Welcome to the Aanval Wiki. Snort, Suricata and Syslog Intrusion Detection, Situational Awareness and Risk Management.

Visit http://www.aanval.com/ for more information.

Aanval:Syslog Filter Assignment

From Aanval Wiki

Syslog filters are regular expressions assigned to pre-defined fields so that incoming syslog events can be normalized into the console's data model. Filters are defined in the Syslog Filter Assignment section of the Aanval console.

  • Ensure you select the proper sensor prior to assigning filters; filters are assigned per sensor.

The fields that filters can be assigned to are:

  • Date: used for date normalization.
  • Time: used for time normalization.
  • Risk Level: used to assign a risk level during normalization.
  • Source IP: used to assign the identified IP address to the source field during import and normalization.
  • Destination IP: used to assign the identified IP address to the destination field during import and normalization.
  • Source Port: used to assign the source port to this field.
  • Destination Port: used to assign the destination port to this field.
  • Event Name: assigned a relevant event name taken from the matched syslog expression.
  • Category Name: assigned a relevant event category name string taken from the matched syslog expression.
  • Payload: should normally contain the entire syslog payload string, so that other console features (such as string/text payload searching) remain effective. Use .* as the regular expression filter to match the entire string.

Filters may be stacked. During normalization, the stacked filters for a field are applied to the syslog event string in order: if a filter returns no data, the next filter in the stack is applied, and so on. As soon as a filter returns data, matching ends for that field; the remaining filters in the stack are not evaluated.

An example would be to stack multiple date matching regular expression filters for a syslog source that produces inconsistent or varying date formats. Aanval continues through the stack until a filter matches and returns data, so a source that alternates between, for example, an ISO date and a traditional syslog "Mon DD" date can be normalized with one filter for each format.

Because the first filter that returns data wins, order a stack from most specific to most general. A catch-all expression such as .* always returns data, so if it is placed above more specific filters those filters will never be reached.
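The following is an added illustration of the stacking behaviour described above; it is not Aanval's code, and it assumes a simplified filter model in which each stacked filter is a Python regular expression whose first capture group is the data returned (so the payload filter is written as (.*) rather than .*). The field names follow the console's fields, and the two sample log lines are constructed for the example.

```python
"""First-match-wins filter stacking for syslog field normalization.

Added example, not Aanval's own code. Assumptions: one Python regular
expression per stacked filter, capture group 1 is the data returned, and a
filter that does not match (or whose group is empty) returns nothing so the
next filter in the stack is tried. Sample events are constructed.
"""
import re
from typing import Dict, List, Optional

# Fields in the order the page lists them.
FIELDS = ["date", "time", "risk_level", "src_ip", "dst_ip",
          "src_port", "dst_port", "event_name", "category_name", "payload"]

# Constructed sample events (not real device output). The two lines carry the
# same kind of event with different date formats, which is exactly the case
# that calls for two stacked Date filters.
SAMPLE_EVENTS = [
    "2024-03-09 14:22:01 fw01 DROP src=10.0.0.5:51234 dst=192.0.2.10:443 proto=tcp",
    "Mar  9 14:22:02 fw01 ACCEPT src=10.0.0.7:40000 dst=192.0.2.11:22 proto=tcp",
]

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

# Assumed filter stacks: one list of regexes per field, tried top to bottom.
# Fields with no stack (risk_level here) are left empty during normalization.
FILTER_STACKS: Dict[str, List[str]] = {
    # Two stacked Date filters: ISO date first, then the traditional "Mon DD" form.
    "date": [r"^(\d{4}-\d{2}-\d{2})", r"^([A-Z][a-z]{2}\s+\d{1,2})"],
    "time": [r"(\d{2}:\d{2}:\d{2})"],
    "src_ip": [r"src=" + IPV4],
    "dst_ip": [r"dst=" + IPV4],
    "src_port": [r"src=\S+?:(\d+)"],
    "dst_port": [r"dst=\S+?:(\d+)"],
    "event_name": [r"\s(DROP|ACCEPT)\s"],
    "category_name": [r"proto=(\w+)"],
    # Catch-all so the whole line is kept and payload text search still works.
    "payload": [r"(.*)"],
}


def apply_stack(event: str, stack: List[str]) -> Optional[str]:
    """Apply stacked filters in order and return the first data that comes back.

    Matching ends for the field as soon as a filter returns non-empty data;
    if every filter falls through, the field gets no value.
    """
    for pattern in stack:
        match = re.search(pattern, event)
        if match and match.group(1):
            return match.group(1)
    return None


def normalize(event: str,
              stacks: Dict[str, List[str]] = FILTER_STACKS) -> Dict[str, Optional[str]]:
    """Normalize one syslog event string into the console fields."""
    return {field: apply_stack(event, stacks.get(field, [])) for field in FIELDS}


def catch_all_first(event: str) -> Optional[str]:
    """Show why order matters: a catch-all placed above a specific filter wins
    every time, so the specific date filter below it is never reached and the
    Date field ends up holding the entire line."""
    return apply_stack(event, [r"(.*)", r"^(\d{4}-\d{2}-\d{2})"])


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        for field, value in normalize(line).items():
            print(f"{field:14} {value!r}")
        print()
    print("date with catch-all stacked first:", repr(catch_all_first(SAMPLE_EVENTS[0])))
```

Running the block shows the first event's date taken by the ISO filter and the second event's date falling through to the "Mon DD" filter, while every other field is filled by its single filter; the last line shows the whole event landing in the Date field when .* is stacked first.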