Closed qclassified closed 4 years ago
All the snort rules should be nested in the snort Object
The reason for this behavior:
Event("...", [Object("snort", "..."), Object("snort", "...")])
So the objects get nested but not the attributes.
They should not nest, because separate objects of the same type might have separate structure and meaning, for example:
    "x_misp_org" : [
        {
            "id" : [
                "CthulhuSPRL.be"
            ],
            "uuid" : [
                "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
            ],
            "name" : [
                "CthulhuSPRL.be"
            ]
        },
        {
            "uuid" : [
                "5ada62b4-d3fc-460a-b786-063a86c50716"
            ],
            "id" : [
                "UNR-Feeds"
            ],
            "name" : [
                "UNR-Feeds"
            ]
        }
    ]
Here the above data clearly highlights two separate organizations with corresponding name and org uuid. If we merged the data like the following:
    "x_misp_org" : [
        {
            "id" : [
                "CthulhuSPRL.be",
                "UNR-Feeds"
            ],
            "uuid" : [
                "55f6ea5f-fd34-43b8-ac1d-40cb950d210f",
                "5ada62b4-d3fc-460a-b786-063a86c50716"
            ],
            "name" : [
                "CthulhuSPRL.be",
                "UNR-Feeds"
            ]
        }
    ],
We lose the structure and hence vital information, like which org uuid belongs to which org, etc.
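
The difference between the two layouts above, as an added example that is not part of the original thread or the project's code: the helper names `build`, `uuids_for_name` and `positional_pairs` are hypothetical. It goes one step beyond the post by also covering a constructed case where one org lacks a `name` attribute, which makes positional recovery from the merged form pair a name with the wrong uuid.

```python
from collections import defaultdict

# The two org objects from the post above, as (type, [(attribute, value), ...]).
ORGS = [
    ("x_misp_org", [("id", "CthulhuSPRL.be"),
                    ("uuid", "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"),
                    ("name", "CthulhuSPRL.be")]),
    ("x_misp_org", [("uuid", "5ada62b4-d3fc-460a-b786-063a86c50716"),
                    ("id", "UNR-Feeds"),
                    ("name", "UNR-Feeds")]),
]
# Constructed variant: the first org has no "name" attribute.
ORGS_SPARSE = [(ORGS[0][0], ORGS[0][1][:2]), ORGS[1]]


def build(objects, merge):
    """merge=False: one entry per object. merge=True: one pooled entry per type."""
    doc = defaultdict(list)
    for obj_type, attrs in objects:
        if merge and doc[obj_type]:
            entry = doc[obj_type][0]      # reuse the single pooled entry
        else:
            entry = {}
            doc[obj_type].append(entry)   # new entry for this object
        for key, value in attrs:
            entry.setdefault(key, []).append(value)
    return dict(doc)


def uuids_for_name(doc, obj_type, name):
    """uuid values of every entry that carries `name`."""
    return [u for e in doc.get(obj_type, [])
            if name in e.get("name", []) for u in e.get("uuid", [])]


def positional_pairs(entry):
    """Best-effort recovery from a merged entry: pair name[i] with uuid[i]."""
    return dict(zip(entry.get("name", []), entry.get("uuid", [])))


if __name__ == "__main__":
    nested, merged = build(ORGS, merge=False), build(ORGS, merge=True)
    print(uuids_for_name(nested, "x_misp_org", "UNR-Feeds"))  # a single uuid
    print(uuids_for_name(merged, "x_misp_org", "UNR-Feeds"))  # both uuids: ambiguous
    sparse = build(ORGS_SPARSE, merge=True)["x_misp_org"][0]
    print(positional_pairs(sparse))  # UNR-Feeds paired with the other org's uuid
```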