Skip to content

Feat/rework ddos vulnerable parsers#3130

Merged
sbylica-splunk merged 10 commits into
developfrom
feat/rework_ddos_vulnerable_parsers
Jul 10, 2026
Merged

Feat/rework ddos vulnerable parsers#3130
sbylica-splunk merged 10 commits into
developfrom
feat/rework_ddos_vulnerable_parsers

Conversation

@sbylica-splunk

@sbylica-splunk sbylica-splunk commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

This should fix polynomial run time for both parsers, on top of that it turns out they were both actually kind of bugged.
Cef parser would look for '=' sigh to split key/value pairs, even if this sign was part of url passed as a string, now it should work properly.

EDIT: Sonarqube scan doesn't show the two issues mentioned after scanning this branch anymore.

renovate Bot and others added 3 commits July 2, 2026 14:30
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
The feature commit accidentally committed unresolved stash conflict markers
into parser_cef.py, making it invalid Python. Resolves to _parse_cef_ext().

Also fixes an O(n²) scan in _parse_cef_ext: when the key scanner reaches
end-of-string with no '=' remaining, the old code rewound to start+1 and
rescanned — degenerating to quadratic on '='-free input. Now breaks out of
the loop immediately.

Co-Authored-By: Claude <noreply@anthropic.com>
@sbylica-splunk sbylica-splunk force-pushed the feat/rework_ddos_vulnerable_parsers branch from dcdf117 to f9c7db0 Compare July 2, 2026 12:30
sbylica-splunk and others added 4 commits July 2, 2026 15:06
Replace the imperative _split_alert_text scanner with one non-backtracking
regex (`([^:;]+):\s*([^;]*)`) that extracts all "key: value" pairs directly,
mirroring the finditer idiom already used in parser_kvqf. Leading prose is
split off the first key with rfind, no greedy regex.

This also fixes a latent bug: the old `^(.*[.!?])?(.*:.*)` regex split the kv
body at the last '.' before a colon, so any value containing a '.' (e.g. an
FQDN like REDACTEDHOST.ABC.EFG.CORP) was split mid-value and the downstream
`split(": ")` raised ValueError, failing the whole event. Add that real-world
log as a test case and assert on an extracted AlertTextValues.* field.

Co-Authored-By: Claude <noreply@anthropic.com>
The CEF extension is a documented format (space-separated key=value pairs
with '\=' escaping in-value equals), so replace the ~60-line hand-rolled
scanner with a bounded, backtrack-free key regex plus positional value
slicing. This keeps the SonarQube S5852 fix while matching the finditer
idiom used in parser_kvqf.

Verified against real Imperva/ArcSight/Trellix logs and 100k spec-compliant
fuzz inputs (0 mismatches vs the original regex); pathological inputs run in
milliseconds. The one intentional behavior change is on spec-violating input:
a bare (unescaped) '=' inside a value no longer splits the value into a bogus
key, e.g. cs8=http://h/x?action=down is kept intact instead of yielding a
spurious "action" field.

Co-Authored-By: Claude <noreply@anthropic.com>
@sbylica-splunk sbylica-splunk marked this pull request as ready for review July 3, 2026 12:44
@sbylica-splunk sbylica-splunk merged commit fa1ba16 into develop Jul 10, 2026
23 checks passed
@sbylica-splunk sbylica-splunk deleted the feat/rework_ddos_vulnerable_parsers branch July 10, 2026 08:50
@github-actions github-actions Bot locked and limited conversation to collaborators Jul 10, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants