corelight / cve-2021-44228

Log4j Exploit Detection Logic for Zeek
BSD 3-Clause "New" or "Revised" License

log4j.log field naming considerations #38

Open dwdixon opened 2 years ago

dwdixon commented 2 years ago

This is probably not a huge deal, however, I just wanted to comment that the field names target_host and target_port in the log4j.log at first blush seem a bit misleading/confusing, but maybe I'm just being a bit pedantic? : ) My thoughts are essentially that these fields would perhaps be more aptly named something like payload_host/payload_port or callback_host/callback_port? Using the term target_ is a bit misleading in that the target is IMHO more intuitively the systems on our local networks being targeted for exploitation rather than the attacker callback/payload host and port serving up the next stage of the exploit chain which is what the log4j.log is parsing out and tracking as far as I understand it.

I'm not sure if it's maybe slightly counterproductive to change these field names now as it may cause some minor headaches for people already using the fields with SIEM queries but it might be worth it in the long run...anyhow...something to consider, thanks for the amazing work on this package, the recent enhancements are really awesome and super valuable! If this isn't worthwhile feel free to close this out, you won't hurt my feelings : )

ynadji commented 2 years ago

Totally agree with you @dwdixon, and the minor headaches you mentioned are largely why I haven't changed the fields to more sensible names yet. I'm definitely a bit disappointed in past @ynadji, but he was tired at the time I think ;). I'm glad the package has been useful for you! I'll ask around in the Zeek Slack to see if there's an idiomatic way to do this so we can have better names while minimizing problems for other folks.