appscope icon indicating copy to clipboard operation
appscope copied to clipboard

Published 20 hours ago verified publisher icon criblio

[Bug]: Sending payloads with cribl/event transport type - inconsistency with channel type

Open michalbiesek opened this issue 1 year ago • 0 comments

Steps To Reproduce

This is example payload received from event transportation type:

{"type":"payload","id":"michalbiesek-host-host -v -t a cribl.io","pid":181832,"ppid":66772,"fd":9,"src":"nettx","_channel":20401133743160,"len":26,"localip":"0.0.0.0","localp":0,"remoteip":"127.0.0.53","remotep":53,"protocol":"DNS-detection","_time":1690201303.836}
�tcriblio

See that channel type above is int

While in case of other events we use a string type

{"type":"evt","id":"michalbiesek-host-host -v -t a cribl.io","_channel":"20401134899264","body":{"sourcetype":"dns","_time":1690201303.836175,"source":"dns.req","host":"michalbiesek","proc":"host","cmd":"host -v -t a cribl.io","pid":181832,"data":{"domain":"cribl.io"}}}

https://github.com/criblio/appscope/blob/0be47b20700f0bd03ca66380641036e3d66abc06/src/ctl.c#L509-L512

Environment

- AppScope: 1.4.0
- OS: Linux
- Architecture: both 
- Kernel: -

The above can results with unexpected behavior on the other side while interpreting the data

michalbiesek avatar Jul 24 '23 12:07 michalbiesek