CEF parser doesn't handle extension field ending in an empty string

If a CEF message field has zero-length and is the last field in the message, the CEF parser fails to parse the message:

```
$ cat cef.rulebase
rule=:%cef:cef%

$ cat cef-msg 
CEF:0|My Vendor|My Product|My Version|blah|My Activity|1| field1=foo field2=bar field3=

$ < cef-msg lognormalizer -r cef.rulebase
{ "originalmsg": "CEF:0|My Vendor|My Product|My Version|blah|My Activity|1| field1=foo field2=bar field3=", "unparsed-data": "CEF:0|My Vendor|My Product|My Version|blah|My Activity|1| field1=foo field2=bar field3=" }
```

If I add a trailing space character to cef-msg (so that the `=` character is not the final character in `cef-msg`, the message parses OK:

```
$ < cef-msg lognormalizer -r cef.rulebase 
{ "cef": { "DeviceVendor": "My Vendor", "DeviceProduct": "My Product", "DeviceVersion": "My Version", "SignatureID": "blah", "Name": "My Activity", "Severity": "1", "Extensions": { "field1": "foo", "field2": "bar", "field3": " " } } }
```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

CEF parser doesn't handle extension field ending in an empty string #381

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

CEF parser doesn't handle extension field ending in an empty string #381

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions