[https://issues.apache.org/jira/browse/METRON-832?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15962886#comment-15962886]
Ali Nazemian commented on METRON-832:
-------------------------------------
In terms of the Metron common message format, it provides a "proto" attribute instead of "protocol".
> CEFParser does not handle un-compliant format found in the wild
> ---------------------------------------------------------------
>
> Key: METRON-832
> URL: https://issues.apache.org/jira/browse/METRON-832
> Project: Metron
> Issue Type: Bug
> Affects Versions: 0.3.1
> Reporter: Simon Elliston Ball
>
> The CEF Parser does not currently match CEF files produced by certain Palo Alto network devices as found in the wild.
> Sample message:
> <14>Apr 7 10:10:10 hostname CEF: 0|Palo Alto Networks|PAN-OS|6.1.3|url|THREAT|1|rt=Apr 07 2017 00:10:10 GMT deviceExternalId=00000000 src=10.10.10.10 dst=20.20.20.20 sourceTranslatedAddress=0.0.0.0 destinationTranslatedAddress=0.0.0.0 cs1Label=Rule cs1=Trusted-to-Untrusted suser= duser= app=ssl cs3Label=Virtual Sys cs3=vsys2 cs4Label=Src Zone cs4=Trusted cs5Label=Dst Zone cs5=Untrusted deviceInboundInterface=ethernet1/12.345 deviceOutboundInterface=ethernet1/12.345 cs6Label=LogProfile cs6=Log_Profile cn1Label=SessionID cn1=123456 cnt=1 spt=18371 dpt=443 sourceTranslatedPort=0 destinationTranslatedPort=0 flexString1Label=Flags flexString1=0x8000 proto=tcp act=alert request=\"www.example.com/\" cs2Label=URL Cat cs2=gambling flexString2Label=Direction flexString2=client-to-server externalId=123456789 requestContext= cat=(9999) filePath= fileId=0 fileHash= deviceProcessName=Device.Process.Name
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
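As an added illustration (my own code, not Metron's CEFParser), a small Python parser that tolerates the non-compliant traits of the sample above: a syslog prefix before the header, a space after `CEF:`, empty extension values such as `suser=`, values containing spaces such as `cs2Label=URL Cat`, and `\"` escapes. Resolving the `csNLabel`/`csN` pairs into named fields is my own convention and is not something the page describes.

```python
import re

# Constructed input: the Palo Alto message quoted in the issue, joined back onto one line.
SAMPLE = (
    '<14>Apr 7 10:10:10 hostname CEF: 0|Palo Alto Networks|PAN-OS|6.1.3|url|THREAT|1|'
    'rt=Apr 07 2017 00:10:10 GMT deviceExternalId=00000000 src=10.10.10.10 dst=20.20.20.20 '
    'sourceTranslatedAddress=0.0.0.0 destinationTranslatedAddress=0.0.0.0 cs1Label=Rule cs1=Trusted-to-Untrusted '
    'suser= duser= app=ssl cs3Label=Virtual Sys cs3=vsys2 cs4Label=Src Zone cs4=Trusted cs5Label=Dst Zone '
    'cs5=Untrusted deviceInboundInterface=ethernet1/12.345 deviceOutboundInterface=ethernet1/12.345 '
    'cs6Label=LogProfile cs6=Log_Profile cn1Label=SessionID cn1=123456 cnt=1 spt=18371 dpt=443 '
    'sourceTranslatedPort=0 destinationTranslatedPort=0 flexString1Label=Flags flexString1=0x8000 proto=tcp '
    'act=alert request=\\"www.example.com/\\" cs2Label=URL Cat cs2=gambling flexString2Label=Direction '
    'flexString2=client-to-server externalId=123456789 requestContext= cat=(9999) filePath= fileId=0 fileHash= '
    'deviceProcessName=Device.Process.Name'
)

HEADER_NAMES = ("cef_version", "device_vendor", "device_product",
                "device_version", "signature_id", "name", "severity")
# Header: allow a syslog prefix before "CEF:" and whitespace after the colon (both non-compliant).
HEADER_RE = re.compile(r'(?:^|\s)CEF:\s*(\d+)\|')
# Extension: key=value, the value running to the next " key=" or end of line. A backslash
# escape is consumed as one unit, so "\=" or "\"" inside a value never terminates it.
EXT_RE = re.compile(r'(\w+)=((?:\\.|[^\\])*?)(?=\s+\w+=|$)')
UNESCAPE = {'\\|': '|', '\\=': '=', '\\\\': '\\', '\\"': '"', '\\n': '\n', '\\r': '\r'}

def _unescape(value):
    return re.sub(r'\\.', lambda m: UNESCAPE.get(m.group(0), m.group(0)), value)

def parse_cef(line):
    """Parse one CEF line into a flat dict; raise ValueError if no CEF header is present."""
    m = HEADER_RE.search(line)
    if not m:
        raise ValueError("no CEF header found")
    out = {"syslog_prefix": line[:m.start()].strip()}
    # Six unescaped pipes separate the remaining header fields from the extension block.
    parts = re.split(r'(?<!\\)\|', line[m.end():], maxsplit=6)
    if len(parts) != 7:
        raise ValueError("CEF header has fewer than seven fields")
    out.update(zip(HEADER_NAMES, [m.group(1)] + [_unescape(p) for p in parts[:6]]))
    # Extension keys keep their CEF short names, e.g. "proto" rather than "protocol".
    for key, value in EXT_RE.findall(parts[6].strip()):
        out[key] = _unescape(value)
    # My convention (not Metron's): resolve csN/cnN/flexStringN label pairs into named fields,
    # so "cs1Label=Rule cs1=Trusted-to-Untrusted" also yields out["Rule"].
    for key in [k for k in out if k.endswith("Label")]:
        label = out[key]
        if label and key[:-5] in out:
            out[label] = out[key[:-5]]
    return out
```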