Merge branch 'master' of github.com:kamushadenes/cefevent

kamushadenes · Nov 3, 2023 · c85e51d · c85e51d
2 parents 950e79d + f7635c5
commit c85e51d
Show file tree

Hide file tree

Showing 5 changed files with 39 additions and 27 deletions.
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
@@ -8,10 +8,10 @@ jobs:
 
     steps:
       - name: Check out repository code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - name: Setup Python
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@v4
         with:
           python-version: "3.x"
 

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -9,10 +9,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out repository code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - name: Set up Python
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@v4
         with:
           python-version: '3.x'
 

diff --git a/cefevent/event.py b/cefevent/event.py
@@ -48,8 +48,20 @@ def load(self, headers: List[AnyStr], fields: List[Any]):
     def _validate_field_value(self, field: AnyStr, value: Any):
         obj = self._reverse_extension_dictionary[field]
 
+        # Handle special case of ports
+        if obj["full_name"].endswith("Port"):
+            try:
+                value = int(value)
+            except:
+                return False
+            if not 0 <= value <= 65535:
+                return False
+            return value
+
         for dt in obj["data_type"]:
             if dt in ["Integer", "Long"]:
+                if dt == "Integer" and value > 2**31-1:
+                    continue
                 try:
                     return int(value)
                 except:

