To Reproduce
Set up a pipeline to parse the extensions field using key_value_parser.
Expected behavior
That the key values will be parsed without error.
Environment:
N/A
1.2.7
Error
{
"level":"error",
"timestamp":"2021-09-21T22:24:16.709-0400",
"message":"Failed to process entry",
"operator_id":"$.cef.extensions_parser",
"operator_type":"key_value_parser",
"error":"16 errors occurred:\n\t* expected '(Windows' to split by '=' into two items, got 1\n\t* expected 'NT' to split by '=' into two items, got 1\n\t* expected '6.1;' to split by '=' into two items, got 1\n\t* expected 'WOW64;' to split by '=' into two items, got 1\n\t* expected 'rv:40.0)' to split by '=' into two items, got 1\n\t* expected 'Gecko/20100101' to split by '=' into two items, got 1\n\t* expected 'Firefox/40.0' to split by '=' into two items, got 1\n\t* expected 'Support' to split by '=' into two items, got 1\n\t* expected 'Support' to split by '=' into two items, got 1\n\t* expected 'Support' to split by '=' into two items, got 1\n\t* expected 'qstr=p\\=%2fetc%2fpasswd' to split by '=' into two items, got 3\n\t* expected 'Malicious' to split by '=' into two items, got 1\n\t* expected 'User,High' to split by '=' into two items, got 1\n\t* expected 'Risk' to split by '=' into two items, got 1\n\t* expected 'Resources,' to split by '=' into two items, got 1\n\t* expected 'name' to split by '=' into two items, got 1\n\n",
"action":"send",
"entry":{
"timestamp":"2021-09-21T22:24:16.709042-04:00",
"severity":0,
"labels":{
"device":"SIEMintegration",
"file_name":"cef_parser.log",
"log_type":"cef",
"plugin_id":"common_event_format",
"version":"0"
},
"record":{
"device_vendor":"Incapsula",
"device_version":"1",
"extensions":" fileid=3412341160002518171 sourceServiceName=site123.abcd.info siteid=1509732 suid=50005477 requestClientApplication=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 cs2=true cs2Label=Javascript Support cs3=true cs3Label=CO Support src=12.12.12.12 caIP=[13.13.13.13] ccode=[IL] tag=www.elvis.com cn1=200 in=54 xff=44.44.44.44 cs1=NOT_SUPPORTED cs1Label=Cap Support cs4=c2e72124-0e8a-4dd8-b13b-3da246af3ab2 cs4Label=VID cs5=de3c633ac428e0678f3aac20cf7f239431e54cbb8a17e8302f53653923305e1835a9cd871db32aa4fc7b8a9463366cc4 cs5Label=clappsigdproc cs6=Firefox cs6Label=clapp ccode=[IL] cicode=Rehovot cs7=31.8969 cs7Label=latitude cs8=34.8186 cs8Label=longitude Customer=CEFcustomer123 start=1453290121336 request=site123.abcd.info/ requestmethod=GET qstr=p\\=%2fetc%2fpasswd app=HTTP act=REQ_CHALLENGE_CAPTCHA deviceExternalID=33411452762204224 filetype=30037,1001, filepermission=2,1, cs9=Block Malicious User,High Risk Resources, cs9Label=Rule name",
"message":"Illegal Resource Access",
"severity":"9",
"signature_id":"1"
}
}
}
Describe the bug
When using the key_value_parser, the following example will fail.
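Added example (not from the issue or the project's code): a Go parser for the CEF `extensions` string that takes each value to run up to the next `key=`, shown beside the whitespace-then-`=` split that the error messages in the report describe. `ParseExtensions`, `NaiveFailures` and the shortened sample string are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample: a shortened excerpt of the "extensions" value from the report.
const sample = `requestClientApplication=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 cs2=true cs2Label=Javascript Support src=12.12.12.12 qstr=p\=%2fetc%2fpasswd app=HTTP cs9=Block Malicious User,High Risk Resources, cs9Label=Rule name`

// keyStart matches a key at the start of input or after whitespace, followed by '='.
// A backslash cannot be part of a key, so an escaped "\=" never starts a new pair.
var keyStart = regexp.MustCompile(`(?:^|\s)([A-Za-z0-9_]+)=`)

// unescape reverses CEF extension escaping for backslash, '=', and line breaks.
var unescape = strings.NewReplacer(`\\`, `\`, `\=`, `=`, `\n`, "\n", `\r`, "\r")

// NaiveFailures counts tokens rejected when splitting on whitespace and then on '=',
// the behaviour the error messages in the report describe.
func NaiveFailures(ext string) int {
	n := 0
	for _, tok := range strings.Fields(ext) {
		if len(strings.Split(tok, "=")) != 2 {
			n++
		}
	}
	return n
}

// ParseExtensions (hypothetical helper) treats everything up to the next "key=" as
// the value, so spaces and escaped '=' stay inside the value they belong to.
func ParseExtensions(ext string) map[string]string {
	out := map[string]string{}
	idx := keyStart.FindAllStringSubmatchIndex(ext, -1)
	for i, m := range idx {
		end := len(ext)
		if i+1 < len(idx) {
			end = idx[i+1][0] // next pair begins at its leading whitespace
		}
		out[ext[m[2]:m[3]]] = unescape.Replace(strings.TrimSpace(ext[m[1]:end]))
	}
	return out
}

func main() {
	fmt.Println("naive failures:", NaiveFailures(sample))
	fmt.Printf("%q\n", ParseExtensions(sample))
}
```

Repeated keys (such as `ccode` in the full record) keep the last value seen, because the result is a map.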