Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

packages/sophos/xg: fix kv split and handle syslog headers #2320

Merged
merged 2 commits into from
Jan 5, 2022
Merged

packages/sophos/xg: fix kv split and handle syslog headers #2320

merged 2 commits into from
Jan 5, 2022

Conversation

efd6
Copy link
Contributor

@efd6 efd6 commented Dec 8, 2021

What does this PR do?

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

How to test this PR locally

Standard package testing.

Related issues

Screenshots

N/A

@efd6 efd6 added bug Something isn't working, use only for issues Team:Security-External Integrations 8.1-candidate labels Dec 8, 2021
@efd6 efd6 requested a review from P1llus December 8, 2021 05:07
@elasticmachine
Copy link

elasticmachine commented Dec 8, 2021
edited
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2021-12-16T05:43:34.000+0000

  • Duration: 23 min 43 sec

  • Commit: 243bab4

Test stats 🧪

Test Results
Failed 0
Passed 14
Skipped 0
Total 14

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

@efd6 efd6 marked this pull request as ready for review December 8, 2021 06:10
@elasticmachine
Copy link

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

efd6
efd6 commented Dec 16, 2021
View reviewed changes
Copy link
Contributor Author

@efd6 efd6 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The failing cases need a quote-aware split processor to pass.

packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log-expected.json
Comment on lines -8599 to +8603
"cookie": "; PHPSESSID=jetkd9iadd969hsr77jpj4q974; _pk_id.1.fc3a=3a6250e215194a92.1485866024.1.1485866069.1485866024.; _pk_ses.1.fc3a=*",
"cookie": ";",
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This failure is a fundamental inability for the KV processor to understand paired delimiters (quotes in this case) that make characters opaque.

packages/sophos/data_stream/xg/_dev/test/pipeline/test-sophos-xg.log-expected.json
Comment on lines -8717 to +8726
"extra": "Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Request Missing a User Agent Header",
"extra": "Inbound Anomaly Score Exceeded (Total Score: 7,",
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here.

@efd6 efd6 merged commit 685e9b4 into elastic:master Jan 5, 2022
@efd6 efd6 mentioned this pull request Feb 23, 2022
Closed
eyalkraft pushed a commit to build-security/integrations that referenced this pull request Mar 30, 2022
@efd6
packages/sophos/xg: fix kv split and handle syslog headers (elastic#2320
90e2b80 
)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@adriansr adriansr adriansr approved these changes

@P1llus P1llus Awaiting requested review from P1llus

Assignees

@adriansr adriansr

Labels
8.1-candidate bug Something isn't working, use only for issues Integration:sophos Sophos
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@efd6 @elasticmachine @adriansr @andrewkroh