firnsy / barnyard2

Barnyard2 is a dedicated spooler for Snort's unified2 binary output format.
GNU General Public License v2.0

Correct the CEF output #234

Closed ddpbsd closed 1 week ago

ddpbsd commented 6 years ago

The | was missing between the version and the generator id. This causes ArcSight to misread the fields.

redsand commented 5 years ago

I'm not sure the formatting needs to be changed, since many other systems are already normalizing this without the additional |. Is it possible for you to modify your arcsight signature, instead?

ddpbsd commented 5 years ago

Sorry @redsand , I don't understand what you mean. The way the output is currently presented makes ArcSight read the alerts incorrectly. I don't remember the details off hand, but without the | many of the fields contain the wrong data (all the fields are shifted I guess). At a glance, I think the Device Version would also include the SID information. I can try to dig up more information (and I apologize for not including that in the original PR) if necessary. What other products are using the CEF output?
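To make the field shift described above concrete, here is an added example (not code from this PR or from barnyard2) that splits the seven CEF header fields while honouring the `\|` escape, run over two constructed records: one with and one without the pipe between the device version and the gid:sid:rev. The vendor and product strings are placeholders.

```python
# CEF header layout (ArcSight CEF spec): seven pipe-separated header
# fields, then a space-separated key=value extension.
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")


def escape_cef_header(value: str) -> str:
    """Escape a value for use inside a CEF header field."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def split_cef_header(line: str):
    """Return (header_fields, extension) for one CEF record.

    '\\|' and '\\\\' in the header are literals, not separators. Splitting
    stops after the seventh unescaped pipe; the rest is the extension.
    With fewer than seven pipes the tail becomes the last field, which is
    how a missing pipe shifts every later field."""
    fields, buf, i = [], [], 0
    while i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line) and line[i + 1] in "|\\":
            buf.append(line[i + 1])
            i += 2
            continue
        if c == "|":
            fields.append("".join(buf))
            buf = []
            if len(fields) == 7:
                return fields, line[i + 1:]
        else:
            buf.append(c)
        i += 1
    fields.append("".join(buf))
    return fields, ""


def parse_cef(line: str) -> dict:
    """Name the header fields; fields missing from the record are None."""
    fields, extension = split_cef_header(line)
    rec = dict(zip(HEADER_FIELDS, fields + [None] * (7 - len(fields))))
    rec["extension"] = extension
    return rec


# Constructed sample records (not real barnyard2 output): one alert with
# and without the pipe between device version and gid:sid:rev.
FIXED = "CEF:0|ExampleVendor|snort|2.9.x|1:2000:3|TEST rule|3|src=10.0.0.1 dst=10.0.0.2"
BROKEN = "CEF:0|ExampleVendor|snort|2.9.x 1:2000:3|TEST rule|3|src=10.0.0.1 dst=10.0.0.2"
```

On the broken record the Device Version absorbs the gid:sid:rev, the Name lands in Signature ID, and the extension is swallowed as Severity, which is exactly what a SIEM keyed on these positions will display.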

redsand commented 5 years ago

Hawkdefense.com Hawk.io

I'm the author of the plugin.


CyberTaoFlow commented 5 years ago

It seems there was not a missing pipe; instead the classification was not appended to the initial header even though it was defined.
cn = ClassTypeLookupById(barnyard2_conf, ntohl(((Unified2EventCommon *)event)->classification_id));

In my case I resolved this with the patch below:

-        if( SnortSnprintfAppend(cef_message, SYSLOG_BUF, "%lu:%lu:%lu|%s|%d|",
+        if( SnortSnprintfAppend(cef_message, SYSLOG_BUF, "%lu:%lu:%lu|%s|%s|%d|",
                           (unsigned long) ntohl(((Unified2EventCommon *)event)->generator_id),
                           (unsigned long) ntohl(((Unified2EventCommon *)event)->signature_id),
                           (unsigned long) ntohl(((Unified2EventCommon *)event)->signature_revision),
-                          sn == NULL ? "ALERT" : sn->msg, cef_severity) != SNORT_SNPRINTF_SUCCESS )
+                          sn == NULL ? "ALERT" : sn->msg, cn == NULL ? "CLASS" : cn->type, cef_severity) != SNORT_SNPRINTF_SUCCESS )
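Review bot: the strings interpolated into the header on the `+` line, `sn->msg` and `cn->type`, are written unescaped, so a `|` or `\` inside a rule message or classification name would shift the CEF header fields in the same way the missing separator did; escape them as `\|` and `\\` before the SnortSnprintfAppend call, or have a helper do it. Two smaller points: `cn == NULL ? "CLASS" : cn->type` guards only a failed lookup, not a NULL `type` member, and the hunk has no surrounding context, so the declaration and assignment of `cn` (the ClassTypeLookupById line quoted above) should be included in the patch so a reviewer can confirm it is set before this call on every path.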