
CEF parser can't parse values enclosed in quotes with unescaped = #641

Open
DevMet1 opened this issue Feb 12, 2025 · 1 comment

Comments

@DevMet1

DevMet1 commented Feb 12, 2025

I had a Cisco Firepower extension part of CEF that looked similar to this.

act=qew app=qwe bytesin=11 bytesout=11 request="http://test.com:443/test/server_ping.php?ip=127.0.0.1\|cat%20/etc/passwd>../../2e.txt&id=1"

They enclosed the value in quotes instead of escaping the "=" symbols.

I would propose to use this regex ([^=\s]+)=((?:[\\]=|[^="])+|"[^"]+")(?:\s|$) there:

spl = re.findall(r'([^=\s]+)=((?:[\\]=|[^=])+)(?:\s|$)', extension)

And trim possible quotes in normalization:
item[key] = value.strip(string.whitespace+'"')

item[key] = value.strip()

Obviously I can miss some edge cases with this regex so feel free to correct me :)

@kellyjonbrazil
Owner

Hi, thanks for reporting this! I'm wondering if this will only work for the last quote enclosed value? Will this work if there are multiple quote enclosed values or if the value is in between other values?
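The proposed regex run over the sample extension from the report and over two constructed strings: one with several quoted values and a quoted value sitting between unquoted ones (the owner's question), and one with a double quote inside an unquoted value. This is an added example, not code from jc or from either commenter; `parse_extension` and the sample strings are assumptions for illustration.

```python
import re
import string

# Regex proposed in the issue: an unquoted value may contain escaped "=" (\=)
# but no raw "=" and no '"'; a quoted value may contain anything except '"'.
PROPOSED_RE = re.compile(r'([^=\s]+)=((?:[\\]=|[^="])+|"[^"]+")(?:\s|$)')

# Regex currently used by the parser, as quoted in the issue (for comparison).
CURRENT_RE = re.compile(r'([^=\s]+)=((?:[\\]=|[^=])+)(?:\s|$)')


def parse_extension(extension: str, pattern: re.Pattern = PROPOSED_RE) -> dict:
    """Split a CEF extension string into a key/value dict.

    Mirrors the proposal: findall with the regex, then strip whitespace and
    surrounding double quotes from every value.
    """
    return {key: value.strip(string.whitespace + '"')
            for key, value in pattern.findall(extension)}


# Constructed sample: the extension from the report, a URL whose query string
# contains unescaped "=" characters, wrapped in double quotes.
SAMPLE = ('act=qew app=qwe bytesin=11 bytesout=11 '
          'request="http://test.com:443/test/server_ping.php'
          '?ip=127.0.0.1\\|cat%20/etc/passwd>../../2e.txt&id=1"')

# Constructed sample for the owner's question: several quoted values, one of
# them between unquoted values, plus an unquoted value containing a space.
MULTI = 'a="x=1" msg=hello world b="y=2 z=3" c=4'

# Constructed sample for an edge case the proposal does not cover: a double
# quote that is merely part of an unquoted value (not a delimiter). The
# proposed regex cuts the value at the quote; the current regex keeps it.
EMBEDDED_QUOTE = 'msg=user said "hi" today act=block'


if __name__ == '__main__':
    print(parse_extension(SAMPLE))
    print(parse_extension(SAMPLE, CURRENT_RE))
    print(parse_extension(MULTI))
    print(parse_extension(EMBEDDED_QUOTE))
    print(parse_extension(EMBEDDED_QUOTE, CURRENT_RE))
```

With the current regex the sample yields no `request` key at all (the greedy value match cannot cross the inner `=` signs), while the proposal recovers it but truncates `msg` in the last sample.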
