CSV::MalformedCSVError: Missing or stray quote in line 1

Hello,

I've read the previous posts on this topic (and related ones), but I still have problems with CSV files containing Windows command lines...

For example:

98792634295,https://falcon.eu-1.crowdstrike.com/activity/detections/detail/c8f40744186d43739a9b72f82e2aa106/98792634295?_cid=g05000k572ygsff5eixlh2sit7t5zyya,Execution,Oct 12 2023 16:30:02,1,User Execution,Document Access In A Detection Summary Event,10.130.205.24,HOST17243071,SYSTEM,NT AUTHORITY,c8f40744186d43739a9b72f82e2aa106,Oct 12 2023 16:30:03,1051354163730,306857,CymulateAgent.db-journal,\Device\HarddiskVolume4\ProgramData\Cymulate\Agent\Settings,"C:\Program Files\Cymulate\Agent\Executor\109.0\Cymulate.Agent.Executor.exe" "C:\Program Files\Cymulate\Agent\Executor\109.0\Routines_Sync_Agent_Smtp_Default.sargs",1

# offending field:
"C:\Program Files\Cymulate\Agent\Executor\109.0\Cymulate.Agent.Executor.exe" "C:\Program Files\Cymulate\Agent\Executor\109.0\Routines_Sync_Agent_Smtp_Default.sargs"

The "offending" field is the penultimate one (all the files open correctly in Excel).
The field is not quoted, as the " are part of the filenames, and it doesn't contain any field separator, but the csv plugin rejects it with :exception=>#<CSV::MalformedCSVError: Missing or stray quote in line 1>

I could "fix" this kind of problem by replacing the boundary double quotes:

filter {
  . . .
  mutate { gsub => [ "message", '#', "!!-hash-!!" ] }
  mutate { gsub => [ "message", ',"""', ",#" ] }
  mutate { gsub => [ "message", ',""', ",#" ] }
  mutate { gsub => [ "message", ',"', ",#" ] }
  mutate { gsub => [ "message", '""",', "#," ] }
  mutate { gsub => [ "message", '"",', "#," ] }
  mutate { gsub => [ "message", '",', "#," ] }
  . . .
  csv {
    . . .
    quote_char => "#"
  }
  mutate { gsub => [ "cs_command_line", "!!-hash-!!", "#" ] }
}

But this breaks for lines like the following:

9031384190,https://falcon.eu-1.crowdstrike.com/activity/detections/detail/47f5a52e7bd04162816398ba2ac3a684/9031384190?_cid=g05000k572ygsff5eixlh2sit7t5zyya,Execution,Nov 04 2023 01:52:53,1,User Execution,Document Access In A Detection Summary Event,10.130.205.24,HOST17243071HOST17243071$,AD00,47f5a52e7bd04162816398ba2ac3a684,Nov 04 2023 01:52:31,14646872541,336010,0KUU3Z.txt,\Device\HarddiskVolume4\ProgramData\Cymulate\Agent\AttacksLogs\EDR\654509cef2b7e88fc91b0712\Encryption_backup\0802dba406b93673f59fe3404ac18f97,"""rundll32"" ""C:\Program Files\Cymulate\EDR_Attacks\654509cef2b7e88fc91b0712\799abfc2e733561733a1e7b1c51a6036_RUNDLL32_nativeransomwarefixedkeywinaesoverwrite.dll"",rundll32EntryPoint",1

# the "offending field" being
"""rundll32"" ""C:\Program Files\Cymulate\EDR_Attacks\654509cef2b7e88fc91b0712\799abfc2e733561733a1e7b1c51a6036_RUNDLL32_nativeransomwarefixedkeywinaesoverwrite.dll"",rundll32EntryPoint"

and in this case the error becomes:
:exception=>#<CSV::MalformedCSVError: Illegal quoting in line 1.>

Any suggestion?

Regards,
Paolo

PS (logstash 7.17)

Solved using dissect + grok:

dissect { mapping => {
  "message" => "%{field_1},%{field_2},   . . . %{skip_etc_field}"
} }
if [skip_etc_field] {
  grok {
    match => { "skip_etc_field" => "%{GREEDYDATA:cs_command_line},%{NUMBER:counter}" }
  }
}
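As an added example (mine, not Paolo's configuration and not Logstash project code), the following Ruby script reproduces both failure cases outside Logstash and implements the same idea as the dissect + grok answer: try a strict RFC 4180 parse first (the csv filter wraps Ruby's CSV library), and when the library rejects the line, or the column count is off, fall back to splitting a known number of leading fields by position and peeling the trailing counter off at the last comma. The column names, the two sample lines and the "17 fixed fields, then command line, then counter" layout are assumptions modelled on the lines in the post; the samples are constructed and shortened. The second sample reproduces the `"""rundll32"" ""...""",...` form, which is a correctly quoted CSV field (inner quotes doubled), so the strict parser accepts it as long as nothing has rewritten the quotes beforehand.

```ruby
require 'csv'

# Column names are an assumption for this example: the export in the post has
# 17 plain fields, then a command line, then a numeric counter.
FIXED_FIELDS = %w[
  detect_id url tactic detect_time severity technique description
  local_ip hostname user_name user_domain composite_id process_time
  process_id parent_id file_name file_path
].freeze

# Constructed sample 1: the command line is NOT CSV-quoted, but the file
# names inside it carry their own double quotes (the "stray quote" case).
BARE_QUOTES_LINE =
  '98792634295,https://example.invalid/detail/1,Execution,Oct 12 2023 16:30:02,1,' \
  'User Execution,Document Access,10.0.0.24,HOST1,SYSTEM,NT AUTHORITY,abc123,' \
  'Oct 12 2023 16:30:03,1051354163730,306857,agent.db-journal,' \
  '\Device\HarddiskVolume4\ProgramData\Agent,' \
  '"C:\Program Files\Agent\Executor.exe" "C:\Program Files\Agent\Default.sargs",1'

# Constructed sample 2: the command line contains a comma, so the exporter
# CSV-quoted the whole field and doubled the inner quotes (valid RFC 4180).
QUOTED_LINE =
  '9031384190,https://example.invalid/detail/2,Execution,Nov 04 2023 01:52:53,1,' \
  'User Execution,Document Access,10.0.0.24,HOST1,HOST1$,AD00,def456,' \
  'Nov 04 2023 01:52:31,14646872541,336010,0KUU3Z.txt,' \
  '\Device\HarddiskVolume4\ProgramData\Agent\Logs,' \
  '"""rundll32"" ""C:\Program Files\EDR_Attacks\sample.dll"",rundll32EntryPoint",1'

# Strict RFC 4180 parse, which is what the Logstash csv filter does underneath.
# Returns the field array, or nil when the CSV library rejects the line.
def strict_csv_fields(line)
  CSV.parse_line(line)
rescue CSV::MalformedCSVError
  nil
end

# Positional fallback, the same idea as dissect + grok: the fixed columns never
# contain a comma or a quote, so split exactly that many off by count, then
# peel the trailing counter off the remainder at its last comma. The command
# line is returned verbatim, quotes and all.
def positional_fields(line, fixed: FIXED_FIELDS.size)
  parts = line.split(',', fixed + 1)
  return nil if parts.size < fixed + 1
  remainder = parts.pop
  command_line, sep, counter = remainder.rpartition(',')
  return nil if sep.empty?
  parts + [command_line, counter]
end

# Try the strict parser first so properly quoted command lines are unescaped;
# fall back to positional splitting when the parser raises or the column count
# is off. Returns a hash, or nil if neither strategy fits the layout.
def parse_detection(line)
  fields = strict_csv_fields(line)
  parser = 'csv'
  unless fields && fields.size == FIXED_FIELDS.size + 2
    fields = positional_fields(line)
    parser = 'positional'
  end
  return nil unless fields
  record = Hash[FIXED_FIELDS.zip(fields)]
  record['cs_command_line'] = fields[-2]
  record['counter'] = fields[-1]
  record['parser'] = parser
  record
end

if __FILE__ == $PROGRAM_NAME
  [BARE_QUOTES_LINE, QUOTED_LINE].each do |line|
    rec = parse_detection(line)
    puts "#{rec['parser']}: #{rec['cs_command_line']}"
  end
end
```

The fallback is only safe because the leading columns of this export are free of separators and quotes; if a later export adds a free-text column before the command line, the count check in `parse_detection` is what stops a misaligned record from being stored silently.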
