
CEF escaping is not consistent or implemented on extension fields

Open hanvyj opened this issue 4 years ago • 1 comment

The escaping doesn't seem consistent with [the CEF standard](https://kc.mcafee.com/resources/sites/MCAFEE/content/live/CORP_KNOWLEDGEBASE/78000/KB78712/en_US/CEF_White_Paper_20100722.pdf).

For example, there's no | character escaping in the prefix fields. There's also no '=' escaping in the extension fields. The following:

CEF:0|security|threatmanager|1.0|100|detected a = in message|10|src=10.0.0.1 act=blocked a \\= dst=1.1.1.1 

produces the fields:

  "fields": {
    "src": "10.0.0.1",
    "act": "blocked a",
    "\\": "",
    "dst": "1.1.1.1"
  },

When it should, I think, produce:

  "fields": {
    "src": "10.0.0.1",
    "act": "blocked a \\",
    "dst": "1.1.1.1"
  },

hanvyj avatar Sep 25 '20 17:09 hanvyj
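For reference, here is how a parser that follows the escaping rules in the CEF white paper handles the header and extension parts. This is an added example, not nsyslog-parser's code; the function names (`splitHeader`, `unescapeValue`, `parseExtension`, `parseCef`) are invented for illustration, and the sample message is constructed from the one in the issue, using the white paper's single-backslash `\=` as the escape for `=` inside an extension value.

```javascript
// Added example (not nsyslog-parser's code): a minimal CEF parser that applies
// the escaping rules from the CEF white paper. Header fields escape '|' as '\|'
// and '\' as '\\'; extension values escape '=' as '\=', '\' as '\\', and line
// breaks as '\n' / '\r'. The function names here are invented for illustration.

// Split the seven header fields on unescaped '|' and decode \| and \\.
// Returns the decoded header fields plus the raw (still escaped) extension.
function splitHeader(line) {
  const header = [];
  let cur = '';
  let i = 0;
  while (i < line.length && header.length < 7) {
    const ch = line[i];
    if (ch === '\\' && i + 1 < line.length) {
      cur += line[i + 1]; // \| -> | and \\ -> \ ; any other \x collapses to x
      i += 2;
    } else if (ch === '|') {
      header.push(cur);
      cur = '';
      i += 1;
    } else {
      cur += ch;
      i += 1;
    }
  }
  if (header.length < 7) {
    throw new Error('malformed CEF header: expected 7 pipe-delimited fields');
  }
  return { header, extension: line.slice(i) };
}

// Decode the escape sequences permitted in an extension value.
function unescapeValue(raw) {
  return raw.replace(/\\(.)/g, (whole, c) => {
    if (c === '=' || c === '\\') return c;
    if (c === 'n') return '\n';
    if (c === 'r') return '\r';
    return whole; // unknown escape sequences are left untouched
  });
}

// Parse "key=value key2=value2 ..." where values may contain spaces and
// escaped '=' signs. Each unescaped '=' marks a key boundary: the key is the
// whitespace-free run immediately before it, and the value runs up to the
// start of the next key (or the end of the string).
function parseExtension(ext) {
  const eqPositions = [];
  for (let i = 0; i < ext.length; i++) {
    if (ext[i] === '\\') { i++; continue; } // skip the escaped character
    if (ext[i] === '=') eqPositions.push(i);
  }
  const keyStart = (eq) => {
    let s = eq;
    while (s > 0 && !/\s/.test(ext[s - 1])) s--;
    return s;
  };
  const fields = {};
  eqPositions.forEach((eq, n) => {
    const key = ext.slice(keyStart(eq), eq);
    const valueEnd = n + 1 < eqPositions.length
      ? keyStart(eqPositions[n + 1])
      : ext.length;
    fields[key] = unescapeValue(ext.slice(eq + 1, valueEnd).trimEnd());
  });
  return fields;
}

// Assemble the named header fields and the decoded extension map.
function parseCef(line) {
  const { header, extension } = splitHeader(line);
  return {
    version: header[0].replace(/^CEF:/, ''),
    deviceVendor: header[1],
    deviceProduct: header[2],
    deviceVersion: header[3],
    signatureId: header[4],
    name: header[5],
    severity: header[6],
    fields: parseExtension(extension),
  };
}

// Constructed sample based on the message in the issue, with the white paper's
// single-backslash escape for '=' inside the 'act' value.
const SAMPLE = 'CEF:0|security|threatmanager|1.0|100|detected a = in message|10|' +
  'src=10.0.0.1 act=blocked a \\= dst=1.1.1.1';

console.log(JSON.stringify(parseCef(SAMPLE), null, 2));
```

With this input the `act` value decodes to `blocked a =` and no stray `\\` key appears; the `=` inside the header's Name field needs no escaping because header fields are delimited by `|`, not `=`. Values are trimmed only on the right, so a single space separating a value from the next key is dropped while any leading whitespace in a value is kept.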