I am new to splunk and have been trying to set up my first transforms but I am having some issues. I was hoping to get some help.
Here is the scenario:
Given this data:
Time: 05/09-16:32:33.470574
event_ref: 0
22.1.11.254 -> 17.96.40.171 (portscan) TCP Portsweep
Priority Count: 3
Connection Count: 9
IP Count: 12
Scanned IP Range: 17.158.28.47:204.0.4.104
Port/Proto Count: 9
Port/Proto Range: 80:12350
And this transforms.conf
[snortPSVarious]
REGEX=(?m)(\d+.\d+.\d+.\d+)(\s+)(->\s+)(\d+.\d+.\d+.\d+\s+)(.*\R)
FORMAT=snortps_src_ip::$1 snortps_dir::$3 snortps_dst_ip::$4 snortps_type::$5
Problem: No matter what I try the snortps_type won't return "(portscan) TCP Portsweep".
It actually matches (in Splunk) the rest of the string. Oddly enough, when I test this SAME regex at:
http://gskinner.com/RegExr/
I would attach a screen shot but apparently I don't have enough "karma". 😉
Any thoughts out there?
Best,
-Roberto
... View more