I am new to splunk and have been trying to set up my first transforms but I am having some issues. I was hoping to get some help.
Here is the scenario:
Given this data:
Time: 05/09-16:32:33.470574 event_ref: 0 22.1.11.254 -> 17.96.40.171 (portscan) TCP Portsweep Priority Count: 3 Connection Count: 9 IP Count: 12 Scanned IP Range: 17.158.28.47:204.0.4.104 Port/Proto Count: 9 Port/Proto Range: 80:12350
And this transforms.conf
[snortPSVarious] REGEX=(?m)(d+.d+.d+.d+)(s+)(->s+)(d+.d+.d+.d+s+)(.*R) FORMAT=snortps_src_ip::$1 snortps_dir::$3 snortps_dst_ip::$4 snortps_type::$5
Problem: No matter what I try the snortps_type won't return "(portscan) TCP Portsweep". It actually matches (in Splunk) the rest of the string. Oddly enough, when I test this SAME regex at:
I would attach a screen shot but apparently I don't have enough "karma". ;)
Any thoughts out there?
Best, -Roberto