Simon Elliston Ball created METRON-832:
------------------------------------------
Summary: CEFParser does not handle un-compliant format found in the wild
Key: METRON-832
URL: https://issues.apache.org/jira/browse/METRON-832
Project: Metron
Issue Type: Bug
Affects Versions: 0.3.1
Reporter: Simon Elliston Ball
The CEF Parser does not currently match CEF files produced by certain Palo Alto network devices as found in the wild.
Sample message:
<14>Apr 7 10:10:10 hostname CEF: 0|Palo Alto Networks|PAN-OS|6.1.3|url|THREAT|1|rt=Apr 07 2017 00:10:10 GMT deviceExternalId=00000000 src=10.10.10.10 dst=20.20.20.20 sourceTranslatedAddress=0.0.0.0 destinationTranslatedAddress=0.0.0.0 cs1Label=Rule cs1=Trusted-to-Untrusted suser= duser= app=ssl cs3Label=Virtual Sys cs3=vsys2 cs4Label=Src Zone cs4=Trusted cs5Label=Dst Zone cs5=Untrusted deviceInboundInterface=ethernet1/12.345 deviceOutboundInterface=ethernet1/12.345 cs6Label=LogProfile cs6=Log_Profile cn1Label=SessionID cn1=123456 cnt=1 spt=18371 dpt=443 sourceTranslatedPort=0 destinationTranslatedPort=0 flexString1Label=Flags flexString1=0x8000 proto=tcp act=alert request=\"www.example.com/\" cs2Label=URL Cat cs2=gambling flexString2Label=Direction flexString2=client-to-server externalId=123456789 requestContext= cat=(9999) filePath= fileId=0 fileHash= deviceProcessName=Device.Process.Name
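The following is an added Python illustration, not Metron's Java CEFParser and not the fix applied for this ticket. The standard CEF header is `CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension` with no whitespace between `CEF:` and the version, whereas the sample above carries a space after the colon, several empty extension values (`suser=`, `fileHash=`) and a backslash-quoted `request` value. The parser below accepts the sample in its default lenient mode and rejects it in `strict` mode, so a detection pipeline can choose between dropping such events and ingesting them. The `SAMPLE` string is the reporter's message from this ticket joined onto one line; the field names and the `strict` flag are this example's own choices.

```python
import re

# The message from the report above, joined onto one line (constructed test input).
SAMPLE = (
    '<14>Apr 7 10:10:10 hostname CEF: 0|Palo Alto Networks|PAN-OS|6.1.3|url|THREAT|1|'
    'rt=Apr 07 2017 00:10:10 GMT deviceExternalId=00000000 src=10.10.10.10 dst=20.20.20.20 '
    'sourceTranslatedAddress=0.0.0.0 destinationTranslatedAddress=0.0.0.0 '
    'cs1Label=Rule cs1=Trusted-to-Untrusted suser= duser= app=ssl cs3Label=Virtual Sys cs3=vsys2 '
    'cs4Label=Src Zone cs4=Trusted cs5Label=Dst Zone cs5=Untrusted '
    'deviceInboundInterface=ethernet1/12.345 deviceOutboundInterface=ethernet1/12.345 '
    'cs6Label=LogProfile cs6=Log_Profile cn1Label=SessionID cn1=123456 cnt=1 spt=18371 dpt=443 '
    'sourceTranslatedPort=0 destinationTranslatedPort=0 flexString1Label=Flags flexString1=0x8000 '
    'proto=tcp act=alert request=\\"www.example.com/\\" cs2Label=URL Cat cs2=gambling '
    'flexString2Label=Direction flexString2=client-to-server externalId=123456789 '
    'requestContext= cat=(9999) filePath= fileId=0 fileHash= deviceProcessName=Device.Process.Name'
)

HEADER_FIELDS = ['device_vendor', 'device_product', 'device_version',
                 'signature_id', 'name', 'severity']

# An extension key is a run of identifier characters followed by '=', preceded by
# start-of-string or whitespace; '\=' inside a value therefore never starts a key.
_KEY = re.compile(r'(?:^|\s)([A-Za-z0-9_.\-]+)=')
_ESCAPES = {'n': '\n', 'r': '\r'}


def _unescape(value):
    """Undo CEF backslash escaping (\\\\, \\=, \\n, \\r); also tolerates the \\" seen in the sample."""
    return re.sub(r'\\(.)', lambda m: _ESCAPES.get(m.group(1), m.group(1)), value)


def _split_header(rest, count):
    """Split the first `count` pipe-delimited header fields, honouring '\\|' and '\\\\' escapes."""
    fields, buf, i = [], [], 0
    while i < len(rest) and len(fields) < count:
        ch = rest[i]
        if ch == '\\' and i + 1 < len(rest):
            buf.append(rest[i + 1])
            i += 2
            continue
        if ch == '|':
            fields.append(''.join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    if len(fields) < count:
        raise ValueError('truncated CEF header: expected %d fields' % count)
    return fields, rest[i:]


def _parse_extension(ext):
    """Parse 'key=value key2=value with spaces' into a dict; a value runs until the next key."""
    out = {}
    matches = list(_KEY.finditer(ext))
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip())
    return out


def parse_cef(line, strict=False):
    """Parse one syslog-wrapped CEF line.

    strict=True requires 'CEF:' to be immediately followed by the version, as the
    format specifies; the default additionally tolerates whitespace after the colon.
    """
    pattern = r'CEF:(\d+)\|' if strict else r'CEF:\s*(\d+)\|'
    m = re.search(pattern, line)
    if not m:
        raise ValueError('no CEF header found')
    fields, ext = _split_header(line[m.end():], len(HEADER_FIELDS))
    record = {'syslog_prefix': line[:m.start()].rstrip(), 'cef_version': int(m.group(1))}
    record.update(zip(HEADER_FIELDS, fields))
    record['extension'] = _parse_extension(ext)
    return record


if __name__ == '__main__':
    rec = parse_cef(SAMPLE)
    print(rec['device_vendor'], rec['severity'], rec['extension']['cs3Label'])
```

Because values may legitimately contain spaces (`cs3Label=Virtual Sys`, `rt=Apr 07 2017 ...`), the extension parser cannot split on whitespace; it locates key positions and treats everything between two keys as the preceding value, which is also what makes empty values such as `suser=` come out as empty strings rather than swallowing the next key.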