CEF escaping is not consistent or implemented on extension fields #9

@hanvyj

Description

The escaping doesn't seem consistent with [the CEF standard](https://kc.mcafee.com/resources/sites/MCAFEE/content/live/CORP_KNOWLEDGEBASE/78000/KB78712/en_US/CEF_White_Paper_20100722.pdf).

For example, there's no | character escaping in the prefix fields. There's also no '=' escaping in the extension fields. The following:

CEF:0|security|threatmanager|1.0|100|detected a = in message|10|src=10.0.0.1 act=blocked a \\= dst=1.1.1.1 

produces the fields:

  "fields": {
    "src": "10.0.0.1",
    "act": "blocked a",
    "\\": "",
    "dst": "1.1.1.1"
  },

When it should, I think, produce:

  "fields": {
    "src": "10.0.0.1",
    "act": "blocked a \\",
    "dst": "1.1.1.1"
  },
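For reference, below is a small standalone CEF parser in Python that applies the escaping rules from the white paper linked above. It is example code written for this note, not this project's parser: in the header only `|` and `\` are escaped with a backslash (an `=` there needs no escaping), while in the extension `=` and `\` are escaped and `\n`/`\r` stand for line breaks (a `|` there needs no escaping). The sample messages are constructed; the first is the issue's message with a single backslash before the `=`, the second exercises the header escapes and a multi-line value.

```python
import json
from typing import Dict, List, Tuple

# Header field names in the order the CEF white paper defines them.
PREFIX_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# Escape sequences valid inside extension values: \= \\ \n \r
_EXT_ESCAPES = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}


def split_prefix(message: str) -> Tuple[List[str], str]:
    """Split the seven pipe-delimited header fields from the raw extension.

    Only '|' and '\\' are escapable in the header; '=' needs no escaping here.
    """
    if not message.startswith("CEF:"):
        raise ValueError("not a CEF message")
    fields: List[str] = []
    buf: List[str] = []
    i, n = len("CEF:"), len(message)
    while i < n and len(fields) < len(PREFIX_FIELDS):
        ch = message[i]
        if ch == "\\" and i + 1 < n and message[i + 1] in "|\\":
            buf.append(message[i + 1])      # \| -> |   and   \\ -> \
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))     # an unescaped pipe ends a header field
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(fields) != len(PREFIX_FIELDS):
        raise ValueError("CEF header must contain seven pipe-delimited fields")
    return fields, message[i:]


def unescape_extension(value: str) -> str:
    """Resolve the escape sequences the extension part allows; unknown ones are kept."""
    out: List[str] = []
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value) and value[i + 1] in _EXT_ESCAPES:
            out.append(_EXT_ESCAPES[value[i + 1]])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_extension(ext: str) -> Dict[str, str]:
    """Parse 'key=value key2=value2' where values may contain spaces.

    A key is the space-free token directly before an unescaped '='; a value runs
    from its '=' up to the start of the next key, so escaped '=' stays in the value.
    """
    eq_positions: List[int] = []
    i = 0
    while i < len(ext):
        if ext[i] == "\\":
            i += 2                  # skip the escaped character, whatever it is
            continue
        if ext[i] == "=":
            eq_positions.append(i)
        i += 1

    fields: Dict[str, str] = {}
    prev_key = None
    value_start = 0
    for pos in eq_positions:
        key_start = ext.rfind(" ", 0, pos) + 1
        if prev_key is not None:
            fields[prev_key] = unescape_extension(ext[value_start:key_start].rstrip())
        prev_key = ext[key_start:pos]
        value_start = pos + 1
    if prev_key is not None:
        fields[prev_key] = unescape_extension(ext[value_start:].rstrip())
    return fields


def parse_cef(message: str) -> Dict[str, object]:
    """Return the header fields by name plus a 'fields' dict for the extension."""
    header, ext = split_prefix(message)
    result: Dict[str, object] = dict(zip(PREFIX_FIELDS, header))
    result["fields"] = parse_extension(ext)
    return result


# Constructed sample messages for this example (not taken from the project's tests).
SAMPLES = [
    r"CEF:0|security|threatmanager|1.0|100|detected a = in message|10|src=10.0.0.1 act=blocked a \= dst=1.1.1.1 ",
    r"CEF:0|Acme\|Corp|fw|2.1|7|path C:\\temp|3|msg=line one\nline two dst=10.0.0.2",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(json.dumps(parse_cef(sample), indent=2))
```

Running the module prints both parsed samples as JSON. Note that the scanner consumes the two-character sequence `\\` as one escaped backslash before it looks for `=`, so a literal equals sign inside a value must be preceded by exactly one backslash to stay part of that value.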
