snort | Snort in a Docker Container | Continuous Deployment library

Hi everyone I have Grafana v 7.5.7 and I'm trying to extract some content from my data.

In this case, my goal is to take the message from snort alert. I created an event. original as my own variable to collect data from elastic search and now I can see my logs.

Details from Variables Settings

any regex wizards able to help?

I'm trying to get the regex to parse the Suricata fast log. So far I found a old post that kind of works here but would like to get all the data out of the log.

So far I can get the time, date, source ip, source port, destination ip and destination port but would like to also get the alert title, classification and priority.

Log file:

On using

nl /etc/snort/etc/snort.conf | grep output

i get the result,

Let's say I have these classes in JavaScript, and I'm trying to convert them to TypeScript:

I've read a few of the articles on Span (and ReadOnlySpan) and how they musn't be used in async methods.

There was a great Chanel 9 video by Jared Parsons where he showed the following example:

I am trying to separate the IP and Port on the last part of the line but there are other colons present in the line so I have to use regex to identify the IPv4 format, then isolate the matched pattern to IP: then replace the colon with a comma keeping the IP part of the pattern unchanged. I know I have to use capture groups, but it appears its not doing anything?

Input Data:

SHELLCODE x86 OS agnostic fnstenv geteip dword xor decoder [Classification: Executable Code was Detected] [Priority: 1] {TCP} 192.168.202.50:60322 -> 192.168.22.252:445

1) what does this alert mean? what is the signature is looking for? and if its get through what will happen? 2) Which ip is the attacker?

2)Data on SYN packet [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.199.58:63000 -> 192.168.28.100:60000

1) what does this alert mean? what is the signature is looking for? and if its get through what will happen? 2) in which part of the snort architecture this alert came from?

3)SPYWARE-PUT Hacker-Tool timbuktu pro runtime detection - udp port 407 [Classification: Misc activity] [Priority: 3] {UDP} 192.168.199.58:59173 -> 192.168.22.201:407 1) what does this alert mean? what is the signature is looking for? and if its get through what will happen? 2) who is host and who is victim?

4) snort: [1:3815:6] SMTP eXchange POP3 mail server overflow attempt [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.199.58:60327 -> 192.168.21.151:25 1) what does this alert mean? what is the signature is looking for? and if its get through what will happen? 2) who is host and who is attacker?

I have done a ton of searchers but could not understand or find any details information about those signature. please help

so I want to get a little into Linux scripting and started by a simple example in a book. In this book, the author wants me to grab the five lines before "Step #6: Configure output plugins" from snort.conf.

Analogous to the author I determined where the line is that I want, which returns 445 for me. If I then use tail the result returns more text than I expect and the searched line that should be in line 5 is at line 88. I fail to understand how I use the tail command and start at the specific line but then more text is included.

To search for the line I used

I am currently trying to configure the Snort rules to detect SMTP, HTTP and DNS traffic. Is this setup correctly?