Description
Describe the bug
Sometimes, alerts are generated with fields containing non-escaped quotes, invalidating json formatting.
This behaviour has been observed with the Hostlookup filter, but is not limited to this one.
Platform (please complete the following information):
- OS (version): Vulture4 (HBSD 12.2)
- Darwin version: 1.3.1
To Reproduce
Steps to reproduce the behavior:
- Set up a database for a Hostlookup filter, with a result containing escaped quotes (for example "these \\"are\\" quotes")
- Start the Hostlookup filter
- Trigger an alert by sending the corresponding index for the value with quotes
- Look at the alert generated: it should contain the quotes unescaped
Expected behavior
Quotes in fields (at least in alerts) should be safely quoted to avoid breaking JSON formatting
Screenshots/logs
Example of a generated alert with broken formatting (description field):
{"alert_type": "darwin", "alert_subtype": "hostlookup", "alert_time": "2021-02-02T18:44:42Z", "level": "high", "rule_name": "Lookup: public-domain", "tags": [], "entry": "suspicious-domain.org", "score": 100, "evt_id": "8ac22379-994c-462b-9370-1ef6e6bc18d3", "details": {"feed_name": "public-domain", "description": "[ "drop_hosts" ]"}}
Additional context
need to use std::quoted() in all fields with potential quotes
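The following is an added example, not code from the Darwin project or from this issue, showing what the fix has to achieve: every string placed inside the alert JSON must be escaped according to the JSON grammar before it is concatenated into the document. It contrasts a proper JSON escaper with `std::quoted()`, which only backslash-escapes the delimiter and escape characters and leaves raw control characters (a newline, for instance) untouched, and it includes a small structural check that rejects the broken `details` object quoted above while accepting the correctly escaped version. The function names `json_escape`, `json_string`, `std_quoted`, `build_details` and `json_structure_ok` are assumptions chosen for this example; `build_details` mirrors only the `feed_name`/`description` part of the alert.

```cpp
#include <cctype>
#include <cstdio>
#include <cstring>
#include <iomanip>
#include <iostream>
#include <sstream>
#include <string>

// Escape one value for use inside JSON double quotes (RFC 8259 string grammar):
// quotes and backslashes get a backslash, named control characters get their
// short form, every other control character becomes \u00XX.
std::string json_escape(const std::string& in) {
    std::string out;
    out.reserve(in.size() + 8);
    for (unsigned char c : in) {
        switch (c) {
            case '"':  out += "\\\""; break;
            case '\\': out += "\\\\"; break;
            case '\b': out += "\\b";  break;
            case '\f': out += "\\f";  break;
            case '\n': out += "\\n";  break;
            case '\r': out += "\\r";  break;
            case '\t': out += "\\t";  break;
            default:
                if (c < 0x20) {
                    char buf[8];
                    std::snprintf(buf, sizeof buf, "\\u%04x", c);
                    out += buf;
                } else {
                    out += static_cast<char>(c);
                }
        }
    }
    return out;
}

// Escaped value wrapped in the surrounding quotes.
std::string json_string(const std::string& in) {
    return "\"" + json_escape(in) + "\"";
}

// What std::quoted() produces for comparison: it handles '"' and '\\' only.
std::string std_quoted(const std::string& in) {
    std::ostringstream os;
    os << std::quoted(in);
    return os.str();
}

// Hypothetical builder for the "details" object of a hostlookup alert.
std::string build_details(const std::string& feed_name, const std::string& description) {
    return "{\"feed_name\": " + json_string(feed_name) +
           ", \"description\": " + json_string(description) + "}";
}

// Structural sanity check (not a full parser): strings must close, escapes must
// be honoured, brackets must balance, raw control characters may not appear
// inside strings, and outside strings only JSON punctuation, numbers and the
// literals true/false/null may appear. Unescaped quotes leave text outside a
// string, which this check rejects.
bool json_structure_ok(const std::string& s) {
    bool in_str = false, esc = false;
    int depth = 0;
    for (size_t i = 0; i < s.size(); ++i) {
        unsigned char c = static_cast<unsigned char>(s[i]);
        if (in_str) {
            if (esc) esc = false;
            else if (c == '\\') esc = true;
            else if (c == '"') in_str = false;
            else if (c < 0x20) return false;  // raw control character in a string
            continue;
        }
        if (c == '"') { in_str = true; continue; }
        if (c == '{' || c == '[') { ++depth; continue; }
        if (c == '}' || c == ']') { if (--depth < 0) return false; continue; }
        if (std::isspace(c) || c == ':' || c == ',' || std::isdigit(c) ||
            c == '-' || c == '+' || c == '.' || c == 'e' || c == 'E') continue;
        static const char* lits[] = {"true", "false", "null"};
        bool matched = false;
        for (const char* lit : lits) {
            size_t n = std::strlen(lit);
            if (s.compare(i, n, lit) == 0) { i += n - 1; matched = true; break; }
        }
        if (!matched) return false;  // bare text outside a string
    }
    return !in_str && depth == 0;
}

int main() {
    // Constructed input: the description value from the alert in this issue.
    const std::string desc = "[ \"drop_hosts\" ]";
    std::cout << build_details("public-domain", desc) << "\n";
    std::cout << "std::quoted keeps raw newline: "
              << (json_structure_ok(std_quoted("a\nb")) ? "no" : "yes") << "\n";
    return 0;
}
```

The checker is deliberately small; it exists to show that the unescaped `description` from the report is detectably malformed and that escaping at the point where each field is serialised is what prevents it.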