jonahseeabear
commented
6 months ago Migrated to Wazuh main repo.
Closed jonahseeabear closed 6 months ago
jonahseeabear
commented
6 months ago Migrated to Wazuh main repo.
Hi all!
I noticed some inconsistencies in normalization for decoding "protocol" from logs, especially with networking logs.
The majority of decoders associate "protocol" with the literal "protocol" field. Other decoders (specifically fortigate, sonicwall, and others) decode the protocol into the "proto" field.
For normalization, is it appropriate to modify the decoder fields for consistency among other decoders?
I have applied this change to a local decoder and verified the field is corrected.
Github filter search for "proto": Proto Search
Github filter search for "protocol": Protocol Search