
Commit 4aa8efb

Copilotbuixor
andauthored
fix(suricata-fastlogs): use Priority field instead of GID for suricata_rule_severity (#1782)
* Initial plan * fix: suricata-fastlogs parser uses Priority instead of GID for severity Agent-Logs-Url: https://github.com/crowdsecurity/hub/sessions/a23b50a7-3796-4d0b-8c72-1de02a7e5972 Co-authored-by: buixor <990714+buixor@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: buixor <990714+buixor@users.noreply.github.com>
1 parent ed21aee commit 4aa8efb

2 files changed

Lines changed: 16 additions & 16 deletions


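--- a/.tests/suricata-logs-fastlog/parser.assert
+++ b/.tests/suricata-logs-fastlog/parser.assert
@@ -37,14 +37,14 @@ results["s01-parse"]["crowdsecurity/suricata-fastlogs"][0].Evt.Parsed["program"]
 results["s01-parse"]["crowdsecurity/suricata-fastlogs"][0].Evt.Parsed["source_ip"] == "2.57.122.209"
 results["s01-parse"]["crowdsecurity/suricata-fastlogs"][0].Evt.Parsed["suricata_alert_signature"] == "SURICATA TCPv4 invalid checksum"
 results["s01-parse"]["crowdsecurity/suricata-fastlogs"][0].Evt.Parsed["suricata_classification"] == "Generic Protocol Command Decode"
-results["s01-parse"]["crowdsecurity/suricata-fastlogs"][0].Evt.Parsed["suricata_rule_severity"] == "1"
+results["s01-parse"]["crowdsecurity/suricata-fastlogs"][0].Evt.Parsed["suricata_gid"] == "1"
 results["s01-parse"]["crowdsecurity/suricata-fastlogs"][0].Evt.Parsed["date"] == "07/11/2022"
 results["s01-parse"]["crowdsecurity/suricata-fastlogs"][0].Evt.Parsed["message"] == "07/11/2022-10:29:01.860293 [**] [1:2200074:2] SURICATA TCPv4 invalid checksum [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 2.57.122.209:28487 -> 172.31.18.55:80"
 results["s01-parse"]["crowdsecurity/suricata-fastlogs"][0].Evt.Parsed["suricata_alert_signature_rev"] == "2"
 results["s01-parse"]["crowdsecurity/suricata-fastlogs"][0].Evt.Parsed["time"] == "10:29:01.860293"
 results["s01-parse"]["crowdsecurity/suricata-fastlogs"][0].Evt.Parsed["dest_ip"] == "172.31.18.55"
 results["s01-parse"]["crowdsecurity/suricata-fastlogs"][0].Evt.Meta["suricata_alert_signature_id"] == "2200074"
-results["s01-parse"]["crowdsecurity/suricata-fastlogs"][0].Evt.Meta["suricata_rule_severity"] == "1"
+results["s01-parse"]["crowdsecurity/suricata-fastlogs"][0].Evt.Meta["suricata_rule_severity"] == "3"
 results["s01-parse"]["crowdsecurity/suricata-fastlogs"][0].Evt.Meta["datasource_path"] == "suricata-logs-fastlog.log"
 results["s01-parse"]["crowdsecurity/suricata-fastlogs"][0].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/suricata-fastlogs"][0].Evt.Meta["log_type"] == "suricata_alert"
@@ -62,7 +62,7 @@ results["s01-parse"]["crowdsecurity/suricata-fastlogs"][1].Evt.Parsed["source_po
 results["s01-parse"]["crowdsecurity/suricata-fastlogs"][1].Evt.Parsed["suricata_classification"] == "Attempted Information Leak"
 results["s01-parse"]["crowdsecurity/suricata-fastlogs"][1].Evt.Parsed["source_ip"] == "89.248.163.216"
 results["s01-parse"]["crowdsecurity/suricata-fastlogs"][1].Evt.Parsed["suricata_alert_signature"] == "ET SCAN Sipvicious Scan"
-results["s01-parse"]["crowdsecurity/suricata-fastlogs"][1].Evt.Parsed["suricata_rule_severity"] == "1"
+results["s01-parse"]["crowdsecurity/suricata-fastlogs"][1].Evt.Parsed["suricata_gid"] == "1"
 results["s01-parse"]["crowdsecurity/suricata-fastlogs"][1].Evt.Parsed["date"] == "07/11/2022"
 results["s01-parse"]["crowdsecurity/suricata-fastlogs"][1].Evt.Parsed["program"] == "suricata-fastlogs"
 results["s01-parse"]["crowdsecurity/suricata-fastlogs"][1].Evt.Parsed["rule_id"] == "2008578"
@@ -74,7 +74,7 @@ results["s01-parse"]["crowdsecurity/suricata-fastlogs"][1].Evt.Meta["service"] =
 results["s01-parse"]["crowdsecurity/suricata-fastlogs"][1].Evt.Meta["source_ip"] == "89.248.163.216"
 results["s01-parse"]["crowdsecurity/suricata-fastlogs"][1].Evt.Meta["sub_log_type"] == "suricata_alert_fast_log"
 results["s01-parse"]["crowdsecurity/suricata-fastlogs"][1].Evt.Meta["suricata_alert_signature_id"] == "2008578"
-results["s01-parse"]["crowdsecurity/suricata-fastlogs"][1].Evt.Meta["suricata_rule_severity"] == "1"
+results["s01-parse"]["crowdsecurity/suricata-fastlogs"][1].Evt.Meta["suricata_rule_severity"] == "2"
 results["s01-parse"]["crowdsecurity/suricata-fastlogs"][1].Evt.Meta["datasource_path"] == "suricata-logs-fastlog.log"
 results["s01-parse"]["crowdsecurity/suricata-fastlogs"][2].Success == true
 results["s01-parse"]["crowdsecurity/suricata-fastlogs"][2].Evt.Parsed["proto"] == "TCP"
@@ -92,13 +92,13 @@ results["s01-parse"]["crowdsecurity/suricata-fastlogs"][2].Evt.Parsed["suricata_
 results["s01-parse"]["crowdsecurity/suricata-fastlogs"][2].Evt.Parsed["message"] == "07/11/2022-08:36:12.345430 [**] [1:2034567:1] ET HUNTING curl User-Agent to Dotted Quad [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.31.18.55:57194 -> 169.254.169.254:80"
 results["s01-parse"]["crowdsecurity/suricata-fastlogs"][2].Evt.Parsed["source_ip"] == "172.31.18.55"
 results["s01-parse"]["crowdsecurity/suricata-fastlogs"][2].Evt.Parsed["source_port"] == "57194"
-results["s01-parse"]["crowdsecurity/suricata-fastlogs"][2].Evt.Parsed["suricata_rule_severity"] == "1"
+results["s01-parse"]["crowdsecurity/suricata-fastlogs"][2].Evt.Parsed["suricata_gid"] == "1"
 results["s01-parse"]["crowdsecurity/suricata-fastlogs"][2].Evt.Meta["log_type"] == "suricata_alert"
 results["s01-parse"]["crowdsecurity/suricata-fastlogs"][2].Evt.Meta["service"] == "suricata"
 results["s01-parse"]["crowdsecurity/suricata-fastlogs"][2].Evt.Meta["source_ip"] == "172.31.18.55"
 results["s01-parse"]["crowdsecurity/suricata-fastlogs"][2].Evt.Meta["sub_log_type"] == "suricata_alert_fast_log"
 results["s01-parse"]["crowdsecurity/suricata-fastlogs"][2].Evt.Meta["suricata_alert_signature_id"] == "2034567"
-results["s01-parse"]["crowdsecurity/suricata-fastlogs"][2].Evt.Meta["suricata_rule_severity"] == "1"
+results["s01-parse"]["crowdsecurity/suricata-fastlogs"][2].Evt.Meta["suricata_rule_severity"] == "2"
 results["s01-parse"]["crowdsecurity/suricata-fastlogs"][2].Evt.Meta["datasource_path"] == "suricata-logs-fastlog.log"
 results["s01-parse"]["crowdsecurity/suricata-fastlogs"][2].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/suricata-fastlogs"][3].Success == true
@@ -117,7 +117,7 @@ results["s01-parse"]["crowdsecurity/suricata-fastlogs"][3].Evt.Parsed["dest_port
 results["s01-parse"]["crowdsecurity/suricata-fastlogs"][3].Evt.Parsed["rule_id"] == "2034125"
 results["s01-parse"]["crowdsecurity/suricata-fastlogs"][3].Evt.Parsed["source_port"] == "36288"
 results["s01-parse"]["crowdsecurity/suricata-fastlogs"][3].Evt.Parsed["suricata_alert_signature_rev"] == "4"
-results["s01-parse"]["crowdsecurity/suricata-fastlogs"][3].Evt.Parsed["suricata_rule_severity"] == "1"
+results["s01-parse"]["crowdsecurity/suricata-fastlogs"][3].Evt.Parsed["suricata_gid"] == "1"
 results["s01-parse"]["crowdsecurity/suricata-fastlogs"][3].Evt.Meta["service"] == "suricata"
 results["s01-parse"]["crowdsecurity/suricata-fastlogs"][3].Evt.Meta["source_ip"] == "185.7.214.104"
 results["s01-parse"]["crowdsecurity/suricata-fastlogs"][3].Evt.Meta["sub_log_type"] == "suricata_alert_fast_log"
@@ -130,7 +130,7 @@ len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 4
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["date"] == "07/11/2022"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["suricata_priority"] == "3"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["suricata_rule_severity"] == "1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["suricata_gid"] == "1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["dest_ip"] == "172.31.18.55"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["rule_id"] == "2200074"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["source_port"] == "28487"
@@ -151,7 +151,7 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["sub_log_type"] == "suricata_alert_fast_log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "suricata"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["suricata_alert_signature_id"] == "2200074"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["suricata_rule_severity"] == "1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["suricata_rule_severity"] == "3"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2022-07-11T10:29:01.860293Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2022-07-11T10:29:01.860293Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
@@ -170,15 +170,15 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["suricata_
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_ip"] == "89.248.163.216"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["source_port"] == "5116"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["date"] == "07/11/2022"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["suricata_rule_severity"] == "1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["suricata_gid"] == "1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"] == "suricata-logs-fastlog.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "suricata_alert"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "suricata"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["sub_log_type"] == "suricata_alert_fast_log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "89.248.163.216"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["suricata_alert_signature_id"] == "2008578"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["suricata_rule_severity"] == "1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["suricata_rule_severity"] == "2"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2022-07-11T10:29:32.251216Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2022-07-11T10:29:32.251216Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true
@@ -191,7 +191,7 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["suricata_
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["dest_port"] == "80"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["suricata_alert_signature"] == "ET HUNTING curl User-Agent to Dotted Quad"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["suricata_alert_signature_rev"] == "1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["suricata_rule_severity"] == "1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["suricata_gid"] == "1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["suricata_classification"] == "Potentially Bad Traffic"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["suricata_timestamp"] == "07/11/2022 08:36:12.345430"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["date"] == "07/11/2022"
@@ -206,13 +206,13 @@ results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"]
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2022-07-11T08:36:12.34543Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "172.31.18.55"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["sub_log_type"] == "suricata_alert_fast_log"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["suricata_rule_severity"] == "1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["suricata_rule_severity"] == "2"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2022-07-11T08:36:12.34543Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "07/11/2022-06:09:52.602489 [**] [1:2034125:4] ET EXPLOIT Apache HTTP Server 2.4.49 - Path Traversal Attempt (CVE-2021-41773) M2 [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 185.7.214.104:36288 -> 172.31.18.55:80"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["suricata_alert_signature_rev"] == "4"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["suricata_priority"] == "1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["suricata_rule_severity"] == "1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["suricata_gid"] == "1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "suricata-fastlogs"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["rule_id"] == "2034125"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["source_port"] == "36288"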
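Review bot: Every fixture alert in this file carries GID 1 (`[1:2200074:2]`, `[1:2008578:…]`, `[1:2034567:1]`, `[1:2034125:4]`), so the new `suricata_gid == "1"` assertions cannot tell a correct capture of the first bracketed field from the constant "1" the old `suricata_rule_severity` key used to hold. A fixture line whose first bracket field is not 1 (a constructed sample) would make the capture observable and catch a future regression that swaps the two fields back. The `suricata_rule_severity` meta assertions do exercise the fix, since they now expect 3, 2 and 2 instead of a flat 1; event [3] keeps Priority 1 and so its meta line does not appear in the diff.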

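--- a/parsers/s01-parse/crowdsecurity/suricata-logs.yaml
+++ b/parsers/s01-parse/crowdsecurity/suricata-logs.yaml
@@ -5,7 +5,7 @@ description: "Parse suricata fast.log"
 pattern_syntax:
 SURICATA_MARKER: '\[\*\*\]'
 SURICATA_DATE: '%{DATE_US:date}-%{TIME:time}'
-SURICATA_RULE_ID: '\[%{NUMBER:suricata_rule_severity}:%{NUMBER:rule_id}:%{NUMBER:suricata_alert_signature_rev}\]'
+SURICATA_RULE_ID: '\[%{NUMBER:suricata_gid}:%{NUMBER:rule_id}:%{NUMBER:suricata_alert_signature_rev}\]'
 grok:
 pattern: '%{SURICATA_DATE} %{SURICATA_MARKER} %{SURICATA_RULE_ID} %{DATA:suricata_alert_signature} %{SURICATA_MARKER} \[Classification: %{DATA:suricata_classification}\] \[Priority: %{NUMBER:suricata_priority}\] \{%{DATA:proto}\} %{IP:source_ip}:%{NUMBER:source_port} \-> %{IP:dest_ip}:%{NUMBER:dest_port}'
 apply_on: message
@@ -24,7 +24,7 @@ statics:
 - meta: suricata_alert_signature_id
 expression: evt.Parsed.rule_id
 - meta: suricata_rule_severity
-expression: evt.Parsed.suricata_rule_severity
+expression: evt.Parsed.suricata_priority
 - meta: source_ip
 expression: evt.Parsed.source_ip
 ---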
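Review bot: The `suricata_rule_severity` meta is now fed from the fast.log Priority field (second hunk, line 27), whose ordering is the reverse of what the meta name suggests: in the test fixtures Priority 1 accompanies "Attempted Administrator Privilege Gain" and Priority 3 "Generic Protocol Command Decode", so a lower number is the more severe alert. Any scenario or postoverflow that thresholds on this meta as if larger meant more severe would now select the least interesting alerts, so the static deserves a comment such as `# Suricata Priority: lower number = more severe (1 is the highest); compare with <=, not >=`. The first hunk (line 8) also renames the Parsed key `suricata_rule_severity` to `suricata_gid`, so anything reading `evt.Parsed.suricata_rule_severity` directly now gets an empty value; the commit message describes the meta fix but not this removal, and the description should say which consumers of the Parsed key, if any, were checked.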
