[GitHub] incubator-metron issue #579: METRON-941 fix PaloAltoParser
Github user ctramnitz commented on the issue: https://github.com/apache/incubator-metron/pull/579 I agree to both of your points, defining it with the final name from the beginning would be more efficient and we should come up with a more normalized and standardized field naming convention in general. However, the second part is something for all parsers, not just this one, so it's a little bit out of scope for this PR. In fact, this PR doesn't change the concept of the previous code, it just makes the "intermediate" field names more consistent by following the vendor documentation. My suggestion would be to either merge this PR as-is or with one-time-definition of already defined Metron field names. To follow-up on the other topic we create a new Jira to define a normalized message format for all parsers (and enrichments), with subtasks to adapt each of the parsers (including this one). --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---
[GitHub] incubator-metron issue #579: METRON-941 fix PaloAltoParser
Github user simonellistonball commented on the issue: https://github.com/apache/incubator-metron/pull/579 Yes, that makes sense, but does have some performance implications of course. A single mapping would have much faster response, so I would question the original approach (on which you are quite correct). I'm sure others will chime in if there are benefits to the re-write the name approach that I'm missing. Right now we only formally define a small number of the fields - ip_(src|dest)_(addr|port) etc to have the metron format, but I would argue things like nat_source_addr in this parser should follow the spirit of the convention. --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---
[GitHub] incubator-metron issue #579: METRON-941 fix PaloAltoParser
Github user ctramnitz commented on the issue:
https://github.com/apache/incubator-metron/pull/579
Do you have any examples? The previous concept was to use arbitrary (at
least I couldn't find any reference) field names (i.e. source_address or
destination_address) and then further down these were renamed to "standard"
Metron style (i.e. outputMessage.put("ip_src_addr",
outputMessage.remove("source_address"));). I started to use the "official"
field names (as per vendor documentation), but I still rename the defined field
names to Metron style... did I miss any?
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] incubator-metron issue #579: METRON-941 fix PaloAltoParser
Github user simonellistonball commented on the issue: https://github.com/apache/incubator-metron/pull/579 A number of the field name changes seem to depart from Metron conventions. Is there a reason to change these from matching the metron ip_src_addr style pattern? --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---
