Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make Zeek writer work with all data types #1205

Merged
merged 9 commits into from
Dec 8, 2020
Merged

Make Zeek writer work with all data types #1205

merged 9 commits into from
Dec 8, 2020

Conversation

mavam
Copy link
Member

@mavam mavam commented Nov 26, 2020
edited
Loading

📔 Description

This PR lifts the restriction of the Zeek writer to only dump Zeek events. There is no conceptual limitation, but VAST had an assertition that prevented rendering other data than Zeek.

📝 Checklist

  • All user-facing changes have changelog entries.
  • The changes are reflected on docs.tenzir.com/vast, if necessary.
  • The PR description contains instructions for the reviewer, if necessary.

🎯 Review Instructions

Commit-by-commit.

@mavam mavam changed the title Make Zeek writer work with all data types ### 📔 Description Make Zeek writer work with all data types Nov 26, 2020
@mavam mavam added the bug Incorrect behavior label Nov 26, 2020
@mavam
Copy link
Member Author

mavam commented Nov 26, 2020
edited
Loading

@tenzir/backend This is the CI failure:

--- /home/runner/work/vast/vast/integration/reference/node-suricata-alert/step_03.ref
510
+++ vast-integration-test/node-suricata-alert/step_03.out
511
@@ -1,7 +1,7 @@
512
-#close	2020-11-26-15-24-33
513
+#close	2020-11-26-15-42-56
514
 #empty_field	(empty)
515
 #fields	timestamp	flow_id	pcap_cnt	vlan	in_iface	src_ip	src_port	dest_ip	dest_port	proto	event_type	community_id	alert.app_proto	alert.action	alert.gid	alert.signature_id	alert.rev	alert.signature	alert.category	alert.severity	alert.source.ip	alert.source.port	alert.target.ip	alert.target.port	flow.pkts_toserver	flow.pkts_toclient	flow.bytes_toserver	flow.bytes_toclient	flow.start	flow.end	flow.age	flow.state	flow.reason	flow.alerted	payload	payload_printable	stream	packet	packet_info.linktype
516
-#open	2020-11-26-15-24-33
517
+#open	2020-11-26-15-42-56
518
 #path	alert
519
 #separator 	
520
 #set_separator	,

The problem is obvious: The #open and #close comments are not deterministic. Should we add a flag to the Zeek export to omit them? They are optional, after all. I was thinking of something along the lines of vast export zeek --no-meta-timestamps.

lava
lava approved these changes Nov 27, 2020
View reviewed changes
Copy link
Member

@lava lava left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me

libvast/src/system/spawn_sink.cpp Outdated Show resolved Hide resolved
libvast/vast/format/zeek.hpp Show resolved Hide resolved
lava
lava reviewed Nov 27, 2020
View reviewed changes
libvast/src/format/zeek.cpp Outdated Show resolved Hide resolved
@mavam mavam requested a review from lava December 7, 2020 17:04
@mavam mavam merged commit e403b66 into master Dec 8, 2020
@mavam mavam deleted the story/ch20667 branch December 8, 2020 13:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dominiklohmann dominiklohmann Awaiting requested review from dominiklohmann

@lava lava Awaiting requested review from lava

Assignees
No one assigned
Labels
bug Incorrect behavior
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@mavam @lava