Fixed issue solzimer#9 with CEF escaping

hanvyj · Sep 25, 2020 · 7d607b8 · 7d607b8
1 parent df76b01
commit 7d607b8
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 28 deletions.
diff --git a/cef.js b/cef.js
@@ -32,9 +32,8 @@ function splitHeaders(text) {
 					fields--;
 				}
 			}
-			else if(ch=="\\") {
-				curr += ch;
-				scape = !scape;
+			else if(ch=="\\" && !scape) {
+				scape = true;
 			}
 			else {
 				scape = false;
@@ -51,32 +50,50 @@ function splitHeaders(text) {
 }
 
 function splitFields(msg) {
-	let tokens = msg.split(" ");
-	let map = {};
+	var map = {};
+	var scape = false;
+	var key = "";
+	var nextKey = "";
+	var curr = "";
 
-	let token = null;
-	while(tokens.length) {
-		if(!token) {
-			token = tokens.shift();
-			if(token.indexOf('=')>=0) {
-				let kv = token.split("=");
-				token = kv[0];
-				map[token] = kv[1];
+	msg.split("").forEach(ch=>{
+		if(ch=="=") {
+			if(scape) {
+				// Escape this = and treat it like any other character
+				scape = false;
+				curr += ch;
+				nextKey += ch;
 			}
 			else {
-				map[token] = "";
+				// The equals isn't escaped, so add the previous key value to the map
+				if (key) {
+					map[key] = curr.slice(0, curr.length - nextKey.length - 1);
+				}
+				// Now prepare for the next key value
+				key = nextKey;
+				curr = "";
+				nextKey = "";
 			}
 		}
+		else if(ch=="\\" && !scape) {
+			// This is the escape character, so flag the next character to be escaped
+			scape = true;
+		}
+		else if(ch==" ") {
+			curr += ch;
+			// reset the next possible key as we've seen a space
+			nextKey = "";
+		}
 		else {
-			let val = tokens.shift();
-			if(val.indexOf('=')<0) {
-				map[token] += ` ${val}`;
-			}
-			else {
-				token = null;
-				tokens.unshift(val);
-			}
+			scape = false;
+			// add the character to the possible key and current value
+			curr += ch;
+			nextKey += ch;
 		}
+	});
+
+	if(key && curr) {
+		map[key] = curr;
 	}
 
 	return map;

diff --git a/test/examples.js b/test/examples.js
@@ -370,7 +370,7 @@ module.exports = [
     "deviceProduct": "threatmanager",
     "deviceVersion": "1.0",
     "deviceEventClassID": "100",
-    "name": "detected a \\| in message",
+    "name": "detected a | in message",
     "severity": "10",
     "extension": "src=10.0.0.1 act=blocked a | dst=1.1.1.1"
   },
@@ -382,13 +382,13 @@ module.exports = [
   "header": ""
 },
 {
-  "originalMessage": "Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|detected a \\ in packet|10|src=10.0.0.1 act=blocked a \\ dst=1.1.1.1",
+  "originalMessage": "Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|detected a \\\\ in packet|10|src=10.0.0.1 act=blocked a \\\\ dst=1.1.1.1",
   "pri": "",
   "prival": null,
   "type": "CEF",
   "ts": "2019-09-19T06:26:10.000Z",
   "host": "host",
-  "message": "CEF:0|security|threatmanager|1.0|100|detected a \\ in packet|10|src=10.0.0.1 act=blocked a \\ dst=1.1.1.1",
+  "message": "CEF:0|security|threatmanager|1.0|100|detected a \\\\ in packet|10|src=10.0.0.1 act=blocked a \\\\ dst=1.1.1.1",
   "chain": [],
   "cef": {
     "version": "CEF:0",
@@ -398,7 +398,7 @@ module.exports = [
     "deviceEventClassID": "100",
     "name": "detected a \\ in packet",
     "severity": "10",
-    "extension": "src=10.0.0.1 act=blocked a \\ dst=1.1.1.1"
+    "extension": "src=10.0.0.1 act=blocked a \\\\ dst=1.1.1.1"
   },
   "fields": {
     "src": "10.0.0.1",
@@ -428,8 +428,7 @@ module.exports = [
   },
   "fields": {
     "src": "10.0.0.1",
-    "act": "blocked a",
-    "\\": "",
+    "act": "blocked a =",
     "dst": "1.1.1.1"
   },
   "header": "Sep 19 08:26:10 host "