How to Parse Snort IDS Logs in Graylog

Here is the rule that I used in the video:

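// Extracts the structured fields of a Snort alert line stored in
// $message.message and tags the message with snort_alert = true.
//
// The map returned by regex() is keyed by 0-based capture-group index:
// m["0"] is the first capture group of the pattern, m["1"] the second, and so on.
//
// NOTE(review): the pattern as published on this page contains 13 capture groups,
// but the set_field() calls below read up to m["13"] (a 14th group) and treat
// m["3"] as the free-text rule description that Snort prints between the
// "[gid:sid:rev]" tuple and "[Classification: ...]". The pattern here starts
// with "\(" and contains "\ \[Classification", which looks like the "[" / "]"
// around that tuple and the description group were lost when the rule was
// pasted. Compare against the rule shown in the video before deploying, or the
// description, classification, priority and port fields will be off by one.
//
// NOTE(review): the pattern is written in a double-quoted string; depending on
// the Graylog version, backslashes in double-quoted strings may need doubling
// (or the pattern moved into a single-quoted raw string). Confirm on a sample
// alert line before relying on the extracted fields.
rule "Extract Snort alert fields"
when
  // Only run when the line actually matches. Without this guard every message
  // that has a "message" field would be tagged snort_alert = true and all the
  // extracted fields would be null, which pollutes dashboards and alert
  // conditions keyed on snort_alert.
  has_field("message") &&
  regex("\(\d+):(\d+):(\d+)\ \[Classification: (.+?)\] \[Priority: (\d+)]: \<(.+?)\> \{(.+?)\} (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:(\d{1,5}))? -> (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:(\d{1,5}))?\R?", to_string($message.message)).matches == true
then
  let m = regex("\(\d+):(\d+):(\d+)\ \[Classification: (.+?)\] \[Priority: (\d+)]: \<(.+?)\> \{(.+?)\} (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:(\d{1,5}))? -> (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:(\d{1,5}))?\R?", to_string($message.message));

  // Marker field for streams, dashboards and alert conditions.
  set_field("snort_alert", true);

  // Snort rule identity: generator id, signature id, signature revision.
  set_field("generator_id", m["0"]);
  set_field("signature_id", m["1"]);
  set_field("signature_revision_id", m["2"]);

  // Human-readable rule description and the bracketed metadata.
  set_field("description", m["3"]);
  set_field("classification", m["4"]);
  set_field("priority", to_long(m["5"]));
  // m["6"] is the capture interface ("<eth0>"), intentionally not stored.
  set_field("protocol", m["7"]);

  // Source endpoint. The ":port" suffix is optional in the pattern; for
  // port-less protocols (e.g. ICMP) the port group is absent and to_long()
  // falls back to its default, so a src_port of 0 means "no port", not port 0.
  set_field("src_addr", m["8"]);
  set_field("src_port", to_long(m["10"]));

  // Destination endpoint, same optional-port caveat as above.
  set_field("dst_addr", m["11"]);
  set_field("dst_port", to_long(m["13"]));
end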