Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files), Zeek logs and Suricata alerts.
I found this in testing the release of v24.11.0, but I decided it was small enough to not warrant pushing the release as it's being waited on by some partners for some other things.
Here's the repro:

1. set `ZEEK_JSON` to `true` in `./config/zeek.env`
2. configure Zeek intelligence to pull from a Mandiant feed
3. generate traffic that would generate `intel.log` entries
4. look at the `sources` field and you'll see something like `Mandiant|https://whatever...`

I think the issue is the split on the `|` in the `intel.log` parsing code probably doesn't work on an array, which is what `sources` already is. We need to rewrite it in ruby probably, to split the individual entries whether they're in an array already or not.
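As an added illustration of the "split whether it's already an array or not" approach (example code, not Malcolm's own Logstash filter), the Ruby below normalizes a `sources` value that may arrive as a single `|`-joined string or as an array whose elements still contain `|`. The `normalize_intel_event` helper and the `'sources'` field path are assumptions for the example; the sample event is constructed.

```ruby
# Added example, not Malcolm's own code: turn a Zeek intel.log "sources"
# value into a flat array of individual source names. Handles a plain
# "a|b" string, an array whose elements are still "a|b" (the case in the
# issue), and a missing field.
def split_intel_sources(value)
  return [] if value.nil?
  # Array() wraps a scalar so both shapes go through the same code path;
  # flat_map then splits every element on "|" and flattens the result.
  Array(value).flat_map do |entry|
    entry.to_s.split('|').map(&:strip).reject(&:empty?)
  end.uniq
end

# Stand-in for what a Logstash ruby filter would do with event.get/event.set.
# A Hash is used in place of the Logstash event object; the field name
# 'sources' is an assumption for illustration.
def normalize_intel_event(event, field = 'sources')
  event = event.dup
  event[field] = split_intel_sources(event[field])
  event
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: array form where the "|" split never ran on the elements.
  sample = { 'ts' => 1700000000.0,
             'sources' => ['Mandiant|https://whatever...', 'other-feed'] }
  p normalize_intel_event(sample)['sources']
  # => ["Mandiant", "https://whatever...", "other-feed"]
end
```

Inside a real Logstash `ruby { code => "..." }` block the same function would be fed by `event.get` and written back with `event.set`; keeping the split logic in a pure function makes it easy to unit test both input shapes outside Logstash.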