATA %{PF_IPv4_SPECIFIC_DATA}|%{PF_IPv6_SPECIFIC_DATA} PF_IP_SPECIFIC_DATA %{PF_IPv4_SPECIFIC_DATA}|%{PF_IPv6_SPECIFIC_DATA}
PF_IPv4_SPECIFIC_DATA (?<ip_ver>(4)),%{BASE16NUM:tos},%{WORD:ecn}?,%{INT:ttl},%{INT:id},%{INT:offset},%{WORD:flags},%{INT:proto_id},%{WORD:proto}, PF_IPv4_SPECIFIC_DATA (?<network.type>(4)),%{BASE16NUM:tos},%{WORD:ecn}?,%{INT:ttl},%{INT:event.id},%{INT:offset},%{WORD:flags},%{INT:network.transport_id},%{WORD:network.transport},
PF_IPv6_SPECIFIC_DATA (?<ip_ver>(6)),%{BASE16NUM:IPv6_Flag1},%{WORD:IPv6_Flag2},%{WORD:flow_label},%{WORD:proto_type},%{INT:proto_id}, PF_IPv6_SPECIFIC_DATA (?<network.type>(6)),%{BASE16NUM:IPv6_Flag1},%{WORD:IPv6_Flag2},%{WORD:flow_label},%{WORD:proto_type},%{INT:network.iana_number},
PF_PROTOCOL_DATA %{PF_UDP_DATA}|%{PF_TCP_DATA}|%{PF_ICMP_DATA}|%{PF_IGMP_DATA}|%{PF_IPv6_VAR}|%{PF_IPv6_ICMP} PF_PROTOCOL_DATA %{PF_UDP_DATA}|%{PF_TCP_DATA}|%{PF_ICMP_DATA}|%{PF_IGMP_DATA}|%{PF_IPv6_VAR}|%{PF_IPv6_ICMP}
PF_UDP_DATA %{INT:src_port},%{INT:dest_port},%{INT:data_length} PF_UDP_DATA %{INT:source.port},%{INT:destination.port},%{INT:network.packets}
PF_TCP_DATA %{INT:src_port},%{INT:dest_port},%{INT:data_length},%{WORD:tcp_flags},%{INT:sequence_number},%{INT:ack_number},%{INT:tcp_window},%{DATA:urg_data},%{GREEDYDATA:tcp_options} PF_TCP_DATA %{INT:source.port},%{INT:destination.port},%{INT:network.packets},%{WORD:tcp_flags},%{INT:sequence_number},%{INT:ack_number},%{INT:tcp_window},%{DATA:urg_data},%{GREEDYDATA:tcp_options}
PF_IGMP_DATA datalength=%{INT:data_length} PF_IGMP_DATA datalength=%{INT:network.packets}
PF_ICMP_DATA %{PF_ICMP_TYPE},%{PF_ICMP_RESPONSE} PF_ICMP_DATA %{PF_ICMP_TYPE},%{PF_ICMP_RESPONSE}
PF_ICMP_TYPE (?<icmp_type>(request|reply|unreachproto|unreachport|unreach|timeexceed|paramprob|redirect|maskreply|needfrag|tstamp|tstampreply)), PF_ICMP_TYPE (?<icmp_type>(request|reply|unreachproto|unreachport|unreach|timeexceed|paramprob|redirect|maskreply|needfrag|tstamp|tstampreply)),
PF_ICMP_RESPONSE %{PF_ICMP_ECHO_REQ_REPLY}|%{PF_ICMP_UNREACHPORT}| %{PF_ICMP_UNREACHPROTO}|%{PF_ICMP_UNREACHABLE}|%{PF_ICMP_NEED_FLAG}|%{PF_ICMP_TSTAMP}|%{PF_ICMP_TSTAMP_REPLY} PF_ICMP_RESPONSE %{PF_ICMP_ECHO_REQ_REPLY}|%{PF_ICMP_UNREACHPORT}| %{PF_ICMP_UNREACHPROTO}|%{PF_ICMP_UNREACHABLE}|%{PF_ICMP_NEED_FLAG}|%{PF_ICMP_TSTAMP}|%{PF_ICMP_TSTAMP_REPLY}
PF_ICMP_ECHO_REQ_REPLY %{INT:icmp_echo_id},%{INT:icmp_echo_sequence} PF_ICMP_ECHO_REQ_REPLY %{INT:icmp_echo_id},%{INT:icmp_echo_sequence}
PF_ICMP_UNREACHPORT %{IP:icmp_unreachport_dest_ip},%{WORD:icmp_unreachport_protocol},%{INT:icmp_unreachport_port} PF_ICMP_UNREACHPORT %{IP:icmp_unreachport_destination.ip},%{WORD:icmp_unreachport_protocol},%{INT:icmp_unreachport_port}
