Created August 6, 2016 10:45
iptables Grok Pattern
# GROK Custom Patterns (add to patterns directory and reference in GROK filter for iptables events):
# GROK Patterns for iptables Logging Format
#
# Created 6 Aug 2016 by Brian Turek <brian.turek@gmail.com>
# Most of this was taken from another source but now I cannot find it for credit
#
# Usage: Use the IPTABLES pattern
NETFILTERMAC %{MAC:dest_mac}:%{MAC:src_mac}:%{ETHTYPE:ethtype}
ETHTYPE (?:(?:[A-Fa-f0-9]{2}):(?:[A-Fa-f0-9]{2}))
# MAC= is only logged when the packet has an input interface (it is absent in OUTPUT chain logs), so it is optional
IPTABLES_ETHERNET IN=%{DATA:iface}? OUT=%{DATA:oface}?(?: MAC=%{NETFILTERMAC}?)?
IPTABLES_PORT_PAIR SPT=%{INT:src_port} DPT=%{INT:dest_port}
# Flags are space separated; the \b stops URG from matching the start of URGP=
IPTABLES_TCP_FLAG (?:CWR|ECE|URG|ACK|PSH|RST|SYN|FIN)\b
IPTABLES_TCP_FLAGS %{IPTABLES_TCP_FLAG}(?: %{IPTABLES_TCP_FLAG})*
IPTABLES_TCP_SEQ SEQ=%{INT:sequence_number} ACK=%{INT:ack_number}
IPTABLES_TCP_DETAILS (?:%{IPTABLES_TCP_SEQ} )?WINDOW=%{INT:tcp_window} RES=%{BASE16NUM:res}(?: %{IPTABLES_TCP_FLAGS:tcp_flags})?(?: URGP=%{INT:urgp})?
IPTABLES_INCOMPLETE_PACKET INCOMPLETE \[%{INT:incomplete} bytes\]
IPTABLES_UDP_DETAILS LEN=%{INT:data_length}
IPTABLES_ICMP_EXTRA_ECHO ID=%{INT:icmp_echo_id} SEQ=%{INT:icmp_echo_sequence}
IPTABLES_ICMP_EXTRA_PARAM PARAMETER=%{INT:icmp_parameter}
IPTABLES_ICMP_EXTRA_REDIRECT GATEWAY=%{IP:icmp_redirect}
IPTABLES_ICMP_EXTRA ( (?:%{IPTABLES_ICMP_EXTRA_ECHO}|%{IPTABLES_ICMP_EXTRA_PARAM}|%{IPTABLES_ICMP_EXTRA_REDIRECT}))*
IPTABLES_ICMP_DETAILS TYPE=%{INT:icmp_type} CODE=%{INT:icmp_code}(( %{IPTABLES_INCOMPLETE_PACKET})|%{IPTABLES_ICMP_EXTRA})
# Inner IP header that the kernel logs in brackets for ICMP error messages; not referenced by IPTABLES below
IPTABLES_ICMP_NESTED \[%{IPTABLES_IP_START} %{IPTABLES_IP_PAYLOAD}\s*\]
IPTABLES_PROTOCOL PROTO=%{WORD:proto}
IPTABLES_IP_PAYLOAD %{IPTABLES_PROTOCOL}( %{IPTABLES_PORT_PAIR})?( (%{IPTABLES_TCP_DETAILS}|%{IPTABLES_UDP_DETAILS}|%{IPTABLES_ICMP_DETAILS}|%{IPTABLES_INCOMPLETE_PACKET}))?
IPTABLES_IP_FRAGFLAG (?:CE|DF|MF)\b(?: (?:CE|DF|MF)\b)*
# The kernel logs the fragment offset as FRAG:<offset> with no space after the colon
IPTABLES_IP_START SRC=%{IP:src_ip} DST=%{IP:dest_ip} LEN=%{INT:length} TOS=%{BASE16NUM:tos} PREC=%{BASE16NUM:prec} TTL=%{INT:ttl} ID=%{INT:id}(?: %{IPTABLES_IP_FRAGFLAG:flags})?(?: FRAG:%{INT:fragment})?
IPTABLES_IP %{IPTABLES_IP_START} %{IPTABLES_IP_PAYLOAD}
IPTABLES %{IPTABLES_ETHERNET} %{IPTABLES_IP}
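To check that the patterns match real kernel output before dropping them into Logstash, here is an added example (not part of the gist) in Python: a minimal grok expander that resolves the %{...} references into a regex and parses two constructed iptables TCP lines, one from the INPUT chain (with MAC=) and one from the OUTPUT chain (no MAC=). It covers only the TCP path (no UDP/ICMP branches), and the base patterns INT, IP, MAC and so on are simplified stand-ins for Logstash's built-ins.

```python
import re

# Added example, not part of the gist: a small grok expander that resolves
# %{NAME} / %{NAME:field} references into a Python regex, then parses two
# constructed iptables TCP log lines with the TCP path of the patterns above.
# Base patterns are simplified stand-ins for Logstash's built-ins (IP accepts
# only dotted IPv4, MAC only the colon form); the rest are copied from this file.
PATTERNS = {
    "INT": r"(?:[+-]?(?:[0-9]+))",
    "BASE16NUM": r"(?:0x)?[0-9A-Fa-f]+",
    "WORD": r"\b\w+\b",
    "DATA": r".*?",
    "IP": r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}",
    "MAC": r"(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2}",
    "ETHTYPE": r"(?:[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2})",
    "NETFILTERMAC": r"%{MAC:dest_mac}:%{MAC:src_mac}:%{ETHTYPE:ethtype}",
    "IPTABLES_ETHERNET": r"IN=%{DATA:iface}? OUT=%{DATA:oface}?(?: MAC=%{NETFILTERMAC}?)?",
    "IPTABLES_PORT_PAIR": r"SPT=%{INT:src_port} DPT=%{INT:dest_port}",
    "IPTABLES_TCP_FLAG": r"(?:CWR|ECE|URG|ACK|PSH|RST|SYN|FIN)\b",
    "IPTABLES_TCP_FLAGS": r"%{IPTABLES_TCP_FLAG}(?: %{IPTABLES_TCP_FLAG})*",
    "IPTABLES_TCP_SEQ": r"SEQ=%{INT:sequence_number} ACK=%{INT:ack_number}",
    "IPTABLES_TCP_DETAILS": r"(?:%{IPTABLES_TCP_SEQ} )?WINDOW=%{INT:tcp_window} RES=%{BASE16NUM:res}(?: %{IPTABLES_TCP_FLAGS:tcp_flags})?(?: URGP=%{INT:urgp})?",
    "IPTABLES_PROTOCOL": r"PROTO=%{WORD:proto}",
    "IPTABLES_IP_FRAGFLAG": r"(?:CE|DF|MF)\b(?: (?:CE|DF|MF)\b)*",
    "IPTABLES_IP_START": r"SRC=%{IP:src_ip} DST=%{IP:dest_ip} LEN=%{INT:length} TOS=%{BASE16NUM:tos} PREC=%{BASE16NUM:prec} TTL=%{INT:ttl} ID=%{INT:id}(?: %{IPTABLES_IP_FRAGFLAG:flags})?(?: FRAG:%{INT:fragment})?",
    "IPTABLES_IP_PAYLOAD": r"%{IPTABLES_PROTOCOL}(?: %{IPTABLES_PORT_PAIR})?(?: %{IPTABLES_TCP_DETAILS})?",
    "IPTABLES": r"%{IPTABLES_ETHERNET} %{IPTABLES_IP_START} %{IPTABLES_IP_PAYLOAD}",
}
REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def expand(name):
    """Recursively resolve %{...} references; %{NAME:field} becomes a named group."""
    def sub(m):
        inner = expand(m.group(1))
        return f"(?P<{m.group(2)}>{inner})" if m.group(2) else f"(?:{inner})"
    return REF.sub(sub, PATTERNS[name])

IPTABLES_RE = re.compile(expand("IPTABLES"))

def parse_iptables(line):
    """Return the fields of an iptables log line (syslog prefix stripped), or None."""
    m = IPTABLES_RE.search(line)
    return {k: v for k, v in m.groupdict().items() if v is not None} if m else None

# Constructed sample lines: an inbound SYN seen in the INPUT chain (with MAC=)
# and an outbound ACK PSH from the OUTPUT chain, where the kernel logs no MAC=.
INBOUND = ("IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=198.51.100.2 "
           "LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4321 DF PROTO=TCP SPT=51523 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0")
OUTBOUND = ("IN= OUT=eth0 SRC=198.51.100.2 DST=203.0.113.7 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF "
            "PROTO=TCP SPT=22 DPT=51523 WINDOW=227 RES=0x00 ACK PSH URGP=0")
```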
Thank you very much! This could save me a lot of time in the future!