Make Zeek writer work with all data types #1205
Conversation
@tenzir/backend This is the CI failure:
--- /home/runner/work/vast/vast/integration/reference/node-suricata-alert/step_03.ref
+++ vast-integration-test/node-suricata-alert/step_03.out
@@ -1,7 +1,7 @@
-#close 2020-11-26-15-24-33
+#close 2020-11-26-15-42-56
#empty_field (empty)
#fields timestamp flow_id pcap_cnt vlan in_iface src_ip src_port dest_ip dest_port proto event_type community_id alert.app_proto alert.action alert.gid alert.signature_id alert.rev alert.signature alert.category alert.severity alert.source.ip alert.source.port alert.target.ip alert.target.port flow.pkts_toserver flow.pkts_toclient flow.bytes_toserver flow.bytes_toclient flow.start flow.end flow.age flow.state flow.reason flow.alerted payload payload_printable stream packet packet_info.linktype
-#open 2020-11-26-15-24-33
+#open 2020-11-26-15-42-56
#path alert
#separator
#set_separator ,
The problem is obvious: The |
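Review bot: the only lines this hunk changes are the two run stamps, `-#close 2020-11-26-15-24-33` / `+#close 2020-11-26-15-42-56` and the matching `#open` pair; `#empty_field`, `#fields`, `#path`, `#separator` and `#set_separator` are identical between step_03.ref and step_03.out. A byte-for-byte comparison against a checked-in reference therefore fails on every run regardless of whether the writer change is correct. Rather than refreshing the timestamps in step_03.ref, the integration test should drop or mask the `#open`/`#close` lines before diffing, so the reference only pins the header layout and the records.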
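A check for the failure mode shown in the CI diff quoted above, added here as an example and not code from the tenzir/vast repository or its integration-test suite. It parses the Zeek ASCII header (the `#separator`, `#set_separator`, `#empty_field`, `#path`, `#fields`, `#open` and `#close` lines visible in the diff) and compares an output log against a reference with the run-dependent `#open`/`#close` stamps masked out, so that only a real change in layout or content fails the comparison. The sample logs are constructed here: the header keys and the `alert` path follow the quoted output, the field list is shortened, and the `#unset_field`/`#types` lines and the data row are made up.

```python
"""Compare Zeek ASCII logs while ignoring the #open/#close timestamps.

Added example (not code from tenzir/vast): the CI diff above differs only in
the #open and #close header lines, which carry the wall-clock time at which
the log was written and so can never match a checked-in reference file.
"""
import difflib
import re
from typing import Dict, List, Tuple

# Constructed sample logs.  Header keys and the 'alert' path mirror the CI
# output quoted above; the field list is shortened and the data row is made up.
REFERENCE_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\talert",
    "#open\t2020-11-26-15-24-33",
    "#fields\ttimestamp\tflow_id\tsrc_ip\tsrc_port\tdest_ip\tdest_port\tevent_type",
    "#types\ttime\tcount\taddr\tport\taddr\tport\tstring",
    "1606403073.000000\t1\t10.0.0.1\t40000\t10.0.0.2\t80\talert",
    "#close\t2020-11-26-15-24-33",
])

# The same content written 18 minutes later: only the two stamps differ.
CI_OUTPUT_LOG = REFERENCE_LOG.replace("2020-11-26-15-24-33", "2020-11-26-15-42-56")

# A genuinely different log: one column renamed in the #fields line.
DRIFTED_LOG = CI_OUTPUT_LOG.replace("\tsrc_ip\t", "\tsource_ip\t")

# Header lines whose value is the time of the run, not a property of the data.
_VOLATILE = re.compile(r"^#(open|close)(\s|$)")


def _decode_separator(token: str) -> str:
    """Zeek writes the separator escaped, e.g. '\\x09' for a tab."""
    return token.encode("ascii").decode("unicode_escape")


def parse_zeek_header(text: str) -> Dict[str, List[str]]:
    """Parse '#key<sep>value' header lines into a dict of value lists.

    The #separator line is special: a single space follows the key and the
    escaped separator after it defines how every later header line is split.
    """
    sep = "\t"
    header: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.startswith("#"):
            continue  # data row, not part of the header
        if line.startswith("#separator "):
            sep = _decode_separator(line[len("#separator "):])
            header["#separator"] = [sep]
            continue
        key, _, rest = line.partition(sep)
        header[key] = rest.split(sep) if key in ("#fields", "#types") else [rest]
    return header


def normalize(text: str) -> List[str]:
    """Return the log lines without the run-dependent #open/#close stamps."""
    return [line for line in text.splitlines() if not _VOLATILE.match(line)]


def zeek_logs_equal(expected: str, actual: str) -> Tuple[bool, List[str]]:
    """Compare two logs modulo the volatile stamps; return (equal, unified diff)."""
    diff = list(difflib.unified_diff(
        normalize(expected), normalize(actual),
        fromfile="expected", tofile="actual", lineterm=""))
    return (not diff, diff)


if __name__ == "__main__":
    ok, diff = zeek_logs_equal(REFERENCE_LOG, CI_OUTPUT_LOG)
    print("timestamps only:", "match" if ok else "\n".join(diff))
    ok, diff = zeek_logs_equal(REFERENCE_LOG, DRIFTED_LOG)
    print("renamed column:", "match" if ok else "\n".join(diff))
```

The comparison keeps every other header line, so a renamed or reordered column in `#fields` still fails the test; only the two stamps are treated as noise. Parsing the separator from the `#separator` line rather than hard-coding a tab keeps the check correct for logs written with a different separator.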
Looks good to me
📔 Description
This PR lifts the restriction of the Zeek writer to only dump Zeek events. There is no conceptual limitation, but VAST had an assertion that prevented rendering data other than Zeek events.
📝 Checklist
🎯 Review Instructions
Commit-by-commit.