PF_ICMP_UNREACHPROTO %{IP:icmp_unreach_dest_ip},%{WORD:icmp_unreachproto_protocol} PF_ICMP_UNREACHPROTO %{IP:icmp_unreach_destination.ip},%{WORD:icmp_unreach_network.transport}
PF_ICMP_UNREACHABLE %{GREEDYDATA:icmp_unreachable} PF_ICMP_UNREACHABLE %{GREEDYDATA:icmp_unreachable}
PF_ICMP_NEED_FLAG %{IP:icmp_need_flag_ip},%{INT:icmp_need_flag_mtu} PF_ICMP_NEED_FLAG %{IP:icmp_need_flag_ip},%{INT:icmp_need_flag_mtu}
PF_ICMP_TSTAMP %{INT:icmp_tstamp_id},%{INT:icmp_tstamp_sequence} PF_ICMP_TSTAMP %{INT:icmp_tstamp_id},%{INT:icmp_tstamp_sequence}
...@@ -51,10 +51,10 @@ PF_APP_ERROR webConfigurator (%{DATA:pf_ACTION}) for \'(%{DATA:pf_USER})\' from ...@@ -51,10 +51,10 @@ PF_APP_ERROR webConfigurator (%{DATA:pf_ACTION}) for \'(%{DATA:pf_USER})\' from
PF_APP_GEN (%{GREEDYDATA:pf_ACTION}) PF_APP_GEN (%{GREEDYDATA:pf_ACTION})
# OPENVPN # OPENVPN
OPENVPN %{IP:vpn_src_ip}\:%{INT:vpn_src_port}%{SPACE}\[%{DATA:vpn_client}\]%{SPACE}Peer%{SPACE}Connection%{SPACE}Initiated%{SPACE}with%{GREEDYDATA} OPENVPN %{IP:vpn_source.ip}\:%{INT:vpn_source.port}%{SPACE}\[%{DATA:vpn_client}\]%{SPACE}Peer%{SPACE}Connection%{SPACE}Initiated%{SPACE}with%{GREEDYDATA}
# SURICATA # SURICATA
SURICATA %{SPACE}\[%{NUMBER:ids_gen_id}:%{NUMBER:ids_sig_id}:%{NUMBER:ids_sig_rev}\]%{SPACE}%{GREEDYDATA:ids_desc}%{SPACE}\[Classification:%{SPACE}%{GREEDYDATA:ids_class}\]%{SPACE}\[Priority:%{SPACE}%{NUMBER:ids_pri}\]%{SPACE}{%{WORD:ids_proto}}%{SPACE}%{IP:ids_src_ip}:%{NUMBER:ids_src_port}%{SPACE}->%{SPACE}%{IP:ids_dest_ip}:%{NUMBER:ids_dest_port} SURICATA %{SPACE}\[%{NUMBER:ids_gen_id}:%{NUMBER:ids_sig_id}:%{NUMBER:ids_sig_rev}\]%{SPACE}%{GREEDYDATA:ids_desc}%{SPACE}\[Classification:%{SPACE}%{GREEDYDATA:ids_class}\]%{SPACE}\[Priority:%{SPACE}%{NUMBER:ids_pri}\]%{SPACE}{%{WORD:ids_network.transport}}%{SPACE}%{IP:ids_source.ip}:%{NUMBER:ids_source.port}%{SPACE}->%{SPACE}%{IP:ids_destination.ip}:%{NUMBER:ids_destination.port}
# SNORT # SNORT
SNORT \[%{INT:ids_gen_id}\:%{INT:ids_sig_id}\:%{INT:ids_sig_rev}\].%{GREEDYDATA:ids_desc}.\[Classification\: %{DATA:ids_class}\].\[Priority\: %{INT:ids_pri}\].\{%{DATA:ids_proto}\}.%{IP:ids_src_ip}\:%{INT:ids_src_port}.->.%{IP:ids_dest_ip}\:%{INT:ids_dest_port} SNORT \[%{INT:ids_gen_id}\:%{INT:ids_sig_id}\:%{INT:ids_sig_rev}\].%{GREEDYDATA:ids_desc}.\[Classification\: %{DATA:ids_class}\].\[Priority\: %{INT:ids_pri}\].\{%{DATA:ids_network.transport}\}.%{IP:ids_source.ip}\:%{INT:ids_source.port}.->.%{IP:ids_destination.ip}\:%{INT:ids_destination.port}
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment