[https://issues.apache.org/jira/browse/METRON-832?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15960718#comment-15960718]
ASF GitHub Bot commented on METRON-832:
---------------------------------------
GitHub user simonellistonball opened a pull request:
https://github.com/apache/incubator-metron/pull/519
METRON-832 Fixed CEF parser for Palo Alto FITW
## Contributor Comments
This is a minor fix to the pattern based on some data found in the wild.
## Pull Request Checklist
Thank you for submitting a contribution to Apache Metron (Incubating).
Please refer to our [Development
Guidelines](https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=61332235)
for the complete guide to follow for contributions.
Please refer also to our [Build Verification
Guidelines](https://cwiki.apache.org/confluence/display/METRON/Verifying+Builds?show-miniview)
for complete smoke testing guides.
In order to streamline the review of the contribution we ask you follow
these guidelines and ask you to double check the following:
### For all changes:
- [x] Is there a JIRA ticket associated with this PR? If not one needs to
be created at [Metron
Jira](https://issues.apache.org/jira/browse/METRON/?selectedTab=com.atlassian.jira.jira-projects-plugin:summary-panel).
- [x] Does your PR title start with METRON-XXXX where XXXX is the JIRA
number you are trying to resolve? Pay particular attention to the hyphen "-"
character.
- [x] Has your PR been rebased against the latest commit within the target
branch (typically master)?
### For code changes:
- [x] Have you included steps to reproduce the behavior or problem that is
being changed or addressed?
- [x] Have you included steps or a guide to how the change may be verified
and tested manually?
- [x] Have you ensured that the full suite of tests and checks have been
executed in the root incubating-metron folder via:
```
mvn -q clean integration-test install && build_utils/verify_licenses.sh
```
- [x] Have you written or updated unit tests and or integration tests to
verify your changes?
- [x] If adding new dependencies to the code, are these dependencies
licensed in a way that is compatible for inclusion under [ASF
2.0](http://www.apache.org/legal/resolved.html#category-a)?
- [x] Have you verified the basic functionality of the build by building
and running locally with Vagrant full-dev environment or the equivalent?
### For documentation related changes:
- [x] Have you ensured that format looks appropriate for the output in
which it is rendered by building and verifying the site-book? If not then run
the following commands and the verify changes via
`site-book/target/site/index.html`:
```
cd site-book
bin/generate-md.sh
mvn site:site
```
#### Note:
Please ensure that once the PR is submitted, you check travis-ci for build
issues and submit an update to your PR as soon as possible.
It is also recommended that [travis-ci](https://travis-ci.org) is set up for
your personal repository such that your branches are built there before
submitting a pull request.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/simonellistonball/incubator-metron METRON-832
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/incubator-metron/pull/519.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #519
----
commit 3d87488cc3de21675008d156d51addc8274d82ae
Author: Simon Elliston Ball <[email protected]>
Date: 2017-04-07T12:33:41Z
Added test for Palo data found in the wild
commit 616318b5ab2472bd7779402a55a89893f27bf63a
Author: Simon Elliston Ball <[email protected]>
Date: 2017-04-07T12:34:08Z
Fixed matching pattern to handle Palo data and match syslog RFC
----
> CEFParser does not handle un-compliant format found in the wild
> ---------------------------------------------------------------
>
> Key: METRON-832
> URL: https://issues.apache.org/jira/browse/METRON-832
> Project: Metron
> Issue Type: Bug
> Affects Versions: 0.3.1
> Reporter: Simon Elliston Ball
>
> The CEF Parser does not currently match CEF files produced by certain Palo
> Alto network devices as found in the wild.
> Sample message:
> <14>Apr 7 10:10:10 hostname CEF: 0|Palo Alto
> Networks|PAN-OS|6.1.3|url|THREAT|1|rt=Apr 07 2017 00:10:10 GMT
> deviceExternalId=00000000 src=10.10.10.10 dst=20.20.20.20
> sourceTranslatedAddress=0.0.0.0 destinationTranslatedAddress=0.0.0.0
> cs1Label=Rule cs1=Trusted-to-Untrusted suser= duser= app=ssl cs3Label=Virtual
> Sys cs3=vsys2 cs4Label=Src Zone cs4=Trusted cs5Label=Dst Zone cs5=Untrusted
> deviceInboundInterface=ethernet1/12.345
> deviceOutboundInterface=ethernet1/12.345 cs6Label=LogProfile cs6=Log_Profile
> cn1Label=SessionID cn1=123456 cnt=1 spt=18371 dpt=443 sourceTranslatedPort=0
> destinationTranslatedPort=0 flexString1Label=Flags flexString1=0x8000
> proto=tcp act=alert request=\"www.example.com/\" cs2Label=URL Cat
> cs2=gambling flexString2Label=Direction flexString2=client-to-server
> externalId=123456789 requestContext= cat=(9999) filePath= fileId=0 fileHash=
> deviceProcessName=Device.Process.Name
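An added example, not Metron's CEFParser and not code from the PR: a small Python parser that accepts the quoted Palo Alto message (RFC 3164 syslog prefix, space after `CEF:`, unquoted extension values containing spaces, empty values) as well as strict CEF, and resolves the csN/cnN/flexStringN labels. The sample is the issue's message reassembled onto one line; the regexes, field names and function names are my own.

```python
import re

# Constructed sample: the Palo Alto message quoted in METRON-832, rejoined onto one line
# as it appears in the issue (backslashes before the quotes included). Two things a strict
# pattern trips over: an RFC 3164 syslog header in front, and a space in "CEF: 0".
SAMPLE = (
    '<14>Apr 7 10:10:10 hostname CEF: 0|Palo Alto Networks|PAN-OS|6.1.3|url|THREAT|1|'
    'rt=Apr 07 2017 00:10:10 GMT deviceExternalId=00000000 src=10.10.10.10 dst=20.20.20.20 '
    'sourceTranslatedAddress=0.0.0.0 destinationTranslatedAddress=0.0.0.0 cs1Label=Rule '
    'cs1=Trusted-to-Untrusted suser= duser= app=ssl cs3Label=Virtual Sys cs3=vsys2 '
    'cs4Label=Src Zone cs4=Trusted cs5Label=Dst Zone cs5=Untrusted '
    'deviceInboundInterface=ethernet1/12.345 deviceOutboundInterface=ethernet1/12.345 '
    'cs6Label=LogProfile cs6=Log_Profile cn1Label=SessionID cn1=123456 cnt=1 spt=18371 dpt=443 '
    'sourceTranslatedPort=0 destinationTranslatedPort=0 flexString1Label=Flags flexString1=0x8000 '
    'proto=tcp act=alert request=\\"www.example.com/\\" cs2Label=URL Cat cs2=gambling '
    'flexString2Label=Direction flexString2=client-to-server externalId=123456789 '
    'requestContext= cat=(9999) filePath= fileId=0 fileHash= deviceProcessName=Device.Process.Name'
)

# Optional RFC 3164 prefix (day may be space padded: "Apr  7"), then the CEF header;
# "\s*" after "CEF:" accepts both the spec's "CEF:0" and the Palo Alto "CEF: 0".
HEADER_RE = re.compile(
    r'^(?:<\d{1,3}>)?(?:[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \S+ )?'
    r'CEF:\s*(?P<version>\d+)\|(?P<rest>.*)$', re.DOTALL)
KEY_BOUNDARY = re.compile(r'\s+(?=[\w.]+=)')  # extension values may contain spaces
HEADER_NAMES = ('vendor', 'product', 'device_version', 'signature_id', 'name', 'severity')

def parse_cef(line):
    """Return header fields plus an 'extension' dict, or None if the line is not CEF."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = re.split(r'(?<!\\)\|', m.group('rest'), maxsplit=6)  # '\|' is a literal pipe
    if len(fields) != 7:
        return None
    record = {'version': int(m.group('version'))}
    record.update((k, v.replace('\\|', '|')) for k, v in zip(HEADER_NAMES, fields))
    ext = {}
    for token in filter(None, KEY_BOUNDARY.split(fields[6])):
        key, _, value = token.partition('=')
        ext[key] = value.replace('\\=', '=').replace('\\\\', '\\')  # extension escapes
    record['extension'] = ext
    return record

def resolve_labels(ext):
    """Map csNLabel/cnNLabel/flexStringNLabel names to their values, e.g. {'Src Zone': 'Trusted'}."""
    return {label: ext.get(key[:-5], '') for key, label in ext.items()
            if key.endswith('Label') and label}
```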