Added support for JSON containing multiple events #2545
base: develop
Conversation
Do you have an example feed at hand (so we can extract an example for the tests, add it to the docs)? To my knowledge no documented feed is using such a format.
```python
    def process(self):
        report = self.receive_message()
        if self.splitlines:
            if self.multiple_events:
                lines = [json.dumps(event) for event in json.loads(base64_decode(report['raw']))]
```
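Review bot: the result of `json.loads(base64_decode(report['raw']))` is iterated without checking its type, so a feed that wraps a single event in a top-level object instead of an array would iterate over the object's field names, and `json.dumps(event)` would then emit each key as a quoted string rather than an event; guard with an `isinstance(..., list)` check (treating a lone dict as one event) and consider passing the parsed dicts on directly instead of re-serialising each one with `json.dumps` only to have the line-oriented path parse it again, which also removes the decode/encode round trip raised in review.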
Converting the data forth and back appears to be inefficient.
Yeah, could imagine this. Any tips to do this a proper way?
Currently this PR is running in our production and works just fine, but I agree that the double JSON conversion isn't the most efficient way to do this.
Our National Cyber Security Centre (NCSC) is sending us "IntelMQ JSONs" in a ZIP file by mail. Here's an example (I tried to anonymise most values):
Currently the `intelmq.bots.parsers.json.parser` is only able to parse either single events in JSON, or multiple events in JSON, each on their own line. This PR contains an option to parse multiple events within a JSON, by adding the `multiple_events` (boolean) to the config.
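The two input layouts the description contrasts (one JSON object per line versus one JSON document holding an array of events), handled in a single parsing routine, as an added example that is not IntelMQ's code and not part of the PR. It assumes the report body arrives base64-encoded as in the `raw` field and uses the standard library's `base64` module as a stand-in for the project's own helper; the sample events below are constructed. Unlike the snippet under review it hands the parsed dicts on directly, and it treats a lone top-level object as one event rather than iterating over its field names.

```python
import base64
import json
from typing import Any, Dict, Iterator, List

Event = Dict[str, Any]


def decode_raw(raw_b64: str) -> str:
    """Decode the base64 report body (stand-in for IntelMQ's helper, assumed here)."""
    return base64.b64decode(raw_b64).decode("utf-8")


def iter_events(text: str, multiple_events: bool = False) -> Iterator[Event]:
    """Yield one parsed event per record.

    multiple_events=False: newline-delimited JSON, one object per line.
    multiple_events=True:  one JSON document holding an array of objects.
    In both modes a single top-level object counts as exactly one event, and
    parsed dicts are yielded as-is: no dumps()/loads() round trip.
    """
    if multiple_events:
        data = json.loads(text)
        if isinstance(data, dict):
            yield data  # a lone object is one event, not a sequence of field names
            return
        if not isinstance(data, list):
            raise ValueError(f"expected a JSON array of events, got {type(data).__name__}")
        for index, event in enumerate(data):
            if not isinstance(event, dict):
                raise ValueError(f"element {index} is {type(event).__name__}, not an object")
            yield event
        return

    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue  # tolerate blank lines and a trailing newline
        event = json.loads(line)
        if not isinstance(event, dict):
            raise ValueError(f"line {lineno} is {type(event).__name__}, not an object")
        yield event


def parse_report(text: str, multiple_events: bool = False) -> List[Event]:
    """Collect every event from an already-decoded report body."""
    return list(iter_events(text, multiple_events))


# Constructed sample data (not taken from the PR): the same two events in both layouts.
NDJSON_SAMPLE = (
    '{"feed.name": "constructed-feed", "classification.type": "scanner", "source.ip": "192.0.2.10"}\n'
    '{"feed.name": "constructed-feed", "classification.type": "brute-force", "source.ip": "192.0.2.11"}\n'
)
ARRAY_SAMPLE = """[
  {"feed.name": "constructed-feed", "classification.type": "scanner", "source.ip": "192.0.2.10"},
  {"feed.name": "constructed-feed", "classification.type": "brute-force", "source.ip": "192.0.2.11"}
]"""
# What the bot would actually receive: the array document base64-encoded in report['raw'].
RAW_B64_SAMPLE = base64.b64encode(ARRAY_SAMPLE.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    per_line = parse_report(NDJSON_SAMPLE)
    as_array = parse_report(decode_raw(RAW_B64_SAMPLE), multiple_events=True)
    assert per_line == as_array  # both layouts yield identical event dicts
    for event in as_array:
        print(event["classification.type"], event["source.ip"])
```

Both layouts produce the same list of dicts, so whatever the bot does next with an event (harmonisation, sending) needs no knowledge of which layout the feed used; malformed input (a non-array document, or a non-object element) fails with a ValueError naming the offending element or line instead of silently producing bogus events.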