CEF parser can't parse values enclosed in quotes with unescaped =

[DevMet1]

I had Cisco Firepower extension part of CEF that looked similar to this.

act=qew app=qwe bytesin=11 bytesout=11 request="http://test.com:443/test/server_ping.php?ip=127.0.0.1\|cat%20/etc/passwd>../../2e.txt&id=1"

They enclosed value in quotes instead of escaping "=" symbols.

I would propose to use this regex ([^=\s]+)=((?:[\\]=|[^="])+|"[^"]+")(?:\s|$)
there

jc/jc/parsers/cef.py

Line 218 in ee3b873

spl = re.findall(r'([^=\s]+)=((?:[\\]=|[^=])+)(?:\s|$)', extension)

And trim possible quotes in normalization
item[key] = value.strip(string.whitespace+'"')

jc/jc/parsers/cef.py

Line 354 in ee3b873

item[key] = value.strip()

Obviously I can miss some edge cases with this regex so feel free to correct me :)

[kellyjonbrazil]

Hi, thanks for reporting this! I'm wondering if this will only work for the last quote enclosed value? Will this work if there are multiple quote enclosed values or if the value is in between other values?

[DevMet1]

Sorry, missed the message. You probably already tested it, but it should work fine.

[kellyjonbrazil]

Looks good, thanks! I'll get this in the next release.