Closed EmileDqy closed 3 years ago

Currently, the CEF parser fails for two reasons:

This is particularly problematic for us as we have a lot of data in this format to parse.

Behavior:

Input message:
CEF:0|nxlog.org|nxlog|2.7.1243|Executable Code was Detected|Advanced exploit detected|100|path=Some\/Path spt=46117 dst=172.25.212.204 dpt=

Rulebase:
version=2
rule=%.:cef%

Expected output:
{ "DeviceVendor": "nxlog.org", "DeviceProduct": "nxlog", "DeviceVersion": "2.7.1243", "SignatureID": "Executable Code was Detected", "Name": "Advanced exploit detected", "Severity": "100", "Extensions": { "path": "Some/Path", "spt": "46117", "dst": "172.25.212.204", "dpt": "" } }

Actual output:
{ "originalmsg": "CEF:0|nxlog.org|nxlog|2.7.1243|Executable Code was Detected|Advanced exploit detected|100|path=Some\\/Path spt=46117 dst=172.25.212.204 dpt=", "unparsed-data": "CEF:0|nxlog.org|nxlog|2.7.1243|Executable Code was Detected|Advanced exploit detected|100|path=Some\\/Path spt=46117 dst=172.25.212.204 dpt=" }

Tests

With this fix, the CEF parser is now more flexible than before when it comes to the trailing spaces after the headers (it ignores them). I had to change the tests that were dealing with this behavior.
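As an added example (not part of this issue and not liblognorm's own code), the following standalone Python CEF parser produces the same dictionary shape as the expected output above and accepts the three things the sample message exercises: the escaped slash in `path=Some\/Path` (unescaped to `Some/Path`), the empty trailing `dpt=` value, and whitespace between the last header `|` and the first extension key. The header field names, the sample strings, and the decision to treat any backslash-escaped character generically (the CEF specification only lists `\|`, `\\`, `\=`, `\n` and `\r`) are assumptions of this example. The operational point is the one the actual output shows: a message the parser rejects ends up in `unparsed-data` and never reaches downstream rules, so a parser that is lenient about escapes and whitespace avoids silently dropping events.

```python
import re

# Constructed sample: the message reported in the issue above.
SAMPLE = ("CEF:0|nxlog.org|nxlog|2.7.1243|Executable Code was Detected|"
          "Advanced exploit detected|100|path=Some\\/Path spt=46117 dst=172.25.212.204 dpt=")

# Header field names, chosen to match the expected output in the issue (assumption).
HEADER_NAMES = ("DeviceVendor", "DeviceProduct", "DeviceVersion",
                "SignatureID", "Name", "Severity")

# An extension key starts the string or follows whitespace, contains no whitespace,
# '=' or backslash, and is immediately followed by '='.  Because a key may not
# contain a backslash, an escaped "\=" inside a value is never mistaken for a key.
_KEY_RE = re.compile(r"(?:^|\s)([^\s=\\]+)=")


def _unescape(text):
    """Drop the backslash from any escaped character; "\\n" and "\\r" become line breaks."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            nxt = text[i + 1]
            out.append({"n": "\n", "r": "\r"}.get(nxt, nxt))
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def split_headers(line):
    """Split the 7 header fields on unescaped '|'; return (fields, extension_text)."""
    fields, buf, i = [], [], 0
    while i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line):      # "\|" and "\\" are literal inside headers
            buf.append(line[i + 1])
            i += 2
            continue
        if c == "|":
            fields.append("".join(buf))
            buf = []
            if len(fields) == 7:                  # "CEF:<version>" plus the 6 named headers
                return fields, line[i + 1:]
        else:
            buf.append(c)
        i += 1
    raise ValueError("incomplete CEF header: expected 7 '|'-terminated fields")


def parse_extensions(text):
    """Parse 'key=value key=value' where values may contain spaces and escapes."""
    ext = {}
    keys = list(_KEY_RE.finditer(text))
    for n, m in enumerate(keys):
        start = m.end()
        end = keys[n + 1].start() if n + 1 < len(keys) else len(text)
        value = text[start:end]
        if n + 1 == len(keys):
            value = value.rstrip()                # trailing whitespace after the last value
        ext[m.group(1)] = _unescape(value)        # "dpt=" yields an empty string, not a failure
    return ext


def parse_cef(line):
    """Return a dict with the same keys as the expected output in the issue."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF message")
    fields, ext_text = split_headers(line)
    int(fields[0][len("CEF:"):])                  # the CEF version must be numeric
    record = dict(zip(HEADER_NAMES, fields[1:]))
    # Whitespace between the last header '|' and the first key is ignored.
    record["Extensions"] = parse_extensions(ext_text.lstrip())
    return record


if __name__ == "__main__":
    import json
    print(json.dumps(parse_cef(SAMPLE), indent=2))
```

Running the module prints the parsed sample as JSON. Header splitting is done with an explicit scan rather than `str.split("|")` so that an escaped `\|` inside a product name or signature does not shift every later field; extension values are delimited by the next `key=` token rather than by spaces so that free-text fields such as `msg=` keep their spaces.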