
GROK GROK WHO'S THERE?

What is a GROK Anyway?

Grok is a way to match a line against a regular expression that is assembled from named, reusable sub-patterns, map specific parts of the line into dedicated fields, and perform actions based on that mapping.


Getting Started with GROK

Take the example log message below and slap it into a grok debugger such as https://grokdebugger.com/

GROK makes turning logs into fields a breeze. With the example log message we can grab the IPs and ports with a few keystrokes.


Example Log

160,,,1483581762,ixl0,match,pass,in,4,0x0,,128,52842,0,DF,6,tcp,52,99.100.101.102,45.131.194.52,52045,5219,0,S,176942184,,64240,,mss;nop;wscale;nop;nop;sackOK

In this example log, assume:

- Source IP: 99.100.101.102
- Destination IP: 45.131.194.52
- Source Port: 52045
- Destination Port: 5219


Grok ships with a large library of built-in patterns, and their names are case-sensitive (the IPv4 address pattern is IPV4, not IPv4). We are going to use %{IPV4} and %{INT}, each followed by a colon and the field name we want the match stored in (the %{PATTERN:field} form), to grab the source IP, destination IP, source port and destination port.
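To make the mapping concrete, here is a small stand-alone grok engine in Python, added for this page (it is not the CTF platform's code and not the pipeline rule you are asked to write). It expands %{PATTERN:field} tokens into a regex with named groups using a handful of the stock pattern definitions, applies it to the example log line above, and shows two ways of using it: a pattern that grabs only the four fields we care about, and one that names every column up to the ports. The column names before the addresses (rule number, tracker, interface, and so on) follow the pfSense filterlog field order and are chosen here; the GROK_PATTERNS table is a deliberately small subset of the real library.

```python
from __future__ import annotations

import re

# Subset of the stock grok pattern library, following the Logstash/Graylog base
# definitions. Only the names used below are included (the real library has
# hundreds); this is an assumption of the example, not the CTF platform's code.
GROK_PATTERNS = {
    "INT": r"(?:[+-]?(?:[0-9]+))",
    "WORD": r"\b\w+\b",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "IPV4": (
        r"(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.]"
        r"(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.]"
        r"(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.]"
        r"(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9])"
    ),
}

# Grok token forms: %{SYNTAX}, %{SYNTAX:field}, %{SYNTAX:field:int|float}
GROK_TOKEN = re.compile(r"%\{(\w+)(?::(\w+))?(?::(int|float))?\}")


def grok_to_regex(pattern: str) -> tuple[str, dict[str, str]]:
    """Expand grok tokens into a Python regex with named capture groups.

    Returns (regex source, {field: requested type}). Library patterns may
    themselves contain %{...} tokens, so expansion recurses.
    """
    types: dict[str, str] = {}

    def expand(m: re.Match) -> str:
        name, field, typ = m.group(1), m.group(2), m.group(3)
        if name not in GROK_PATTERNS:
            raise KeyError(f"unknown grok pattern %{{{name}}}")
        inner, inner_types = grok_to_regex(GROK_PATTERNS[name])
        types.update(inner_types)
        if field is None:
            return f"(?:{inner})"  # matched but not captured into a field
        if typ:
            types[field] = typ
        return f"(?P<{field}>{inner})"

    return GROK_TOKEN.sub(expand, pattern), types


def grok_match(pattern: str, line: str) -> dict | None:
    """Run a grok pattern over one log line and return its fields.

    The regex is searched for, not anchored: add ^ and $ to the pattern if
    the whole line has to match. Returns None when the line does not match.
    """
    regex, types = grok_to_regex(pattern)
    m = re.search(regex, line)
    if m is None:
        return None
    fields: dict = {}
    for name, value in m.groupdict().items():
        if value is None:
            continue  # optional group that did not participate
        if types.get(name) == "int":
            value = int(value)
        elif types.get(name) == "float":
            value = float(value)
        fields[name] = value
    return fields


# The page's example log line: a pfSense filterlog entry for an IPv4 TCP packet.
EXAMPLE_LOG = (
    "160,,,1483581762,ixl0,match,pass,in,4,0x0,,128,52842,0,DF,6,tcp,52,"
    "99.100.101.102,45.131.194.52,52045,5219,0,S,176942184,,64240,,"
    "mss;nop;wscale;nop;nop;sackOK"
)

# Constructed for the negative case: the same line cut off before the ports.
TRUNCATED_LOG = EXAMPLE_LOG.split(",52045,")[0]

# Just the four fields the page asks for. %{INT:...:int} converts to a number.
IPS_AND_PORTS_PATTERN = (
    "%{IPV4:src_ip},%{IPV4:dst_ip},%{INT:src_port:int},%{INT:dst_port:int}"
)

# Same extraction, but naming every CSV column up to the ports so the
# filterlog layout is visible. Column names follow pfSense's filterlog field
# order and are chosen here; they are not the names the CTF rule uses.
PFSENSE_IPV4_PATTERN = (
    "^%{INT:rule_number},%{DATA:sub_rule},%{DATA:anchor},%{INT:tracker},"
    "%{WORD:interface},%{WORD:reason},%{WORD:action},%{WORD:direction},"
    "%{INT:ip_version},%{DATA:tos},%{DATA:ecn},%{INT:ttl},%{INT:id},"
    "%{INT:offset},%{DATA:flags},%{INT:proto_id},%{WORD:proto},%{INT:length},"
    "%{IPV4:src_ip},%{IPV4:dst_ip},%{INT:src_port:int},%{INT:dst_port:int}"
)

if __name__ == "__main__":
    for field, value in grok_match(PFSENSE_IPV4_PATTERN, EXAMPLE_LOG).items():
        print(f"{field:12} {value!r}")
    print(grok_match(IPS_AND_PORTS_PATTERN, TRUNCATED_LOG))  # None: no ports left to match
```

Run it as a script to print the fields. Two things the debugger tends to hide: %{INT:src_port} gives you the string "52045" unless you add :int, and a pattern written for the IPv4 TCP layout simply returns no match on a line of a different shape (here, the example line cut off before the ports), so a pipeline rule should check that the grok matched before it sets fields on the message.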


Cool, Now What?

Now we make log magic. Create a pipeline rule to automatically parse incoming logs on the pfsense stream. Thankfully we've done some of the work for you:

- Navigate to System -> Pipelines -> PFSense and edit the "Parse - PFSense - IPs and Ports" rule.
- Update the rule with your GROK pattern. HINT: the image kinda gives it away...
- Send those logs in again from the Dataset tab!


GO SOLVE SOME CTF FLAGS!
