Can I customize the email subject of SNORT alerts received via Syslog?

Article ID: 349
Category: Network Services
Applies to: 3.3 and later
Updated: 2018-11-07

Yes. An event log filter's insertion string override lets you apply a regular expression to the event text; each capture group of that expression becomes an insertion string ($STR1, $STR2, ...) which the filter's subject override can then reference, so the email subject can show select properties of the Snort alert.

A typical Snort alert, as logged through the Syslog daemon, looks similar to the one shown below (the bracketed hostname and location details after each IP address are not part of Snort's own output):

syslog@firewall.yourcompany.local[auth/security.warning]: May 24 19:20:05 snort[47626]: 119:31:1 DOUBLE DECODING ATTACK [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 73.129.31.7 [x4d0c1f07.dyn.telefonic.de][Yodeltown, Utah, 32110, Pepper Lake Town]:51713 -> 151.101.46.2 [United States, California, 94107, San Francisco]:80

In the filter which matches incoming Snort alerts logged by the Syslog daemon, click the "Advanced" button and then the "Edit" button in the "Insertion String Override" section, and enter the following regular expression. Note that it is written for the form Snort itself emits: the inspector module in parentheses, e.g. (http_inspect), followed by the rule message, and each IP address immediately followed by a colon and the port. If the event text your filter sees has hostname or geolocation lookups inserted between an address and its port, as in the line above, the expression must be adjusted to skip those bracketed fields or it will not match.

.*\[.*\/.*\].*snort\[.*\].*\((.*)\)\s(.*)\s\[(.*)\]\s\[(.*)\]\s\{(.*)\}\s([\d\.]*):(\d*)\s->\s([\d\.]*):(\d*).*

This expression parses the Snort alert into the following insertion strings:

  1. $STR1: Inspector Module (e.g. http_inspect)
  2. $STR2: Rule message (e.g. DOUBLE DECODING ATTACK)
  3. $STR3: Classification, including the "Classification:" label
  4. $STR4: Priority, including the "Priority:" label
  5. $STR5: Protocol (e.g. TCP)
  6. $STR6: Source IP
  7. $STR7: Source Port
  8. $STR8: Destination IP
  9. $STR9: Destination Port

You can then customize the subject to show only select properties, e.g.

ES Snort Alert: $STR1 [$STR2][$STR3]

which produces an email subject like this:

ES Snort Alert: http_inspect [DOUBLE DECODING ATTACK][Classification: Not Suspicious Traffic]

Before relying on the override, verify the expression against an actual Snort event from your sensor: if the expression does not match the event text, there are no capture groups to fill $STR1 through $STR9 with, and the subject will not contain the expected values.
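The following Python script is added here as an illustration; it is not part of this article and not code from the product. It runs the article's expression unchanged against two sample lines, one constructed in the raw form Snort's syslog output uses and one being the annotated line shown above, and then applies a hardened variant with the same nine capture groups that also tolerates a missing module tag and the bracketed hostname/geolocation annotations between an address and its port. Python's re module stands in for the product's regular expression engine, which may differ in details; the sample lines, the $STR expansion logic and the empty-string fallback for groups that did not participate are assumptions of the example.

```python
import re

# Constructed sample input (not captured from a real sensor). This line is in the
# raw form Snort's syslog output uses, which the article's expression expects:
# inspector module in parentheses and each address directly followed by ":port".
RAW_ALERT = (
    "syslog@firewall.yourcompany.local[auth/security.warning]: May 24 19:20:05 "
    "snort[47626]: [119:31:1] (http_inspect) DOUBLE DECODING ATTACK "
    "[Classification: Not Suspicious Traffic] [Priority: 3] {TCP} "
    "73.129.31.7:51713 -> 151.101.46.2:80"
)

# The line exactly as printed in the article: no "(module)" tag, and hostname /
# geolocation annotations inserted between each IP address and its port.
ANNOTATED_ALERT = (
    "syslog@firewall.yourcompany.local[auth/security.warning]: May 24 19:20:05 "
    "snort[47626]: 119:31:1 DOUBLE DECODING ATTACK "
    "[Classification: Not Suspicious Traffic] [Priority: 3] {TCP} "
    "73.129.31.7 [x4d0c1f07.dyn.telefonic.de][Yodeltown, Utah, 32110, Pepper Lake Town]:51713 "
    "-> 151.101.46.2 [United States, California, 94107, San Francisco]:80"
)

# The article's expression, verbatim (unescaped [.*\/.*] is a character class,
# which still happens to match because the syslog tag contains a "/").
ARTICLE_RE = re.compile(
    r".*[.*\/.*].*snort\[.*\].*\((.*)\)\s(.*)\s\[(.*)\]\s\[(.*)\]\s\{(.*)\}"
    r"\s([\d\.]*):(\d*)\s->\s([\d\.]*):(\d*).*"
)

# Hardened variant (this example's own) keeping the same nine groups so that
# $STR1..$STR9 keep their meaning: syslog tag brackets escaped, bracketed fields
# matched with [^\]]* instead of greedy .*, "(module)" optional, and any "[...]"
# annotations between an address and its port skipped. IPv4 only.
SNORT_RE = re.compile(
    r"\[[^\]]*/[^\]]*\].*?"            # syslog facility/severity tag
    r"snort\[\d+\]:\s*"                # snort[pid]:
    r"(?:\[?\d+:\d+:\d+\]?\s+)?"       # optional gid:sid:rev, bracketed or not
    r"(?:\(([^)]*)\)\s+)?"             # 1: inspector module, if present
    r"(.*?)\s+"                        # 2: rule message
    r"\[([^\]]*)\]\s+"                 # 3: Classification: ...
    r"\[([^\]]*)\]\s+"                 # 4: Priority: n
    r"\{([^}]*)\}\s+"                  # 5: protocol
    r"(\d{1,3}(?:\.\d{1,3}){3})"       # 6: source IPv4 address
    r"(?:\s*\[[^\]]*\])*"              # skip hostname/geo annotations
    r":(\d+)\s+->\s+"                  # 7: source port
    r"(\d{1,3}(?:\.\d{1,3}){3})"       # 8: destination IPv4 address
    r"(?:\s*\[[^\]]*\])*"              # skip hostname/geo annotations
    r":(\d+)"                          # 9: destination port
)


def parse_snort_alert(line):
    """Return {"STR1": ..., "STR9": ...} for a matching line, else None.

    A group that did not participate (e.g. no module tag) becomes "": that is
    this example's choice, not necessarily what the product does.
    """
    m = SNORT_RE.search(line)
    if m is None:
        return None
    return {f"STR{i}": m.group(i) or "" for i in range(1, 10)}


def render_subject(template, fields):
    """Expand $STRn placeholders in a subject override template (assumed syntax)."""
    return re.sub(r"\$STR(\d+)", lambda m: fields.get("STR" + m.group(1), ""), template)


def subject_for(line, template="ES Snort Alert: $STR1 [$STR2][$STR3]"):
    """Parse one syslog line and build the email subject, or None if no match."""
    fields = parse_snort_alert(line)
    return None if fields is None else render_subject(template, fields)


if __name__ == "__main__":
    for line in (RAW_ALERT, ANNOTATED_ALERT):
        print("article regex matches:", ARTICLE_RE.search(line) is not None)
        print("subject:", subject_for(line))
```

Running it shows the article's expression matching only the raw form, while the hardened variant yields the same $STR values for both lines apart from the module, which is simply absent from the annotated one.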