diff --git a/cefevent/extensions.py b/cefevent/extensions.py
@@ -158,7 +158,7 @@
     "cs1": {
         "full_name": "deviceCustomString1",
         "data_type": ["String"],
-        "length": 1023,
+        "length": 4000,
         "description": "There are six strings available which can be used to map fields which do not fit into any other field of this dictionary. If possible, these fields should not be used, but a more specific field from the dictionary. Also check the guidelines later in this document for hints about utilizing these fields.",
     },
     "cs1Label": {
@@ -170,7 +170,7 @@
     "cs2": {
         "full_name": "deviceCustomString2",
         "data_type": ["String"],
-        "length": 1023,
+        "length": 4000,
         "description": "There are six strings available which can be used to map fields which do not fit into any other field of this dictionary. If possible, these fields should not be used, but a more specific field from the dictionary. Also check the guidelines later in this document for hints about utilizing these fields.",
     },
     "cs2Label": {
@@ -182,7 +182,7 @@
     "cs3": {
         "full_name": "deviceCustomString3",
         "data_type": ["String"],
-        "length": 1023,
+        "length": 4000,
         "description": "There are six strings available which can be used to map fields which do not fit into any other field of this dictionary. If possible, these fields should not be used, but a more specific field from the dictionary. Also check the guidelines later in this document for hints about utilizing these fields.",
     },
     "cs3Label": {
@@ -194,7 +194,7 @@
     "cs4": {
         "full_name": "deviceCustomString4",
         "data_type": ["String"],
-        "length": 1023,
+        "length": 4000,
         "description": "There are six strings available which can be used to map fields which do not fit into any other field of this dictionary. If possible, these fields should not be used, but a more specific field from the dictionary. Also check the guidelines later in this document for hints about utilizing these fields.",
     },
     "cs4Label": {
@@ -206,7 +206,7 @@
     "cs5": {
         "full_name": "deviceCustomString5",
         "data_type": ["String"],
-        "length": 1023,
+        "length": 4000,
         "description": "There are six strings available which can be used to map fields which do not fit into any other field of this dictionary. If possible, these fields should not be used, but a more specific field from the dictionary. Also check the guidelines later in this document for hints about utilizing these fields.",
     },
     "cs5Label": {
@@ -218,7 +218,7 @@
     "cs6": {
         "full_name": "deviceCustomString6",
         "data_type": ["String"],
-        "length": 1023,
+        "length": 4000,
         "description": "There are six strings available which can be used to map fields which do not fit into any other field of this dictionary. If possible, these fields should not be used, but a more specific field from the dictionary. Also check the guidelines later in this document for hints about utilizing these fields.",
     },
     "cs6Label": {
@@ -308,7 +308,7 @@
     "deviceInboundInterface": {
         "full_name": "deviceInboundInterface",
         "data_type": ["String"],
-        "length": 15,
+        "length": 128,
         "description": "Interface on which the packet or data entered the device.",
     },
     "deviceMacAddress": {
@@ -326,7 +326,7 @@
     "deviceOutboundInterface": {
         "full_name": "deviceOutboundInterface",
         "data_type": ["String"],
-        "length": 15,
+        "length": 128,
         "description": "Interface on which the packet or data left the device.",
     },
     "deviceProcessName": {
@@ -347,12 +347,6 @@
         "length": 1023,
         "description": 'Identifies the destination that an event refers to in an IP network. The format should be a fully qualified domain name associated with the destination node, when a node is available. Examples: "host.domain.com" or "host".',
     },
-    "dhost": {
-        "full_name": "DestinationHostName",
-        "data_type": ["String"],
-        "length": 1023,
-        "description": 'Identifies the source that an event refers to in an IP network. The format should be a fully qualified domain name associated with the "destination node, when a node is available. Examples: "host.domain.com" or "host".',
-    },
     "dmac": {
         "full_name": "destinationMac",
         "data_type": ["MAC Address"],
@@ -395,6 +389,12 @@
         "length": 0,
         "description": 'Identifies destination that the event refers to in an IP network. The format is an IPv4 address. Example: "192.168.10.1"',
     },
+    "dtz": {
+        "full_name": "deviceTimeZone",
+        "data_type": ["String"],
+        "length": 255,
+        "description": 'The timezone for the device generating the event.',
+    },
     "duid": {
         "full_name": "destinationUserId",
         "data_type": ["String"],
@@ -479,37 +479,37 @@
         "length": 1023,
         "description": "Type of file (pipe, socket, etc.)",
     },
-    "fd1": {
+    "flexDate1": {
         "full_name": "flexDate1",
         "data_type": ["TimeStamp"],
         "length": 0,
         "description": "A timestamp field available to map a timestamp that does not apply to any other defined timestamp field in this dictionary. Use all flex fields sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary.",
     },
-    "fd1Label": {
+    "flexDate1Label": {
         "full_name": "flexDate1Label",
         "data_type": ["String"],
         "length": 128,
         "description": "The label field is a string and describes the purpose of the flex field.",
     },
-    "fs1": {
+    "flexString1": {
         "full_name": "flexString1",
         "data_type": ["String"],
         "length": 1023,
         "description": "One of four floating point fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary.",
     },
-    "fs1Label": {
+    "flexString1Label": {
         "full_name": "flexString1Label",
         "data_type": ["String"],
         "length": 128,
         "description": "The label field is a string and describes the purpose of the flex field.",
     },
-    "fs2": {
+    "flexString2": {
         "full_name": "flexString2",
         "data_type": ["String"],
         "length": 1023,
         "description": "One of four floating point fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary.",
     },
-    "fs2Label": {
+    "flexString2Label": {
         "full_name": "flexString2Label",
         "data_type": ["String"],
         "length": 128,

diff --git a/setup.py b/setup.py
@@ -8,13 +8,13 @@
 setup(
     name="cefevent",
     packages=["cefevent"],
-    version="0.5.4",
+    version="0.5.6",
     description="ArcSight Common Event Format library",
     long_description=long_description,
     long_description_content_type="text/markdown",
-    author="Kamus Hadenes",
+    author="Henrique Goncalves",
     author_email="kamus@hadenes.io",
     url="https://github.com/kamushadenes/cefevent",
-    download_url="https://github.com/kamushadenes/cefevent/tarball/0.5.4",
+    download_url="https://github.com/kamushadenes/cefevent/tarball/0.5.6",
     keywords=["logging", "cef", "arcsight", "event", "security"],
 )