
Bug #3927

closed

Alert "fileinfo" array conflicts with "fileinfo" event type

Added by Jeff Lucovsky about 2 years ago. Updated almost 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
low
Difficulty:
Label:

Description

Legacy reporting/mining from eve.json using just "fileinfo" can run into issues since there are now multiple fileinfo objects:
1. Fileinfo object (event type fileinfo) containing a single entry
2. Fileinfo object (event type alert) containing a fileinfo array.

Usages like "cat eve.json | jq -c 'select(.fileinfo)|.fileinfo.filename'" must change to "cat eve.json|jq -c 'select(.event_type=="fileinfo").fileinfo.filename'"

To retain support for existing users, the fileinfo object in the alert will be renamed to "files".
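As an added illustration of the conflict described in this ticket (example code, not Suricata's own and not from the reporter), the reader below extracts filenames from eve.json lines while treating the single `fileinfo` object of a `fileinfo` event and the array carried by an `alert` (under the new `files` key, with the older `fileinfo` array still accepted) separately; the legacy one-key lookup is shown failing on the array. The eve.json lines are constructed, and it is assumed that each fileinfo object carries a `filename` key.

```python
import json
from typing import Iterator, List, Tuple

# Constructed sample eve.json lines (not real Suricata output): a "fileinfo"
# event with a single object, an alert using the renamed "files" array, a
# legacy alert still using a "fileinfo" array, and an unrelated http event.
SAMPLE_EVE = """\
{"event_type":"fileinfo","src_ip":"10.0.0.5","fileinfo":{"filename":"/a.exe","size":1024}}
{"event_type":"alert","src_ip":"10.0.0.6","alert":{"signature_id":1},"files":[{"filename":"/b.pdf","size":10},{"filename":"/c.zip","size":20}]}
{"event_type":"alert","src_ip":"10.0.0.7","alert":{"signature_id":2},"fileinfo":[{"filename":"/d.doc","size":30}]}
{"event_type":"http","src_ip":"10.0.0.8","http":{"hostname":"example.invalid"}}
"""


def iter_fileinfo(lines) -> Iterator[Tuple[str, dict]]:
    """Yield (event_type, fileinfo_object) for every file record, keyed on
    event_type rather than on the mere presence of a "fileinfo" key."""
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        etype = ev.get("event_type")
        if etype == "fileinfo":
            fi = ev.get("fileinfo")
            if isinstance(fi, dict):
                yield etype, fi
        elif etype == "alert":
            # Post-rename key is "files"; fall back to the older "fileinfo" array.
            arr = ev.get("files", ev.get("fileinfo"))
            if isinstance(arr, list):
                for fi in arr:
                    if isinstance(fi, dict):
                        yield etype, fi


def filenames(text: str) -> List[Tuple[str, str]]:
    """Event-type-aware equivalent of the corrected jq filter, extended to alerts."""
    return [(e, fi.get("filename", "")) for e, fi in iter_fileinfo(text.splitlines())]


def legacy_filenames(text: str) -> List[str]:
    """The old select(.fileinfo)|.fileinfo.filename idiom: it breaks as soon as
    an alert line is reached, because there .fileinfo is a list, not an object."""
    out = []
    for raw in text.splitlines():
        ev = json.loads(raw)
        if "fileinfo" in ev:
            out.append(ev["fileinfo"]["filename"])  # TypeError on a list
    return out
```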

#1

Updated by Jeff Lucovsky about 2 years ago

  • Status changed from Assigned to In Review
#2

Updated by Victor Julien almost 2 years ago

  • Status changed from In Review to Closed
  • Affected Versions 6.0.0rc1, git master added