CEF parsing issue on first extension key name #331
Closed
Hello Rainer,
Could you please consider merging this PR? All CEF logs I've seen so far do not have a space before the first extension key. Also, I could not find a spec stating that there MUST be a space between the last '|' of the header part and the first extension key name, though leading spaces are okay.
Sample log:
CEF:0|FORCEPOINT|Firewall|1.2.3|1234|FW_Related-Connection|0|in=0 out=52 app=TCP/12345 rt=Jan 30 2020 04:47:01 deviceFacility=Packet Filtering act=Allow deviceInboundInterface=0,0 proto=6 dpt=12345 spt=12 dst=1.2.3.4 src=4.3.2.1 dvchost=9.8.7.6 dvc=9.8.7.6 deviceExternalId=FW-ACME node 1 cs1Label=RuleID cs1=2100123.1 cs2Label=NatRuleId cs2=8123.3
This patch breaks a test, although I reckon this test case should be invalid.
Regards,
Julien
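As an added example (not code from this PR or from the project under discussion), a small Python CEF parser that treats the extension as everything after the seventh unescaped '|', so the first key is parsed identically with or without a leading space. The sample line is the one quoted in the comment above; function names and the escape handling (`\|`, `\=`, `\\`, `\n`, `\r`) are my own reading of the CEF format, not the project's code.

```python
import re
# Constructed from the sample log quoted in the PR comment (no space after
# the seventh '|', which is the case the patch is about).
SAMPLE = ("CEF:0|FORCEPOINT|Firewall|1.2.3|1234|FW_Related-Connection|0|"
          "in=0 out=52 app=TCP/12345 rt=Jan 30 2020 04:47:01 "
          "deviceFacility=Packet Filtering act=Allow deviceInboundInterface=0,0 "
          "proto=6 dpt=12345 spt=12 dst=1.2.3.4 src=4.3.2.1 dvchost=9.8.7.6 "
          "dvc=9.8.7.6 deviceExternalId=FW-ACME node 1 cs1Label=RuleID "
          "cs1=2100123.1 cs2Label=NatRuleId cs2=8123.3")

# An extension key is a run of [A-Za-z0-9_.-] preceded by start-of-string or
# whitespace and followed by '='. A value runs up to the next such key token,
# so spaces inside values ("rt=Jan 30 2020 ...") survive; a literal '=' in a
# value must be escaped as '\=' per the CEF format.
_KEY = re.compile(r'(?:^|\s)([A-Za-z0-9_.\-]+)=')
_CTRL = {'n': '\n', 'r': '\r'}

def _unescape(text):
    # Resolve CEF backslash escapes: \| \= \\ \n \r
    return re.sub(r'\\(.)', lambda m: _CTRL.get(m.group(1), m.group(1)), text)

def _split_header(line):
    """Return the seven header fields and the raw extension remainder.
    Fields are delimited by unescaped '|'; the extension is whatever follows
    the seventh delimiter, whether or not it begins with whitespace."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == '\\' and i + 1 < len(line):      # keep escape pair intact
            cur.append(line[i:i + 2]); i += 2
        elif ch == '|':
            fields.append(_unescape(''.join(cur))); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(fields) != 7 or not fields[0].startswith('CEF:'):
        raise ValueError('malformed CEF header: %r' % line[:40])
    return fields, line[i:]

def parse_cef(line):
    """Parse one CEF line into a dict of header fields plus 'extensions'."""
    header, ext = _split_header(line)
    names = ('version', 'vendor', 'product', 'device_version',
             'signature_id', 'name', 'severity')
    record = dict(zip(names, header))
    record['version'] = record['version'][len('CEF:'):]
    hits = list(_KEY.finditer(ext))
    extensions = {}
    for n, m in enumerate(hits):
        end = hits[n + 1].start() if n + 1 < len(hits) else len(ext)
        extensions[m.group(1)] = _unescape(ext[m.end():end].strip())
    record['extensions'] = extensions
    return record
```

Because the key regex anchors on start-of-string or whitespace rather than requiring a space after the seventh pipe, a line with leading spaces before the first key parses to the same record as the sample.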