Splunk is breaking a single IDS event into two events, such as:
4/11/16
2:42:46.152 PM
04/11-14:42:46.152985 00:05:00:00:00:00 -> 00:00:00:05:00:01 type:0x800 len:0x222
10.20.30.40:59406 -> 106.120.151.145:80 TCP TTL:52 TOS:0x0 ID:53190 IpLen:20 DgmLen:532 DF
***A**** Seq: 0xBA0195C4 Ack: 0xBB15F92D Win: 0x3E00 TcpLen: 20
[Xref => http://doc.emergingthreats.net/2008500]
host = ISMeta2 source = /var/log/snort/snort.log
4/11/16
2:42:46.000 PM
[**] [1:2008500:6] ET MALWARE Sogoul.com Spyware User-Agent (SogouIMEMiniSetup) [**]
[Classification: A Network Trojan was Detected] [Priority: 1]
host = ISMeta2 source = /var/log/snort/snort.log
Which appears in snort.log as this one event:
[**] [1:2008500:6] ET MALWARE Sogoul.com Spyware User-Agent (SogouIMEMiniSetup) [**]
[Classification: A Network Trojan was Detected] [Priority: 1]
04/11-14:42:46.152985 00:05:00:00:00:00 -> 00:00:00:05:00:01 type:0x800 len:0x222
10.20.30.40:59406 -> 106.120.151.145:80 TCP TTL:52 TOS:0x0 ID:53190 IpLen:20 DgmLen:532 DF
***A**** Seq: 0xBA0195C4 Ack: 0xBB15F92D Win: 0x3E00 TcpLen: 20
[Xref => http://doc.emergingthreats.net/2008500]
All events start with `[**]`. I have props.conf configured as follows, where snort_alert_full is the sourcetype, but that doesn't fix my issue:
[snort_alert_full]
BREAK_ONLY_BEFORE = [**]
Thanks in advance
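One thing worth checking in the props.conf above: in a regular expression `[**]` is a character class that matches a single `*` character anywhere in the line, not the literal four-character marker, so the Snort record delimiter has to be written `\[\*\*\]`. The following is an added Python example (not Splunk's code and not from the original post) that approximates how BREAK_ONLY_BEFORE merges lines into events, runs both regexes over a constructed copy of the Snort full-alert layout shown in the question, and then parses the resulting events into fields. Assumptions: the match is unanchored (tested anywhere in the line), a matching line starts a new event, and blank lines between alerts are dropped.

```python
import re

# Constructed sample: two Snort "full" alerts in the layout quoted in the question.
SNORT_LOG = """\
[**] [1:2008500:6] ET MALWARE Sogoul.com Spyware User-Agent (SogouIMEMiniSetup) [**]
[Classification: A Network Trojan was Detected] [Priority: 1]
04/11-14:42:46.152985 00:05:00:00:00:00 -> 00:00:00:05:00:01 type:0x800 len:0x222
10.20.30.40:59406 -> 106.120.151.145:80 TCP TTL:52 TOS:0x0 ID:53190 IpLen:20 DgmLen:532 DF
***A**** Seq: 0xBA0195C4 Ack: 0xBB15F92D Win: 0x3E00 TcpLen: 20
[Xref => http://doc.emergingthreats.net/2008500]

[**] [1:2008500:6] ET MALWARE Sogoul.com Spyware User-Agent (SogouIMEMiniSetup) [**]
[Classification: A Network Trojan was Detected] [Priority: 1]
04/11-14:42:47.001234 00:05:00:00:00:00 -> 00:00:00:05:00:01 type:0x800 len:0x222
10.20.30.40:59407 -> 106.120.151.145:80 TCP TTL:52 TOS:0x0 ID:53191 IpLen:20 DgmLen:532 DF
***A**** Seq: 0xBA0195C5 Ack: 0xBB15F92E Win: 0x3E00 TcpLen: 20
[Xref => http://doc.emergingthreats.net/2008500]
"""

# The two candidate settings: the one from the question and the escaped form.
BROKEN_BREAK_REGEX = r"[**]"      # character class: matches any line containing '*'
CORRECT_BREAK_REGEX = r"\[\*\*\]"  # literal "[**]" marker


def break_events(text, break_only_before):
    """Approximate Splunk's BREAK_ONLY_BEFORE (assumption: unanchored search).

    A line that matches the regex begins a new event; all following
    non-matching lines are merged into that event.
    """
    pattern = re.compile(break_only_before)
    events, current = [], []
    for line in text.splitlines():
        if not line.strip():
            continue  # blank separator lines between Snort alerts carry no data
        if pattern.search(line) and current:
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


# Field extraction for a correctly broken Snort full-alert event.
ALERT_HEADER = re.compile(
    r"^\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]$"
)
PRIORITY = re.compile(r"\[Priority: (?P<priority>\d+)\]")
FLOW = re.compile(
    r"^(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)"
)


def parse_alert(event):
    """Return the signature and flow fields of one event, or None if the event
    does not begin with the "[**]" header line (i.e. it was mis-broken)."""
    lines = event.splitlines()
    header = ALERT_HEADER.match(lines[0])
    if not header:
        return None
    fields = {
        "gid": int(header["gid"]),
        "sid": int(header["sid"]),
        "rev": int(header["rev"]),
        "msg": header["msg"],
    }
    for line in lines[1:]:
        prio = PRIORITY.search(line)
        if prio:
            fields["priority"] = int(prio["priority"])
        flow = FLOW.match(line)
        if flow:
            fields["src"] = flow["src"]
            fields["sport"] = int(flow["sport"])
            fields["dst"] = flow["dst"]
            fields["dport"] = int(flow["dport"])
            fields["proto"] = flow["proto"]
    return fields


if __name__ == "__main__":
    for regex in (BROKEN_BREAK_REGEX, CORRECT_BREAK_REGEX):
        events = break_events(SNORT_LOG, regex)
        print(f"BREAK_ONLY_BEFORE = {regex}: {len(events)} events")
        for ev in events:
            print("  first line:", ev.splitlines()[0][:40], "->", parse_alert(ev))
```

With the unescaped class, the `***A**** Seq:` line also matches and each alert is cut in half; with `\[\*\*\]` every event begins at the header line and the parser recovers sid, priority and the source/destination pair. Note also that line-breaking settings only take effect at the parsing tier (indexer or heavy forwarder), so a props.conf stanza placed only on a search head or universal forwarder will not change how events are split.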