Numerous sensors log in different formats. The parser should normalize at least the following subset of fields to the following Metron JSON naming conventions:
| Description | Field Name | Field Value |
|---|---|---|
| Any field containing a source IP address | ip_src_addr | Octets (xxx.xxx.xxx.xxx) |
| Any field containing a destination IP address | ip_dst_addr | Octets (xxx.xxx.xxx.xxx) |
| Any field containing a source port | ip_src_port | Integer |
| Any field containing a destination port | ip_dst_port | Integer |
| Any field containing a protocol | protocol | String as a protocol, all caps. So if protocol = 6, value should be TCP |
| Timestamp | timestamp | Epoch timestamp (timestamp comes from sensor, not parser) |
| Message Type | source.type | yaf|snort|bro|etc... |
| Timestamp | start_time | Epoch timestamp |
| Timestamp | end_time | Epoch timestamp |