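# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plugin for Snort "fast"/"full" alert output written to a
# standalone alert file, with mm/dd (year-less) timestamps.  Every log field is
# filled by the parsing filters below (parse_only_with_filters = "true"); one
# Snort alert spans several physical lines, so the filters *collect* values
# line by line and only emit a database entry when an accept_* filter fires.

snort_standalone_mmdd = {

  plugin_version = "1.0.1"

  # Initial creation - 1.0
  # 2011-07-19 - 1.0.1 - MSG - Edited info lines.

  info.1.manufacturer = "Sourcefire"
  info.1.device = "Snort (standalone, mm/dd dates)"
  info.1.version.1 = ""

  # The name of the log format
  log.format.format_label = "Snort Log Format (standalone, mm/dd dates)"
  log.miscellaneous.log_data_type = "network"
  log.miscellaneous.log_format_type = "network_device"

  # The log is in this format if any of the first ten lines match this regular
  # expression.  It keys on the alert header line
  # "mm/dd-hh:mm:ss.uuuuuu <addr>[:port] -> <addr>[:port]".  Note the address
  # class admits hex digits and ':' (so an IPv6 literal would autodetect), but
  # the per-line address parsers below (filters 7 / 7a) only accept dotted
  # IPv4 -- see the note there.
  log.format.autodetect_regular_expression = "^[0-9][0-9]/[0-9][0-9]-[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\\.[0-9][0-9][0-9][0-9][0-9][0-9] [0-9.:A-F]+ -> [0-9.:A-F]+"

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # The format of dates and times in this log.  The log carries no year, so the
  # year Sawmill assigns is not taken from the file -- TODO(review): confirm how
  # the year is supplied before relying on date_time for incident timelines.
  log.format.date_format = "mm/dd"
  log.format.time_format = "hh:mm:ss"

  # Log fields.  Every name used as a target in a collect_fields_using_regexp()
  # call below must be declared here.
  log.fields = {
    date = {
      label = "$lang_stats.field_labels.date"
      type = "date"
      index = 0
      subindex = 0
      hierarchy_dividers = ""
      left_to_right = false
      leading_divider = "false"
    } # date
    time = {
      label = "$lang_stats.field_labels.time"
      type = "time"
      index = 0
      subindex = 0
      hierarchy_dividers = ""
      left_to_right = false
      leading_divider = "false"
    } # time
    # source_host is the only hierarchical host field ("." dividers); the
    # destination side is kept flat, which is how the original plugin shipped.
    source_host = {
      label = "$lang_stats.field_labels.source_host"
      type = "host"
      index = 0
      subindex = 0
      hierarchy_dividers = "."
      left_to_right = false
      leading_divider = "false"
    } # source_host
    destination_host = {
      label = "$lang_stats.field_labels.destination_host"
      type = "flat"
      index = 0
      subindex = 0
    } # destination_host
    source_port = {
      label = "$lang_stats.field_labels.source_port"
      type = "flat"
      index = 0
      subindex = 0
    } # source_port
    destination_port = {
      label = "$lang_stats.field_labels.destination_port"
      type = "flat"
      index = 0
      subindex = 0
    } # destination_port
    event = {
      label = "$lang_stats.field_labels.event"
      type = "flat"
      index = 0
      subindex = 0
    } # event
    # Sniffing interface, captured by filter 2 from the "<iface>" token that
    # Snort emits in the alert header when configured with -I.  Declared here
    # so filter 2 has a declared target; a literal label is used because it is
    # not known whether $lang_stats defines an "interface" label.
    interface = {
      label = "Interface"
      type = "flat"
      index = 0
      subindex = 0
    } # interface
    protocol = {
      label = "$lang_stats.field_labels.protocol"
      type = "flat"
      index = 0
      subindex = 0
    } # protocol
    classification = {
      label = "$lang_stats.field_labels.classification"
      type = "flat"
      index = 0
      subindex = 0
    } # classification
    priority = {
      label = "$lang_stats.field_labels.priority"
      type = "flat"
      index = 0
      subindex = 0
    } # priority
    type = {
      label = "$lang_stats.field_labels.type"
      type = "flat"
      index = 0
      subindex = 0
    } # type
    code = {
      label = "$lang_stats.field_labels.code"
      type = "flat"
      index = 0
      subindex = 0
    } # code
    # Length value captured alongside "type:" by filter 10.  Declared for the
    # same reason as `interface`; literal label for the same reason.
    len = {
      label = "Length"
      type = "flat"
      index = 0
      subindex = 0
    } # len
    xref = {
      label = "$lang_stats.field_labels.xref"
      type = "flat"
      index = 0
      subindex = 0
    } # xref
    ttl = {
      label = "$lang_stats.field_labels.ttl"
      type = "flat"
      index = 0
      subindex = 0
    } # ttl
    tos = {
      label = "$lang_stats.field_labels.tos"
      type = "flat"
      index = 0
      subindex = 0
    } # tos
    id = {
      label = "$lang_stats.field_labels.id"
      type = "flat"
      index = 0
      subindex = 0
    } # id
    iplen = {
      label = "$lang_stats.field_labels.iplen"
      type = "flat"
      index = 0
      subindex = 0
    } # iplen
    # Was declared as "dmglen", but filter 6 collects into "dgmlen" (Snort's
    # header token is "DgmLen:"), so the DgmLen value never reached a declared
    # field.  The field name now matches the filter; the label is left as it
    # was so no new $lang_stats variable is required.
    dgmlen = {
      label = "$lang_stats.field_labels.dmglen"
      type = "flat"
      index = 0
      subindex = 0
    } # dgmlen
    seq = {
      label = "$lang_stats.field_labels.seq"
      type = "flat"
      index = 0
      subindex = 0
    } # seq
    ack = {
      label = "$lang_stats.field_labels.ack"
      type = "flat"
      index = 0
      subindex = 0
    } # ack
    win = {
      label = "$lang_stats.field_labels.win"
      type = "flat"
      index = 0
      subindex = 0
    } # win
    tcplen = {
      label = "$lang_stats.field_labels.tcplen"
      type = "flat"
      index = 0
      subindex = 0
    } # tcplen
    from = {
      label = "$lang_stats.field_labels.from"
      type = "flat"
      index = 0
      subindex = 0
    } # from
    to = {
      label = "$lang_stats.field_labels.to"
      type = "flat"
      index = 0
      subindex = 0
    } # to
  } # log.fields

  #
  # Log Parsing Filters
  #
  # Filters run in numeric order against each physical line.  collect_* filters
  # stash captured groups into the named log fields; nothing is written to the
  # database until filter 14 or 16 accepts the collected entry.
  #
  # Trust boundary: the event/classification/xref text comes from the Snort
  # rule that fired, but every host, port and IP/TCP header value is copied
  # from the packet that triggered the alert and is therefore attacker
  # controlled.  The regexes below are the only validation those values get
  # before they reach reports.
  log.parsing_filters = {

    # Parse out header
    1 = {
      label = "1"
      comment = ""
      value = "collect_fields_using_regexp('^()^\\\\[\\\\*\\\\*\\\\] *\\\\[[^]]*\\\\]* (.*) \\\\[\\\\*\\\\*\\\\]$', '*KEY*,event')"
    } # 1

    # Parse out header with interface
    2 = {
      label = "2"
      comment = ""
      value = "collect_fields_using_regexp('^()^\\\\[\\\\*\\\\*\\\\] *\\\\[[^]]*\\\\]* +<([^>]+)> (.*) \\\\[\\\\*\\\\*\\\\]$', '*KEY*,interface,event')"
    } # 2

    # Parse out Classification line
    3 = {
      label = "3"
      comment = ""
      value = "collect_fields_using_regexp('^()\\\\[Classification: ([^]]*)\\\\] \\\\[Priority: ([0-9]*)\\\\]', '*KEY*,classification,priority')"
    } # 3

    # Parse out the date/time, from, to.  Keeps the raw "addr[:port]" tokens in
    # from/to; filter 5 then splits the same line into host and port.
    4 = {
      label = "4"
      comment = ""
      value = "collect_fields_using_regexp('^()([0-9][0-9]/[0-9][0-9])-([0-9][0-9]:[0-9][0-9]:[0-9][0-9])\\\\.[0-9][0-9][0-9][0-9][0-9][0-9] ([^ ]*) -> ([^ ]*)', '*KEY*,date,time,from,to')"
    } # 4

    # Parse out the date/time, IPs, and ports.  ":*" makes the port optional
    # (ICMP lines carry none).  The host class here is "[^:]*", i.e. anything
    # but a colon, so a header line that is not a dotted IPv4 address still
    # lands in source_host/destination_host unfiltered.
    5 = {
      label = "5"
      comment = ""
      value = "collect_fields_using_regexp('^()([0-9][0-9]/[0-9][0-9])-([0-9][0-9]:[0-9][0-9]:[0-9][0-9])\\\\.[0-9][0-9][0-9][0-9][0-9][0-9] ([^:]*):*([0-9]*) -> ([^:]*):*([0-9]*)$', '*KEY*,date,time,source_host,source_port,destination_host,destination_port')"
    } # 5

    # Parse out the TCP/ICMP/UDP line.  Target field is "dgmlen" -- keep it in
    # step with the log.fields declaration above.
    6 = {
      label = "6"
      comment = ""
      value = "collect_fields_using_regexp('()(TCP|ICMP|UDP) TTL:([0-9]*) TOS:([^ ]*) ID:([0-9]*) IpLen:([0-9]*) DgmLen:([0-9]*)', '*KEY*,protocol,ttl,tos,id,iplen,dgmlen')"
    } # 6

    # Parse out the source IP destination IP in datagram dump line.  Unlike
    # filter 5 this accepts only "[0-9.]*", so it is IPv4-only; when it matches
    # it overwrites the host/port fields collected from the alert header.
    7 = {
      label = "7"
      comment = ""
      value = "collect_fields_using_regexp('^()([0-9.]*):([0-9]*) -> ([0-9.]*):([0-9]*)', '*KEY*,source_host,source_port,destination_host,destination_port')"
    } # 7

    # Parse out the source IP destination IP when port is not present (e.g., ICMP)
    7a = {
      label = "7a"
      comment = ""
      value = "collect_fields_using_regexp('^()([0-9.]*) -> ([0-9.]*)', '*KEY*,source_host,destination_host')"
    } # 7a

    # Parse out the Seq: line
    8 = {
      label = "8"
      comment = ""
      value = "collect_fields_using_regexp('^()Seq: ([^ ]*) *Ack: ([^ ]*)$', '*KEY*,seq,ack')"
    } # 8

    # Parse out the ***AP*** line
    9 = {
      label = "9"
      comment = ""
      value = "collect_fields_using_regexp('() Seq: ([^ ]*) *Ack: ([^ ]*) *Win: ([^ ]*) *TcpLen: ([0-9]*)', '*KEY*,seq,ack,win,tcplen')"
    } # 9

    # Parse out type & len (lower-case "type:" ... "len:" variant)
    10 = {
      label = "10"
      comment = ""
      value = "collect_fields_using_regexp('()type:([^ ]*) *len:([^ ]*)$', '*KEY*,type,len')"
    } # 10

    # Parse out the Type line
    11 = {
      label = "11"
      comment = ""
      value = "collect_fields_using_regexp('^()Type:([0-9]*) *Code:([0-9]*)', '*KEY*,type,code')"
    } # 11

    # Parse out another kind of Type line (ICMP echo: also carries ID and Seq)
    12 = {
      label = "12"
      comment = ""
      value = "collect_fields_using_regexp('^()Type:([0-9]*) *Code:([0-9]*) *ID:([0-9]*) *Seq:([0-9]*)', '*KEY*,type,code,id,seq')"
    } # 12

    # Parse out the Xref line
    13 = {
      label = "13"
      comment = ""
      value = "collect_fields_using_regexp('^()\\\\[Xref => (.*)$', '*KEY*,xref')"
    } # 13

    # Accept this log entry when we see ORIGINAL DATAGRAM DUMP.  The second
    # argument is true here and false in filter 16; presumably it controls
    # whether the collected values are retained for the next entry, so the
    # embedded datagram that follows is reported as a second entry (event set
    # by filter 15, hosts/ports overwritten by filters 7/7a).  Be aware of this
    # when counting events: one ICMP-error alert can yield two entries.
    14 = {
      label = "14"
      comment = ""
      value = "accept_collected_entry_using_regexp('()ORIGINAL DATAGRAM DUMP:', true)"
    } # 14

    # Parse out DATAGRAM DUMP: line
    15 = {
      label = "15"
      comment = ""
      value = "collect_fields_using_regexp('() (ORIGINAL DATAGRAM DUMP)', '*KEY*,event')"
    } # 15

    # Accept this log entry when we get to the blank line after it.  An alert
    # is therefore only emitted once a blank line is seen; a final alert with
    # no trailing blank line (e.g. a log truncated mid-write) may not be
    # counted -- TODO(review): confirm end-of-file handling.
    16 = {
      label = "16"
      comment = ""
      value = "accept_collected_entry_using_regexp('^()$', false)"
    } # 16

  } # log.parsing_filters

  # Database fields.  Only a subset of the log fields is persisted; seq, iplen,
  # dgmlen, tcplen, interface and len are parsed but not stored, as in the
  # original plugin.
  database.fields = {
    date_time = {
      label = "$lang_stats.field_labels.date_time"
      log_field = "date_time"
      type = "string"
      suppress_top = 0
      suppress_bottom = 3
      display_format_type = "date_time"
    } # date_time
    day_of_week = {
      label = "$lang_stats.field_labels.day_of_week"
      log_field = "day_of_week"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
      display_format_type = "day_of_week"
    } # day_of_week
    hour_of_day = {
      label = "$lang_stats.field_labels.hour_of_day"
      log_field = "hour_of_day"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
      display_format_type = "hour_of_day"
    } # hour_of_day
    source_host = {
      label = "$lang_stats.field_labels.source_host"
      log_field = "source_host"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # source_host
    destination_host = {
      label = "$lang_stats.field_labels.destination_host"
      log_field = "destination_host"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # destination_host
    source_port = {
      label = "$lang_stats.field_labels.source_port"
      log_field = "source_port"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # source_port
    destination_port = {
      label = "$lang_stats.field_labels.destination_port"
      log_field = "destination_port"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # destination_port
    event = {
      label = "$lang_stats.field_labels.event"
      log_field = "event"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # event
    protocol = {
      label = "$lang_stats.field_labels.protocol"
      log_field = "protocol"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # protocol
    classification = {
      label = "$lang_stats.field_labels.classification"
      log_field = "classification"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # classification
    priority = {
      label = "$lang_stats.field_labels.priority"
      log_field = "priority"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # priority
    type = {
      label = "$lang_stats.field_labels.type"
      log_field = "type"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # type
    code = {
      label = "$lang_stats.field_labels.code"
      log_field = "code"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # code
    xref = {
      label = "$lang_stats.field_labels.xref"
      log_field = "xref"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # xref
    ttl = {
      label = "$lang_stats.field_labels.ttl"
      log_field = "ttl"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # ttl
    tos = {
      label = "$lang_stats.field_labels.tos"
      log_field = "tos"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # tos
    id = {
      label = "$lang_stats.field_labels.id"
      log_field = "id"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # id
    ack = {
      label = "$lang_stats.field_labels.ack"
      log_field = "ack"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # ack
    win = {
      label = "$lang_stats.field_labels.win"
      log_field = "win"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # win
    from = {
      label = "$lang_stats.field_labels.from"
      log_field = "from"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # from
    to = {
      label = "$lang_stats.field_labels.to"
      log_field = "to"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # to
  } # database.fields

  database.numerical_fields = {
    events = {
      label = "$lang_stats.field_labels.events"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # events
  } # database.numerical_fields

  log.filters = {
    # Only the first "(" and first ")" in the event text are rewritten;
    # any later parentheses are left alone.
    remove_parentheses = "event = replace_first(replace_first(event, '(', '['), ')', ']')"
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
  } # log.filters

  create_profile_wizard_options = {
    date_time_tracking = true
    host_tracking = true
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      source_host = true
      destination_host = true
      source_port = true
      destination_port = true
      event = true
      protocol = true
      classification = true
      priority = true
      type = true
      code = true
      xref = true
      ttl = true
      tos = true
      id = true
      ack = true
      win = true
      from = true
      to = true
    } # report_groups
  } # create_profile_wizard_options

  not_supported = {
    sessions = true
    pageviews = true
    bandwidth = true
    visitors = true
  } # not_supported

} # snort_standalone_mmdd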