
Fix error in sshd decoder when username is one or more blank spaces #720

Open
wants to merge 1 commit into
base: master

Conversation

sergiospa
Contributor

@sergiospa sergiospa commented Jul 6, 2020

Hi team,

This PR aims to fix an error in the sshd decoder. When srcuser is one or more blank spaces, it is not extracted from the log, and srcip is not extracted either.

The change I made has been tested under the following usernames:

  • test.
  • test2test.
  • ' ' - one blank space.
  • ' ' - 5 blank spaces (Github won't let me show them correctly)

The results have been good. All fields are extracted:

```
       log: 'Invalid user test from 11.0.0.27 port 55140'

**Phase 2: Completed decoding.
       decoder: 'sshd'
       srcuser: 'test'
       srcip: '11.0.0.27'
       srcport: '55140'
```

```
       log: 'Invalid user test2test from 11.0.0.27 port 55140'

**Phase 2: Completed decoding.
       decoder: 'sshd'
       srcuser: 'test2test'
       srcip: '11.0.0.27'
       srcport: '55140'
```

```
       log: 'Invalid user   from 11.0.0.27 port 55140'

**Phase 2: Completed decoding.
       decoder: 'sshd'
       srcuser: ' '
       srcip: '11.0.0.27'
       srcport: '55140'
```

```
       log: 'Invalid user      from 11.0.0.27 port 55140'

**Phase 2: Completed decoding.
       decoder: 'sshd'
       srcuser: '     '
       srcip: '11.0.0.27'
       srcport: '55140'
```

Regards,
Sergio.

@sergiospa sergiospa self-assigned this Jul 6, 2020
@sergiospa sergiospa added the decoders Decoders related issues label Jul 6, 2020
@NitroCao

NitroCao commented Jul 7, 2020

This regex expression may also need to be modified:

```xml
<regex offset="after_prematch">(\S+) from (\S+)</regex>
```
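As an added illustration (not code from this PR or from the Wazuh ruleset), the script below emulates the failure the comment above points at and one possible anchored alternative. It uses Python's `re` module rather than the OSSEC regex engine, assumes the decoder's prematch has already consumed the literal `Invalid user ` prefix, and the `FIXED` pattern is an assumption of this example, not the PR's actual change.

```python
import re

# Decoder pattern as quoted in the comment above, written in Python syntax.
# \S+ needs at least one non-space character, so a username made only of
# blanks never matches and both srcuser and srcip are left empty.
ORIGINAL = re.compile(r"(\S+) from (\S+)")

# Assumed alternative (not the PR's actual change): anchor on the literal
# "Invalid user " prefix and the " from " separator instead of \S+, so the
# username may be empty or consist only of spaces. The greedy .* takes the
# user up to the last " from ", which is safe because the IP has no spaces.
FIXED = re.compile(r"^Invalid user (.*) from (\S+) port (\d+)$")


def decode_original(log):
    """Emulate the old regex applied after the 'Invalid user ' prematch."""
    prefix = "Invalid user "
    if not log.startswith(prefix):
        return None  # prematch failed; this decoder does not apply
    m = ORIGINAL.search(log[len(prefix):])
    if not m:
        return {}  # decoder matched, but no fields were extracted
    return {"srcuser": m.group(1), "srcip": m.group(2)}


def decode_fixed(log):
    """Anchored variant that also handles blank or empty usernames."""
    m = FIXED.match(log)
    if not m:
        return {}
    return {"srcuser": m.group(1), "srcip": m.group(2), "srcport": m.group(3)}


# Constructed sample events mirroring the four usernames tested in the PR.
SAMPLES = [
    "Invalid user test from 11.0.0.27 port 55140",
    "Invalid user test2test from 11.0.0.27 port 55140",
    "Invalid user " + " " * 1 + " from 11.0.0.27 port 55140",
    "Invalid user " + " " * 5 + " from 11.0.0.27 port 55140",
]

if __name__ == "__main__":
    for log in SAMPLES:
        print(repr(log))
        print("  original:", decode_original(log))
        print("  fixed:   ", decode_fixed(log))
```

Because the old pattern yields no srcip for blank usernames, any rule that correlates on srcip (repeated failed logins from one address) would not see those events, which is why the extraction matters beyond cosmetics.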

@vikman90 vikman90 changed the base branch from master to develop July 31, 2020 12:04
@vikman90 vikman90 changed the base branch from develop to master September 25, 2020 08:15