Network Intrusion Systems - Snort
Intrusion Detection Systems
• Collection - software or appliance
• Analysis - people
• Escalation - processes
[Link] 2
Intrusion Detection Systems
• NIDS - network-based intrusion detection system
• HIDS - host-based intrusion detection system
• DIDS - distributed intrusion detection system
Intrusion Detection Systems
Types of IDSs
• Signature-Based Intrusion Detection
• Heuristic Intrusion Detection
NIDS
• Monitors entire network (or network segment)
• Operates in promiscuous or non-promiscuous mode
• Inline or offline mode
HIDS
• Granular configuration of end-points
• Centralized management
DIDS
• Centralized collector
Be aware of
• False positives - an alert is triggered on legitimate traffic where no intrusion or attack has occurred
• False negatives - failure to trigger an alert while an actual attack is underway
• Tune your out-of-the-box IDS
IDS will do
• continuously watch packets
• understand them
• alert almost immediately
• identify attack trends and patterns
• block suspicious traffic
SNORT
• "sniffer and more"
• almost 20 years old
• first version had 2 files
• rule-based analyzer
Snort's architecture
• sniffer
• preprocessor
• detection engine
• output
Installing Snort
Most Linux software can be installed in 2 ways
• from source - the more complex way
• from a repository - with pre/post-installation scripts
Installing Snort
Log in to [Link].32.4 as the root user
Installing Snort
Verify your system is up-to-date
• apt-get update && apt-get upgrade
Installing Snort
Install Snort from repository
• apt-get install snort
Installing Snort
By default, Snort offers the 'eth0' network interface. Be sure you set the correct one. For the Ubuntu server it should be 'ens160'
Installing Snort
Set the proper local network range during installation.
Set the address range to your network: [Link].32.0/24
Multiple networks must be comma-separated.
Installing Snort
Verify you have the correct network interface - ens160
Installing Snort
If Snort installed successfully, you should not see any error messages after installation
Installing Snort
Before continuing with Snort setup, we have to verify its configuration.
Snort's configuration file is located in '/etc/snort/[Link]'
Open the Snort configuration file in a text editor and review the variables 'HOME_NET' and 'EXTERNAL_NET'
Installing Snort
In case the 'HOME_NET' variable is set to 'any', change it to your network range
Or you can change it in the terminal with the 'sed' command
• sed -i 's|^ipvar HOME_NET any|ipvar HOME_NET [Link].32.0/24|' /etc/snort/[Link]
Installing Snort
The best way to understand how Snort rules work is to disable all rules first
• sed -i 's/^include \$RULE_PATH/#include $RULE_PATH/' /etc/snort/[Link]
Installing Snort
Verify Snort installation
• snort -V
Installing Snort
Check the paths for Snort rules in '/etc/snort/[Link]'
The following paths are the correct ones
▪ var RULE_PATH /etc/snort/rules
▪ var SO_RULE_PATH /etc/snort/so_rules
▪ var PREPROC_RULE_PATH /etc/snort/preproc_rules
• grep 'RULE_PATH ' /etc/snort/[Link]
Installing Snort
Adjust the Snort logging settings in '/etc/snort/[Link]'
Replace the line "output unified2: filename [Link], limit 128, nostamp, mpls_event_types, vlan_event_types"
with "output unified2: filename snort.u2, limit 128"
Installing Snort
Use a sed one-liner to make the change
• sed -i "/^output unified2/coutput unified2: filename snort.u2, limit 128" /etc/snort/[Link]
Check the new configuration
• grep '^output unified2' /etc/snort/[Link]
Installing Snort
Since we disabled all Snort rules, we have to enable the custom rules' location in '/etc/snort/[Link]'
Uncomment the line '#include $RULE_PATH/[Link]'
Remove the '#' sign from the beginning of the line
Installing Snort
Or in your terminal use a sed one-liner
• sed -i 's/^#include \$RULE_PATH\/[Link]/include $RULE_PATH\/[Link]/' /etc/snort/[Link]
Installing Snort
It is important to archive Snort's logs
Create a new folder for archived logs
• mkdir /var/log/snort/archived_logs
Set proper ownership on the folder
• chown snort:snort /var/log/snort/archived_logs
Verify the folder and its permissions
• ls -lad /var/log/snort/archived_logs/
Installing Snort
Create the additional Snort folders referenced by SO_RULE_PATH and PREPROC_RULE_PATH
• mkdir /etc/snort/preproc_rules
• mkdir /etc/snort/so_rules
Set correct ownership recursively
• chown -R snort:snort /etc/snort
• chown -R snort:snort /var/log/snort
• chown -R snort:snort /usr/lib/snort_dynamicrules
Verify Snort installation
After the Snort configuration changes, we have to verify that the configuration file does not contain any errors.
Be sure to set the correct network interface name
• snort -T -c /etc/snort/[Link] -i ens160
Verify Snort installation
If Snort's configuration file has issues, you will see an error.
Snort's configuration checker is pretty smart and in most cases it shows exactly where the configuration errors are. In this example, the error is on line 571, where an unknown rule type 'iinclude' is defined
Verify Snort installation
Fix your Snort configuration file '/etc/snort/[Link]' and re-run the configuration tester
• snort -T -c /etc/snort/[Link] -i ens160
If the message 'Snort successfully validated the configuration!' appears on your screen, Snort has a valid configuration.
Snort - rules
The Snort configuration tester command also shows rule statistics.
Since we disabled all the rules, you will see all zeros in the 'Rule Port Counts' block
Snort - rules
Now, let's add a new custom Snort rule.
Open the custom rule configuration file in a text editor
• vi /etc/snort/rules/[Link]
Add a simple "ping" rule to the end of the file:
• alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; GID:1; sid:10000001; rev:001; classtype:icmp-event;)
Note! The Snort rule format will be explained later
Snort - rules
Or you can use your Linux terminal shell
• echo 'alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; GID:1; sid:10000001; rev:001; classtype:icmp-event;)' >> /etc/snort/rules/[Link]
Snort - rules
Next, we have to create the Snort ID mapping.
Open the SID mapping file '/etc/snort/[Link]' and add the following line to the end of the file
1 || 10000001 || 001 || icmp-event || 0 || ICMP Test detected || url,[Link]/html/rfc792
Snort - rules
Or you can use your Linux terminal shell
• echo '1 || 10000001 || 001 || icmp-event || 0 || ICMP Test detected || url,[Link]/html/rfc792' >> /etc/snort/sid-[Link]
Snort - rules
To verify that Snort accepted the new rule, we have to run the configuration checker:
• snort -T -c /etc/snort/[Link] -i ens160
Since we added one 'icmp' rule for any source, you should see '1' in the 'icmp' column
Snort - rules
Let's test our first Snort rule
If the number of rules is correct and no error is shown, start Snort in console mode
• snort -A console -q -u snort -g snort -c /etc/snort/[Link] -i ens160
Note! At this stage you will not see any output on the screen
Snort - rules
Now ping the Snort server from a remote machine.
If Snort is configured properly and the rule is correct, you should see 'ICMP test detected' messages on the console
Snort - rules
Congratulations!
You have properly configured Snort, created a new custom rule and verified that Snort is working.
Reading Snort logs
• it's a binary format
• keeps Snort efficient (writing binary is cheap)
• so that no traffic is missed while logging
Barnyard2 installation
An open-source interpreter for Snort unified binary output files.
Barnyard2 reads Snort's binary logs and inserts them into the MySQL database for further analysis.
Barnyard2 installation
First, we must install the required software
• apt-get install mysql-server libmysqlclient-dev mysql-client autoconf libtool libdumbnet-dev libpcap-dev make libdaq-dev libdnet-dev libphp-adodb libdnet
Barnyard2 installation
During the MySQL database installation, the installer script might prompt for a new password (3 times). For a test environment, we can leave the password empty
Note! In a production environment it's advised to set a strong password for the MySQL root user
Barnyard2 installation
Before downloading and installing Barnyard2, the following steps must be done
• ln -s /usr/include/dumbnet.h /usr/include/dnet.h
• mkdir -p /opt/snort
Download Barnyard2 from GitHub
• cd /opt/snort
• git clone [Link]
Barnyard2 installation
Change to the Barnyard2 source code folder
• cd barnyard2/
Prepare Barnyard2 for compilation
• ./[Link]
Barnyard2 installation
Configure Barnyard2 for compilation with MySQL support
• ./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu
Verify that no errors are shown at the end of the output
Barnyard2 installation
Compile Barnyard2
• make
Verify that no errors are shown at the end of the output
Barnyard2 installation
Install Barnyard2 (you must be the root user)
• make install
Verify that no errors are shown at the end of the output
Barnyard2 installation
After compiling and installing Barnyard2, we have to verify the installation
• /usr/local/bin/barnyard2 -V
Barnyard2 installation
Since Barnyard2 is used with Snort, we have to copy its configuration file to Snort's directory
• cp /usr/local/etc/[Link] /etc/snort/
Barnyard2 installation
Barnyard2 must have some files and folders in place
• mkdir /var/log/barnyard2
• chown snort:snort /var/log/barnyard2
• touch /var/log/snort/[Link]
• chown snort:snort /var/log/snort/[Link]
Barnyard2 configuration
By default, Barnyard2 logging is disabled.
Let's enable logging in the main configuration file '/etc/snort/[Link]'
Open the configuration file in a text editor, uncomment the 'config logdir' option and set the correct path
• config logdir: /var/log/barnyard2
Barnyard2 configuration
Or use a 'sed' one-liner
• sed -i 's/#config logdir: \/tmp/config logdir: \/var\/log\/barnyard2/' /etc/snort/[Link]
Barnyard2 configuration
Barnyard2 can log to different database types.
Since we will be using a MySQL database, we have to set up the corresponding logging options.
Open the Barnyard2 configuration file '/etc/snort/[Link]' in a text editor and configure the database options
output database: log, mysql, user=snort password=sn0rt dbname=snort host=localhost
Barnyard2 configuration
Or use a shell one-liner
• echo 'output database: log, mysql, user=snort password=sn0rt dbname=snort host=localhost' >> /etc/snort/[Link]
Since the password is stored in cleartext in the [Link] file, we should prevent other users from reading it by removing the read permission for others
• chmod o-r /etc/snort/[Link]
Barnyard2 configuration
Since Barnyard2 saves alerts to a MySQL database, we need to create that database, as well as a 'snort' MySQL user to access it
Log in to the MySQL database as the root user
• mysql -u root -p
Barnyard2 configuration
Create a new database 'snort' in MySQL
• create database snort;
Now switch to the new 'snort' database
• use snort;
Barnyard2 configuration
Create the required tables by running the SQL script
• source /opt/snort/barnyard2/schemas/create_mysql
Note! You should not see any errors at the end of the script output
Barnyard2 configuration
Create a MySQL user for Barnyard2
• CREATE USER 'snort'@'localhost' IDENTIFIED BY 'sn0rt';
Barnyard2 configuration
Allow the MySQL 'snort' user to access only the 'snort' database, with limited permissions
• grant create, insert, select, delete, update on snort.* to 'snort'@'localhost';
Apply the new user settings and exit MySQL
• flush privileges;
• exit;
Running Barnyard2
First run of Barnyard2
• barnyard2 -c /etc/snort/[Link] -d /var/log/snort -f snort.u2 -w /var/log/snort/[Link] -u snort -g snort
If no error is displayed, quit Barnyard2 by pressing Ctrl+C
Finalizing Barnyard2
By default, Barnyard2 will not start automatically at boot time. Let's create an auto-startup unit. Save the following content to the '/lib/systemd/system/[Link]' file
[Unit]
Description=Barnyard2 Daemon
After=[Link] [Link]
[Service]
Type=simple
ExecStart=/usr/local/bin/barnyard2 -c /etc/snort/[Link] -d /var/log/snort -f snort.u2 -q -w /var/log/snort/[Link] -u snort -g snort -D -a /var/log/snort/archived_logs
[Install]
WantedBy=[Link]
Finalizing Barnyard2
Let's fetch the startup unit file from the server and save it to the correct location
• wget [Link] -O /lib/systemd/system/[Link]
Finalizing Barnyard2
Reload the systemd unit files
• systemctl daemon-reload
Enable autostart of Barnyard2
• systemctl enable barnyard2
Start Barnyard2
• systemctl start barnyard2
Finalizing Barnyard2
Verify Barnyard2 is running
• systemctl status barnyard2
Finalizing Barnyard2
Now let's verify that Snort is generating alerts based on the current rules and that Barnyard2 is importing the alerts into the MySQL database.
Restart the Snort and Barnyard2 services
• service snort restart
• service barnyard2 restart
Send several ping packets from a remote machine
• ping -c 3 [Link].32.4
Finalizing Barnyard2
Check that the MySQL database has events in the 'event' table.
Type the following command in the Linux terminal
• mysql -u snort -p -D snort -e "select count(*) from event"
If the count is greater than 0, Snort and Barnyard2 are properly installed and configured.
BASE - Snort Web GUI
BASE is a simple web GUI for Snort.
BASE stands for Basic Analysis and Security Engine
BASE - ADOdb installation
BASE relies on ADOdb (a database abstraction library for PHP).
Let's install ADOdb
• cd /opt/snort
• wget '[Link]b-php5-only/adodb-520-for-php5/adodb-[Link]'
BASE - ADOdb installation
Extract the ADOdb source
• tar -xzf [Link]
Move the ADOdb source to the '/var/adodb' folder
• mv adodb5 /var/adodb
Set proper permissions recursively
• chmod -R 755 /var/adodb
BASE - install Apache
BASE requires a web server with PHP support.
We will install the Apache web server.
Add the Apache2 and PHP 5.6 repository
• add-apt-repository ppa:ondrej/php
BASE - install Apache
After adding new repositories, you must update the package lists
• apt-get update
BASE - install Apache
Install the Apache web server and PHP. Additional PHP modules must also be installed
• apt-get install apache2 libapache2-mod-php5.6 php5.6-mysql php5.6-cli php5.6 php5.6-common php5.6-gd php5.6-cli php-pear php5.6-xml
BASE - install Apache
To verify that the Apache web server is running and PHP is working, we create a simple PHP file
• echo '<?php phpinfo(); ?>' > /var/www/html/[Link]
BASE - install Apache
Open the IP address of the Snort BASE system in your browser
'[Link]'
BASE - Installation
Navigate to the '/opt/snort' folder
• cd /opt/snort
Download the latest version of the BASE source code
• wget [Link]ASE/base-1.4.5/[Link]
BASE - Installation
Extract the downloaded archive
• tar xzf [Link]
Move the extracted folder to the web server folder
• mv base-1.4.5 /var/www/html/base/
Change the working directory to the new location
• cd /var/www/html/base
BASE - Installation
Copy the sample configuration file 'base_conf.[Link]' to 'base_conf.php'
• cp base_conf.[Link] base_conf.php
Install the Image_Graph PHP extension (you may ignore warnings)
• pear install -f --alldeps Image_Graph
BASE - Configuration
Before using BASE, we need to adjust a configuration option in '/var/www/html/base/base_conf.php'
Remove the 'DejaVuSans' font from the variable
• $graph_font_name = "";
Or use a sed one-liner to change the configuration option
• sed -i 's/"DejaVuSans"/""/g' /var/www/html/base/base_conf.php
BASE - Configuration
The next steps are to define the URL for the BASE web application, set the correct location for ADOdb and adjust the MySQL options in the BASE configuration file '/var/www/html/base/base_conf.php'
$BASE_urlpath = '/base';
$DBlib_path = '/var/adodb';
$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snort';
$alert_password = 'sn0rt';
BASE - Configuration
Fetch the file from the server and save it to the correct location
• wget [Link] -O /var/www/html/base/base_conf.php
BASE - Configuration
To finalize the BASE installation, restart the Apache web server
• service apache2 restart
Open the IP address of the Snort BASE system in your browser
'[Link]'
First run BASE
Before using the BASE system, the MySQL database must be prepared. Click the 'Setup page' link on the main page
First run BASE
Click on the "Create BASE AG" button on the upper
right part of the page.
First run BASE
The script will automatically create all required tables and populate them with the required data
Putting all together
Main view of the BASE system
Putting all together
Click on the number next to 'Total Number of Alerts'
Snort rules
The structure of a simple Snort rule is very straightforward:
alert ip any any -> any any (msg: "IP Packet detected";)
• alert - generate an alert if the criteria are met for the captured packet
• ip - protocol type (ip, tcp, udp, icmp)
• any - source IP address
• any - source port (the IP layer does not consider ports)
Snort rules
The structure of a simple Snort rule is very straightforward:
alert ip any any -> any any (msg: "IP Packet detected";)
• -> - direction of the packet
• any - destination IP address
• any - destination port
• msg - message that will be logged
Snort rules
Sources and destinations:
• [Link]/32
• [Link]/24
• $HOME_NET, $EXTERNAL_NET (from [Link])
• [[Link]/24,[Link]/24]
• ![[Link]/24,[Link]/23]
Snort rules
Ports:
• 80
• 1024:2000
• !53
Snort rules - classtypes
Rules can have classifications and priorities
Check /etc/snort/[Link]
config classification: http-event,Generic HTTP event,3
• http-event - name of the classification
• Generic HTTP event - description of the classification
• 3 - priority (a lower number means a higher priority)
Snort rules - classtypes
Setting the classtype of a rule:
• alert tcp any any -> [Link]/24 8080 (msg:"POST data"; content:"POST"; classtype:http-post-data;)
Changing the priority of an alert (the 'priority' option overrides the classification's priority):
• alert tcp any any -> [Link]/24 8080 (msg:"POST data"; content:"POST"; classtype:http-post-data; priority:1;)
Snort rules - SID
Snort ID - rule identifier used by the output modules
• 0-99 - reserved and not used
• 100-1000000 - reserved by Snort
• 1000000 and above - IDs for local/custom rules
Keep a unique ID for each configured alert.
Writing Snort rules
Let's create a new rule in /etc/snort/rules/[Link]
• echo 'alert tcp any any -> [Link].32.0/24 any (msg:"Custom content detected"; content:"ABCD"; sid:10000011; rev:001; classtype:custom-content;)' >> /etc/snort/rules/[Link]
Be sure to set the correct network range!
Writing Snort rules
Now we need to add the new classification to the '/etc/snort/[Link]' file
• echo 'config classification: custom-content,Custom content detected,1' >> /etc/snort/[Link]
Writing Snort rules
Create the SID mapping for the new Snort rule in '/etc/snort/sid-[Link]'
• echo '1 || 10000011 || 001 || custom-content || 0 || Custom content found' >> /etc/snort/sid-[Link]
• echo '10000011 || Custom_content found sid-msg' >> /etc/snort/[Link]
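The checks the rule slides above rely on (option syntax, a classtype that exists in classification.config, a SID in the local range, and a matching sid-msg.map entry) can be scripted before Snort is restarted. This is an added example, not code from the slides or from the Snort project; the rules and classification text are constructed inputs, and the generated sid-msg.map line fills in the classification's priority where the slides wrote 0.

```python
import re

# Constructed sample input (not the page's files): a local.rules in the style of the
# slides, plus a classification.config defining the two classtypes they add.
LOCAL_RULES = """\
alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; GID:1; sid:10000001; rev:001; classtype:icmp-event;)
alert tcp any any -> 192.0.2.0/24 any (msg:"Custom content detected"; content:"ABCD"; sid:10000011; rev:001; classtype:custom-content;)
alert tcp any any -> 192.0.2.0/24 8080 (msg:"POST data"; content:"POST"; sid:500; classtype:http-post-data; priority 1;)
"""
CLASSIFICATION_CONFIG = """\
config classification: icmp-event,Generic ICMP event,3
config classification: custom-content,Custom content detected,1
"""
LOCAL_SID_MIN = 1000000  # slides: SIDs from 1000000 upward are for local/custom rules
RULE_HEADER = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>ip|tcp|udp|icmp)\s+(?P<src>\S+)\s+"
    r"(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$")

def parse_classifications(text):
    """'config classification: name,description,priority' -> {name: (description, priority)}."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"^config classification:\s*([^,]+),([^,]*),(\d+)\s*$", line)
        if m:
            out[m.group(1).strip()] = (m.group(2).strip(), int(m.group(3)))
    return out

def split_options(opts):
    """Split the option block on every ';' that is not inside double quotes."""
    parts, cur, in_quotes = [], [], False
    for ch in opts:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        parts.append("".join(cur).strip())  # option left without its closing ';'
    return parts

def check_rule(line, classtypes):
    """Return (options, errors) for one rule; errors is empty when the rule passes."""
    m = RULE_HEADER.match(line)
    if not m:
        return {}, ["header does not match 'action proto src sport -> dst dport (...)'"]
    opts, errors = {}, []
    for stmt in split_options(m.group("opts")):
        om = re.match(r"^(\w+)\s*(?::\s*(.*))?$", stmt)
        if not om:  # e.g. 'priority 1' instead of 'priority:1'
            errors.append("malformed option %r (expected key:value;)" % stmt)
            continue
        opts[om.group(1).lower()] = om.group(2)  # 'GID:' and 'gid:' are the same option
    for required in ("msg", "sid", "rev", "classtype"):
        if required not in opts:
            errors.append("missing %s" % required)
    if "sid" in opts and int(opts["sid"]) < LOCAL_SID_MIN:
        errors.append("sid %s lies in the range reserved by Snort" % opts["sid"])
    if "classtype" in opts and opts["classtype"] not in classtypes:
        errors.append("classtype %r is not defined in classification.config" % opts["classtype"])
    return opts, errors

def sid_msg_line(opts, classtypes):
    """sid-msg.map v2 entry: gid || sid || rev || classtype || priority || msg."""
    priority = classtypes[opts["classtype"]][1]
    return " || ".join([opts.get("gid", "1"), opts["sid"], opts["rev"], opts["classtype"],
                        str(priority), opts["msg"].strip('"')])

def audit(rules_text, class_text):
    """Check every rule; return ({sid: errors}, [sid-msg.map lines for the valid rules])."""
    classtypes = parse_classifications(class_text)
    report, mapping = {}, []
    for line in rules_text.splitlines():
        if line.strip() and not line.startswith("#"):
            opts, errors = check_rule(line, classtypes)
            report[opts.get("sid", line)] = errors
            if not errors:
                mapping.append(sid_msg_line(opts, classtypes))
    return report, mapping
```

The third constructed rule is rejected for four reasons at once (the unquoted 'priority 1', a reserved SID, a missing rev and an undefined classtype), which is exactly what 'snort -T' would otherwise report one restart at a time.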
Writing Snort rules
To apply the new rule, classification and SID mapping data, we have to restart 'Snort' and 'Barnyard2'
• service snort restart
• service barnyard2 restart
Writing Snort rules
Verify that the new rule is added to Snort
• snort -T -c /etc/snort/[Link] -i ens160
Writing Snort rules
Now let's test the rule. Open your Snort machine's IP address in a browser and type 'ABCD' anywhere in the URL
[Link]
Writing Snort rules
Now open the BASE system in your browser and check the new events by clicking the number next to 'Total Number of Alerts'
Writing Snort rules
Snort has hundreds of predefined rules.
Check the '/etc/snort/rules' folder for examples
• ls -la /etc/snort/rules
Filebeat - Snort logs
By default, Snort logs in binary format.
Let's configure Snort to also write alerts to a plain text file.
Open the /etc/snort/[Link] file and add the following line
• output alert_fast: [Link]
Or use the following one-liner to append the configuration to the end of Snort's configuration file
• echo 'output alert_fast: [Link]' >> /etc/snort/[Link]
Filebeat - Snort logs
By default, many Linux servers have the so-called 'message reduction' option enabled in the rsyslog service.
This parameter specifies whether or not repeated messages should be reduced.
Let's turn off message reduction and then verify the result
• sed -i -e "s/\$RepeatedMsgReduction.*/\$RepeatedMsgReduction off/" /etc/[Link]
• grep -i reduction /etc/[Link]
Filebeat - Snort logs
After the last 2 modifications, we have to restart 2 services: rsyslogd and snort
• service rsyslog restart
• service snort restart
Filebeat - Snort logs
Enable the Snort Filebeat module
• filebeat modules enable snort
Set up the Snort logs in Filebeat
Restart the Filebeat service
• service filebeat restart
Filebeat - Snort logs
Ping the Snort machine from your laptop
• ping [Link].32.4
And open the following page in your browser
• [Link]
Filebeat - Snort logs
Now access Graylog's web interface and check the logs
Filebeat - Snort logs
If you have a complex Filebeat setup, it's advised to set tags on the different logs
Filebeat - Snort logs
Then the Graylog search query will be the following:
• filebeat_tags:snort
You can combine tags in more complex ways
• filebeat_tags:(snort OR nginx) AND NOT filebeat_tags:(system OR mysql)
Filebeat - Snort logs
Snort alerts differ based on the protocol used.
For ICMP alerts, there are no source or destination ports.
But for TCP and/or UDP alerts there are source and destination ports.
[Link] 117
Filebeat - Snort logs
Compare two Snort alerts:
03/02-[Link].974874 [**] [1:10000011:1] Custom content detected [**] [Classification: Custom content detected] [Priority: 1] {TCP} [Link]:1284 -> [Link]:80
03/02-[Link].368497 [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} [Link] -> [Link]
[Link] 118
Filebeat - Snort logs
To create a correct GROK pattern, you have to use 'OR' conditions:
• (?:%{IP:src_IP}|%{IP:src_ip}\:%{INT:src_port})\s+\-\>\s+(?:%{IP:ipdst}|%{IP:ipdst}:%{INT:ipdport})
This pattern will match either a bare IP address or an IP address followed by ':' and a port number.
[Link] 119
Filebeat - Snort logs
Let's create a new pattern for Snort logs.
Search for Snort events in Graylog:
• filebeat_tags:snort
[Link] 120
Filebeat - Snort logs
Click on any Snort event and scroll down to the 'message' part
[Link] 121
Filebeat - Snort logs
At the end of the 'message' field, click on the arrow button and pick 'Create extractor' in the popup
[Link] 122
Filebeat - Snort logs
From the extractor type drop-down, select 'Grok pattern' and then click 'Submit'
[Link] 123
Filebeat - Snort logs
Select 'Named captures only' and enter the GROK pattern.
Be sure to remove any newlines from the Grok pattern.
[Link] 124
Filebeat - Snort logs
The GROK pattern for parsing Snort logs will be the following (one line):
• %{MONTHNUM:month}\/%{MONTHDAY:day}-%{HOUR:hour}:%{MINUTE:minute}:%{SECOND:second}\s+\[\*\*\]\s+\[%{INT:ids_gid}\:%{INT:ids_sid}\:%{INT:ids_rev}\]\s+%{DATA:ids_proto}\s+\[\*\*\]\s+\[Classification:\s+%{DATA:ids_classification}\]\s+\[Priority:\s+%{INT:priority}\]\s+\{%{WORD:ids_proto2}\}\s+(?:%{IP:src_IP}|%{IP:src_ip}\:%{INT:src_port})\s+\-\>\s+(?:%{IP:ipdst}|%{IP:ipdst}:%{INT:ipdport})
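An added example, not part of the slides or of Graylog: the same structure as the GROK pattern written as a Python regular expression, run over two constructed alert_fast lines modelled on the TCP and ICMP alerts compared above, to show how a single endpoint group with an optional ':port' covers both the IP:port and the bare-IP case.

```python
import re

# Constructed sample alerts (not captured from the slides' server) in Snort's
# alert_fast format, modelled on the two alerts compared above: a TCP alert
# with ports and an ICMP alert without them.
SAMPLE_ALERTS = [
    "03/02-14:05:41.974874 [**] [1:10000011:1] Custom content detected [**] "
    "[Classification: Custom content detected] [Priority: 1] {TCP} 192.0.2.10:1284 -> 192.0.2.4:80",
    "03/02-14:05:45.368497 [**] [1:10000001:1] ICMP test detected [**] "
    "[Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.0.2.10 -> 192.0.2.4",
]

# One endpoint group for both cases: an IPv4 address with an optional ':port'.
# This is the Python equivalent of the GROK 'OR' condition on the slides.
ENDPOINT = r"(?P<{p}_ip>\d{{1,3}}(?:\.\d{{1,3}}){{3}})(?::(?P<{p}_port>\d+))?"

# Field names follow the slides' GROK pattern (gid/sid/rev, classification, priority, proto).
ALERT_FAST = re.compile(
    r"^(?P<month>\d{2})/(?P<day>\d{2})-(?P<hour>\d{2}):(?P<minute>\d{2}):(?P<second>\d{2}\.\d+)"
    r"\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"\s+\[Classification:\s+(?P<classification>[^\]]*)\]\s+\[Priority:\s+(?P<priority>\d+)\]"
    r"\s+\{(?P<proto>\w+)\}\s+" + ENDPOINT.format(p="src") + r"\s+->\s+"
    + ENDPOINT.format(p="dst") + r"\s*$")

def parse_alert(line):
    """Return the alert's named fields as a dict, or None for a line that is not an alert."""
    m = ALERT_FAST.match(line)
    if not m:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "priority"):
        alert[key] = int(alert[key])
    for key in ("src_port", "dst_port"):  # absent on ICMP alerts
        alert[key] = int(alert[key]) if alert[key] is not None else None
    return alert

def ports_consistent(alert):
    """TCP/UDP alerts must carry both ports; other protocols (ICMP) must carry none."""
    both = alert["src_port"] is not None and alert["dst_port"] is not None
    return both if alert["proto"] in ("TCP", "UDP") else not both

def count_by_sid(lines):
    """Count well-formed alerts per SID, skipping lines the pattern does not match."""
    counts = {}
    for line in lines:
        alert = parse_alert(line)
        if alert is not None and ports_consistent(alert):
            counts[alert["sid"]] = counts.get(alert["sid"], 0) + 1
    return counts
```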
Filebeat - Snort logs
Before saving the extractor, it's a good idea to test the current GROK pattern. Click on 'Try against example'.
If no errors are shown, you can proceed with saving the extractor.
Filebeat - Snort logs
Set the extractor title and click 'Create extractor'
Filebeat - Snort logs
In some complex GROK extractors you can add an additional keyword/pattern which triggers the current extractor.
Set the desired keyword and hit 'Try'. If you see the message 'Matches', your GROK extractor will have a conditional trigger