Skip to content

Latest commit

 

History

History
280 lines (258 loc) · 8.21 KB

README.md

File metadata and controls

280 lines (258 loc) · 8.21 KB

vue-cef-viewer

Parse a raw Common Event Format (CEF) log message and show it in a tabular view using Vue.js.

Performs the following validations:

  • User-defined extension name format
  • String length
  • Integer value range
  • Long value range
  • MAC Address format
  • IPv4 and IPv6 format

Try it online at https://klasen.github.io/vue-cef-viewer/.

Sample

Field Value Comment
Input
Raw
Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|Detected a =\\\||10|src=10.0.0.1 shost=10.0.0.1 msg=Detected a \=\\|.\n No action needed dmac=00-0D-60-AF-1B-61 cs2=WIFI cs2Label=SSID art=1 threatAttackID=T1132
CEF Header
Version
0
DeviceVendor
security
DeviceProduct
threatmanager
DeviceVersion
1.0
SignatureID
100
Name
Detected a =\|
Severity
10
CEF Extensions
art
1
  • agentReceiptTime
  • Time Stamp
  • The time at which information about the event was received by the ArcSight connector.
  • Consumer extension from CEF specification 0.1
  • 1970-01-01T00:00:00.001Z
cs2
WIFI
  • deviceCustomString2
  • Producer extension from CEF specification 0.1
  • String[4000]
  • One of the six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
cs2Label
SSID
  • deviceCustomString2Label
  • Producer extension from CEF specification 0.1
  • String[1023]
  • All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
dmac
00-0D-60-AF-1B-61
  • deviceMacAddress
  • Producer extension from CEF specification 0.1
  • MAC Address
  • Six colon-separated hexadecimal numbers. Example: “00:0D:60:AF:1B:61”
  • Invalid format
msg
Detected a =\|.
 No action needed
  • message
  • Producer extension from CEF specification 0.1
  • String[1023]
  • An arbitrary message giving more details about the event. Multi-line entries can be produced by using \n as the new line separator.
shost
10.0.0.1
  • sourceHostName
  • Producer extension from CEF specification 0.1
  • String[1023]
  • Identifies the source that an event refers to in an IP network. The format should be a fully qualified domain name (DQDN) associated with the source node, when a mode is available. Examples:  “host” or “host.domain.com”.
src
10.0.0.1
  • sourceAddress
  • Producer extension from CEF specification 0.1
  • IPv4 Address
  • Identifies the source that an event refers to in an IP network. The format is an IPv4 address. Example: “192.168.10.1”.
threatAttackID
T1132
  • Threat Attack ID
  • String[32]
  • A full ID of a threat or attack as defined in the security framework in frameworkName.
  • Consumer extension from CEF specification 1.2
CEF Extensions by Label
SSID
WIFI

Project setup

npm install

Scrape CEF meta-data

Scrape CEF implementation standard and save producer and consumer extension dictionaries as JSON and CSV.

node ./docs/scrape.js > ./docs/fixes.txt

Compare CEF Implementation Standard and Flexconn Devguide

Generate a html side by side comparison of the CSV files for both documents using diff2html-cli.

On the spec-vs-devguide branch:

  1. Scrape metadata
  2. Commit /docs/*.csv
  3. Copy docs/extensions-dictionary-flexconn_devguide-for-comparison.csv to docs/extensions-dictionary-for-comparison.csv
  4. Create diff
node ./docs/scrape.js > ./docs/fixes.txt
git commit -m "Update scraped metadata" docs/*.html docs/*.csv docs/fixes.txt src/components/extension-dictionary.json
cp ./docs/extension-dictionary-flexconn_devguide-for-comparison.csv ./docs/extension-dictionary-for-comparison.csv
diff2html --style side --title "CEF Implementation Standard vs. Flexconn Devguide" --matchWordsThreshold 0.1 --fileContentToggle false --file docs/cef-implementation-standard_vs_flexconn-devguide.html

Compiles and hot-reloads for development

npm run dev

Compiles and minifies for production

npm run build

Deploy to production

# initial
git subtree push --prefix dist origin gh-pages
# on updates
npm run deploy