CEF escaping is not consistent or implemented on extension fields #9

hanvyj · 2020-09-25T17:21:07Z

For example, there's no | character escaping in the prefix fields. There's also no '=' escaping in the extension fields. The following:

CEF:0|security|threatmanager|1.0|100|detected a = in message|10|src=10.0.0.1 act=blocked a \\= dst=1.1.1.1

produces the fields:

  "fields": {
    "src": "10.0.0.1",
    "act": "blocked a",
    "\\": "",
    "dst": "1.1.1.1"
  },

When it should, I think, produce:

  "fields": {
    "src": "10.0.0.1",
    "act": "blocked a \\",
    "dst": "1.1.1.1"
  },

The text was updated successfully, but these errors were encountered:

solzimer · 2024-09-22T10:30:27Z

Hi @hanvyj sorry for being soooo late reviewing this. Let me take a look and i will merge the changes. Thanks a lot!

hanvyj pushed a commit to hanvyj/nsyslog-parser that referenced this issue Sep 25, 2020

Fixed issue solzimer#9 with CEF escaping

7d607b8

hanvyj mentioned this issue Sep 25, 2020

Fixes issues with escaping characters in CEF parsing #10

Open

hanvyj closed this as completed Sep 9, 2024

hanvyj reopened this Sep 9, 2024

Provide feedback