LetMeR00t / TA-thehive-cortex

Technical add-on for Splunk related to TheHive/Cortex from TheHive project
GNU Lesser General Public License v3.0

[BUG] |sendalert newline sequence replacing #34

Closed Bamfax closed 1 year ago

Bamfax commented 2 years ago

Request Type

Bug

Work Environment

| Question | Answer |
|-|-|
| OS version (server) | Linux |
| TheHive version / git hash | Splunkbase release Version 2.2.1 |

Problem Description

The modalert |sendalert is replacing the line-break sequences \r and \n in such a fashion that it is difficult to get these characters across unmodified. Desired would be an implementation that allows these sequences to be passed through, so they can be represented in an alert in TheHive as they appeared originally, specifically here within the alert description field.

Seems to be line 279 in master/TA-thehive-cortex/bin/ta_thehive_cortex/modalert_thehive_create_a_new_alert_helper.py:

alert_args["description"] = helper.get_param("description").replace("\\n","\n").replace("\\r","\r") if helper.get_param("description") else "No description provided"

Steps to Reproduce

| makeresults count=1
| eval _time = now()
| streamstats count as id
| eval case_template = "case_template"
| eval alert_title = "test_case_01"
| eval desc = 
"01: c:\path\regedit.exe
02: c:\\path\\regedit.exe
03: c:\\\path\\\regedit.exe
04: fore \\ aft
05: fore \\\\ aft
06: fore \r aft
07: fore \\r aft
08: fore \\\r aft
09: fore \\\\r aft
"
| eval uniqueid = md5(tostring(random()))
| table  case_template, _time, alert_title, obs_*, desc, id, uniqueid
| sendalert thehive_create_a_new_alert param.thehive_instance_id=123 param.alert_mode="es_mode" param.unique_id_field="" param.case_template="$result.case_template$" param.type="alert" param.source="splunk-oko" param.timestamp_field="" param.title="$result.alert_title$" param.description="$result.desc$" param.tags="tag1,tag2" param.scope=1 param.severity=2 param.tlp=2 param.pap=2

Possible Solutions

Could potentially be solved by removing the replacing completely or by introducing a different escaping.

TheHive_sendalert_replacing
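To illustrate why the unconditional replace() on line 279 corrupts descriptions, here is an added Python example (not the add-on's own code): the naive replacement beside an escape-aware decoder that treats a doubled backslash as one literal backslash, plus the producer-side doubling a search would have to apply. Function names and the sample path are constructed for this example.

```python
# Behaviour reported in the issue, reproduced for comparison: every two-character
# sequence "\n" / "\r" becomes a control character, even inside a Windows path.
def unescape_naive(text: str) -> str:
    return text.replace("\\n", "\n").replace("\\r", "\r")


# Escape-aware alternative (hypothetical, not the add-on's implementation):
# scan left to right so "\\" yields one literal backslash and is never
# re-interpreted, "\n" / "\r" / "\t" become control characters, and any
# other sequence (e.g. "\p") is kept verbatim.
_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "\\": "\\"}


def unescape_safe(text: str) -> str:
    out = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text) and text[i + 1] in _ESCAPES:
            out.append(_ESCAPES[text[i + 1]])
            i += 2
            continue
        out.append(ch)  # ordinary character, or a lone/unknown backslash
        i += 1
    return "".join(out)


def escape_for_transport(text: str) -> str:
    """Producer side (what a Splunk eval would have to do): double every
    backslash so that unescape_safe() returns the original text unchanged."""
    return text.replace("\\", "\\\\")


if __name__ == "__main__":
    # Constructed sample: a path whose components start with "n" and "r".
    path = r"c:\network\rundll32.exe"
    print(repr(unescape_naive(path)))                        # newline and CR injected
    print(repr(unescape_safe(escape_for_transport(path))))   # round-trips intact
```

The naive form splits the path across lines in the alert, which is exactly the kind of silent alteration of evidence fields an analyst should not have to second-guess.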

Bamfax commented 1 year ago

How is the replacement currently handled with v2.3.1? Are the newline sequences still replaced?

LetMeR00t commented 1 year ago

Hi, thank you for submitting your issue. No change so far on that. I have to check why we put those replacements in at the time; I don’t remember if it’s just a matter of data visibility in the tool or any other reason.

Bamfax commented 1 year ago

Hi, thanks a lot for checking. I had looked but could not find the former replace() line in v2.3.1 right away. Actually the question should be "how could I get a backslash across into an alert description (thinking of e.g. file paths, "domain\account", ...)?". If there is some other way to prepare the description text correctly already in Splunk, like double escaping or encoding backslashes, please let me know.

Bamfax commented 1 year ago

I took another look at it. With v2.3.1 (and Hive5 now) the behavior indeed changed and it looks just fine as it is right now: \r and \n are no longer replaced. This prevents them from getting accidentally replaced in e.g. file paths.

The following code gives the result as below.

| makeresults count=1
| eval _time = now()
| streamstats count as id
| eval case_template = "test"
| eval alert_title = "test_case_06"
| eval desc = 
"01: c:\path\regedit.exe
02: c:\\path\\regedit.exe
03: c:\\\path\\\regedit.exe
04: fore \\ aft
05: fore \\\\ aft
06: fore \r aft
07: fore \\r aft
08: fore \\\r aft
09: fore \\\\r aft
10: give me a new \n line 
11: give me a \r return 
|fld1|fld2|fld3|fld4|fld5|fld6|fld7|fld8|
|-|-|-|-|-|-|-|-|
|val1|val2|val3|val4|val5 \r\n \r \n \\n <br/> \\ vasvasav|val6|val7|val8|
"
| eval uniqueid = md5(tostring(random()))
| table  case_template, _time, alert_title, obs_*, desc, id, uniqueid
| sendalert thehive_create_a_new_alert param.thehive_instance_id="123" param.alert_mode="es_mode" param.unique_id_field="" param.case_template="$result.case_template$" param.type="alert" param.source="splunk_test" param.timestamp_field="" param.title="$result.alert_title$" param.description="$result.desc$" param.tags="tag1,tag2" param.scope=1 param.severity=2 param.tlp=2 param.pap=2

splunk_ta_hive_01

That is quite nice and workable for now. Thanks for updating and for this new behavior. As a series of two or more backslashes gets compacted into a single backslash, it would also be nice to get "usual escaping" on that in the future. But to transport most text, it is good as it is like that.