Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Mandiant threat intel source doesn't get split correctly when using JSON zeek log format #494

Closed
mmguero opened this issue Nov 14, 2024 · 0 comments
Closed

Mandiant threat intel source doesn't get split correctly when using JSON zeek log format #494

mmguero opened this issue Nov 14, 2024 · 0 comments
Assignees
@mmguero
Labels
bug Something isn't working logstash Relating to Malcolm's use of Logstash zeek Relating to Malcolm's use of Zeek
Milestone
v24.12.0

Comments

@mmguero
Copy link
Collaborator

mmguero commented Nov 14, 2024

I found this in testing the release of v24.11.0, but I decided it was small enough to not warrant pushing the release as it's being waited on by some partners for some other things.

Here's the repro:

  1. set ZEEK_JSON to true in ./config/zeek.env
  2. configure Zeek intelligence to pull from a Mandiant feed
  3. generate traffic that would generate intel.log entries
  4. look at the sources field and you'll see something like Mandiant|https://whatever...

I think the issue is the split on the | in the intel.log parsing code probably doesn't work on an array, which is what sources already is. We need to rewrite it in ruby probably, to split the individual entries whether they're in an array already or not.
@mmguero mmguero added bug Something isn't working logstash Relating to Malcolm's use of Logstash zeek Relating to Malcolm's use of Zeek labels Nov 14, 2024
@mmguero mmguero added this to the v24.12.0 milestone Nov 14, 2024
@mmguero mmguero added this to Malcolm Nov 14, 2024
@mmguero mmguero moved this to In Progress in Malcolm Nov 14, 2024
@mmguero mmguero moved this from In Progress to Todo (develop) in Malcolm Nov 14, 2024
@mmguero mmguero self-assigned this Dec 3, 2024
mmguero added a commit to mmguero-dev/Malcolm that referenced this issue Dec 12, 2024
@mmguero
cisagov#494, Mandiant threat intel source doesn't get split correctly…
18c4535 
… when using JSON zeek log format
@mmguero mmguero closed this as completed Dec 12, 2024
@github-project-automation github-project-automation bot moved this from Todo (develop) to Done in Malcolm Dec 12, 2024
This was referenced Dec 18, 2024
Merged
Merged
@mmguero mmguero moved this from Done to Released in Malcolm Dec 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mmguero mmguero

Labels
bug Something isn't working logstash Relating to Malcolm's use of Logstash zeek Relating to Malcolm's use of Zeek
Projects
Malcolm
Status: Released
Milestone
v24.12.0
Development

No branches or pull requests
1 participant
@mmguero