Dev #345
…ce separation between key/value instances
Allows setting custom separator and assignator characters. When both are defined, the parser will simply try to match assignator and separator in turn; otherwise, legacy checks (key name validation, etc.) will occur.
…ng to a JSON Object
Improve casting
…TING
- new parameter 'separator': defines a custom character to look for between key/value pairs (replaces whitespace when defined)
- new parameter 'assignator': defines a custom character to look for between key and value (replaces '=' when defined, but DISABLES key name validation)
- add support for (simple and double) quoting in values
- add support for escaped characters in values
…lue is not valid - to allow parsing rest of line
As of today, Checkpoint logs do not necessarily provide a semicolon between the last key:value pair and the terminator. This causes the parse to fail with current behavior.
FIX CHECKPOINT-LEA: ';' NOT NEEDED AFTER LAST VALUE
- Empty value at the end of the line results in failure of the parsing
- \/ in values results in failure of the parsing

- Expected outcome: When the last value is empty, the cursor should stop at the equal sign.
- Problem encountered: When the last value is empty, the cursor increases (+2): i > npb->strlen
- Fix: Initialized the length of the value to 0: lenValue = 0. If the cursor has not reached the end of the line, we parse the value. Otherwise, we know that our value is empty, its length is thus 0.
Current behavior: When extracting the headers, cefGetHdrField already skips the pipes. But just after, the cursor is incremented by one again (++i). This truncates the first letter of the first variable name.
Fix: Removed the increment of the cursor after the header's extraction.
Current behavior: The escaped slash is not translated to a simple slash.
Expected behavior: Escaped slashes should be replaced by a slash. This behavior matches how the escaped equal sign is replaced.
Fix: Added a case to the switch which handles the escaped chars.
FIX CEF PARSER

Currently, the CEF parser fails for two reasons:
- When it encounters an escaped slash ( \/ ) in the middle of a value
- When the last value is empty

This is particularly problematic for us as we have a lot of data in this format to parse.

Behavior:

Log
```
CEF:0|nxlog.org|nxlog|2.7.1243|Executable Code was Detected|Advanced exploit detected|100|path=Some\/Path spt=46117 dst=172.25.212.204 dpt=
```

Rulebase
```
version=2
rule=%.:cef%
```

Expected behavior
```json
{
  "DeviceVendor": "nxlog.org",
  "DeviceProduct": "nxlog",
  "DeviceVersion": "2.7.1243",
  "SignatureID": "Executable Code was Detected",
  "Name": "Advanced exploit detected",
  "Severity": "100",
  "Extensions": {
    "path": "Some/Path",
    "spt": "46117",
    "dst": "172.25.212.204",
    "dpt": ""
  }
}
```

Current behavior
```json
{
  "originalmsg": "CEF:0|nxlog.org|nxlog|2.7.1243|Executable Code was Detected|Advanced exploit detected|100|path=Some\\/Path spt=46117 dst=172.25.212.204 dpt=",
  "unparsed-data": "CEF:0|nxlog.org|nxlog|2.7.1243|Executable Code was Detected|Advanced exploit detected|100|path=Some\\/Path spt=46117 dst=172.25.212.204 dpt="
}
```
@jjourdin I think it would make sense to squash the commits into a few as many of them look like in-the-process-local-fixes and clutter the commit history

I will also need to check if CI has some defects - may very well be! In any case, thx for the PR!

sry, accidentally set PR to draft - have reverted
This PR concentrates 4 different features/bug fixes, that I opened in separate PRs (or were already open):

I think it would be simpler for anyone to try and integrate each of these PRs instead of this monolithic one

wouldn't it be possible to split them up in one commit per fix/feature?

I think this PR is now obsolete in favor of the 4 others, I will check the squash in the oldest ones but I think every PR ought to be correctly squashed

ah! sry, I hadn't noticed all of them -- that of course makes sense. Feel free to close this one here whenever ready!

mmmhhh - I only see two - am I lost? ;-)
…te, separator, backslash)
### Fixed
- [NAME-VALUE-LIST] Fix parsing of escaped characters (double-quote, separator, backslash)

### Added
- [NAME-VALUE-LIST] Add test for quoted values and escaped characters
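To make the parser behaviours these commits describe concrete, here is a small self-contained C key/value-list parser. It is an illustration added to this page, not code from liblognorm or from this PR. It implements the name-value-list ideas above (a configurable separator and assignator, single/double quoting, backslash escapes) and applies them to the extension part of the CEF line quoted in the commit message above (an escaped `\/` inside a value, an empty last value, no separator required after the last pair). The function names (`parse_kv_list`, `kv_lookup`, `kv_count`, `kv_value_is`) and the two non-CEF sample inputs are constructed for this example; the CEF header fields before the extensions are not parsed here.

```c
/* Added example, not liblognorm code: a key/value list parser with a
 * configurable separator and assignator, quoting and backslash escapes. */
#include <stdio.h>
#include <string.h>

#define MAX_PAIRS 16
#define MAX_LEN 128

typedef struct {
    char key[MAX_LEN];
    char val[MAX_LEN];
} kv_pair;

/* Parse "key<assign>value<sep>key<assign>value..." into out[].
 * - a value may be "double" or 'single' quoted; inside quotes sep is literal
 * - a backslash takes the next character literally (\/ -> /, \= -> =,
 *   \" -> ", \\ -> \)
 * - an empty value at the end of the input ("dpt=") is accepted, and so is
 *   a missing trailing separator
 * Returns the number of pairs, or -1 when a key has no assignator.
 * As with the custom 'assignator' option, no key name validation is done. */
int parse_kv_list(const char *s, char sep, char assign, kv_pair *out, int max)
{
    int n = 0;
    const char *p = s;

    for (;;) {
        while (*p == sep)            /* tolerate repeated separators */
            p++;
        if (*p == '\0')
            break;
        if (n >= max)
            return -1;

        /* key runs up to the assignator; a separator inside a key is an error */
        int k = 0;
        while (*p != '\0' && *p != assign && *p != sep) {
            if (k >= MAX_LEN - 1)
                return -1;
            out[n].key[k++] = *p++;
        }
        out[n].key[k] = '\0';
        if (k == 0 || *p != assign)
            return -1;
        p++; /* skip the assignator */

        /* value: optional quoting, escapes honoured, may be empty */
        int v = 0;
        char quote = 0;
        if (*p == '"' || *p == '\'')
            quote = *p++;
        while (*p != '\0') {
            if (quote == 0 && *p == sep)
                break;                         /* unquoted value ends at sep */
            if (quote != 0 && *p == quote) {
                p++;                           /* consume closing quote */
                if (*p != '\0' && *p != sep)
                    return -1;                 /* junk after closing quote */
                break;
            }
            if (*p == '\\' && p[1] != '\0')
                p++;                           /* copy escaped char literally */
            if (v >= MAX_LEN - 1)
                return -1;
            out[n].val[v++] = *p++;
        }
        out[n].val[v] = '\0';
        n++;
        /* the trailing separator after the last pair is optional */
    }
    return n;
}

/* Return the value stored for key, or NULL when the key is absent. */
const char *kv_lookup(const kv_pair *kv, int n, const char *key)
{
    for (int i = 0; i < n; i++)
        if (strcmp(kv[i].key, key) == 0)
            return kv[i].val;
    return NULL;
}

/* Convenience wrappers: number of pairs, and "does key hold expect?" */
int kv_count(const char *s, char sep, char assign)
{
    kv_pair kv[MAX_PAIRS];
    return parse_kv_list(s, sep, assign, kv, MAX_PAIRS);
}

int kv_value_is(const char *s, char sep, char assign, const char *key, const char *expect)
{
    kv_pair kv[MAX_PAIRS];
    int n = parse_kv_list(s, sep, assign, kv, MAX_PAIRS);
    const char *v = (n < 0) ? NULL : kv_lookup(kv, n, key);
    return v != NULL && strcmp(v, expect) == 0;
}

/* Extension part of the CEF line from the commit message above. */
static const char *CEF_EXT = "path=Some\\/Path spt=46117 dst=172.25.212.204 dpt=";
/* Constructed sample inputs: ';'-separated list without a trailing ';',
 * and quoted values with escaped quote and backslash. */
static const char *SEMI_LIST = "src=10.0.0.1;dst=10.0.0.2;action=accept";
static const char *QUOTED = "user=\"Jane Doe\" msg='said \\'hi\\'' path=C:\\\\tmp";

int main(void)
{
    kv_pair kv[MAX_PAIRS];
    int n = parse_kv_list(CEF_EXT, ' ', '=', kv, MAX_PAIRS);
    for (int i = 0; i < n; i++)
        printf("%s -> \"%s\"\n", kv[i].key, kv[i].val);   /* dpt -> "" */
    return n < 0;
}
```

The escape handling is what turns `Some\/Path` into `Some/Path`, and the loop structure is what makes `dpt=` at the very end yield an empty value instead of running past the end of the buffer, the two failure modes the CEF commit describes; the separator/assignator parameters cover the name-value-list and missing-trailing-`;` cases.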
Job's done, thank you