Posted to issues@metron.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2016/10/06 18:16:20 UTC

[jira] [Commented] (METRON-488) Snort should use a proper CSV implementation

    [ https://issues.apache.org/jira/browse/METRON-488?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15552710#comment-15552710 ] 

ASF GitHub Bot commented on METRON-488:
---------------------------------------

GitHub user cestella opened a pull request:

    https://github.com/apache/incubator-metron/pull/297

    METRON-488: Snort should use a proper CSV implementation

    Right now if you have a custom snort rule (e.g. alert tcp any any -> any any (msg:'snort alert message having a ,(comma) to check csv parsing'; sid:999158; ) ) the snort parser will fail to parse because it's splitting on the comma naively.
    It should use the existing CSV parsing infrastructure that we have and that is used in the CSVParser.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/cestella/incubator-metron snort_delim_bug

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/incubator-metron/pull/297.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #297
    
----
commit f0a57334d0d80e298e5ea25f1b114ae0d6db4b11
Author: cstella <ce...@gmail.com>
Date:   2016-10-06T18:14:46Z

    Updating the snort parser to use the CSVExtractor infrastructure, which is a thin layer on top of OpenCSV

----


> Snort should use a proper CSV implementation
> --------------------------------------------
>
>                 Key: METRON-488
>                 URL: https://issues.apache.org/jira/browse/METRON-488
>             Project: Metron
>          Issue Type: Bug
>            Reporter: Casey Stella
>            Assignee: Casey Stella
>   Original Estimate: 2h
>  Remaining Estimate: 2h
>
> Right now if you have a custom snort rule (e.g. alert tcp any any -> any any (msg:'snort alert message having a ,(comma) to check csv parsing'; sid:999158; ) ) the snort parser will fail to parse because it's splitting on the comma naively.
> It should use the existing CSV parsing infrastructure that we have and that is used in the CSVParser.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
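
Added example, not part of the original message and not Metron's code: the failure described in the issue, a naive comma split beside a quote-aware CSV parse, written in Python rather than the Java CSVExtractor/OpenCSV path the commit mentions. The sample alert line, its shortened column list and the double-quoted msg field are assumptions constructed for illustration; only the msg text and sid come from the rule quoted in the report.

```python
import csv

# Assumed, shortened column layout for this illustration (a real Snort CSV
# alert line carries more columns than this).
FIELDS = ["timestamp", "sig_generator", "sig_id", "sig_rev", "msg",
          "protocol", "ip_src_addr", "ip_src_port", "ip_dst_addr", "ip_dst_port"]

# Constructed sample line; msg text and sid are taken from the rule in the report.
SAMPLE = ('10/06-18:14:46.000000 ,1,999158,0,'
          '"snort alert message having a ,(comma) to check csv parsing",'
          'TCP,10.0.2.2,56642,10.0.2.15,22')


def naive_split(line):
    """The failing behaviour: split on every comma, quoted or not."""
    return [f.strip() for f in line.split(",")]


def csv_split(line):
    """Quote-aware split: commas inside double quotes stay in the field."""
    row = next(csv.reader([line], delimiter=",", quotechar='"'))
    return [f.strip() for f in row]


def to_record(values):
    """Map values onto FIELDS, rejecting a line whose column count is off
    instead of silently shifting every field after msg."""
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    return dict(zip(FIELDS, values))


def parse_alert(line):
    """Parse one alert line with the quote-aware splitter."""
    return to_record(csv_split(line))


if __name__ == "__main__":
    print(len(naive_split(SAMPLE)), "fields from the naive split")
    print(len(csv_split(SAMPLE)), "fields from the CSV reader")
    print(parse_alert(SAMPLE)["msg"])
```

The column-count check in `to_record` matters for detection pipelines: without it, a naive split would place the tail of the message in the protocol column and shift the addresses and ports, producing a plausible-looking but wrong alert record.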