wazuh-ruleset icon indicating copy to clipboard operation
wazuh-ruleset copied to clipboard

Published 20 hours ago verified publisher icon wazuh

Fix error in ssd decoder when username is one or more blank spaces

Open sergiospa opened this issue 5 years ago • 1 comments
trafficstars

Hi team,

This PR aims to fix an error of the sshd decoder. When srcuser is one or more blank spaces, it is not extracted from the log. srcip is not extracted as well.

The change I made has been tested under the following usernames:

  • test.
  • test2test.
  • ' ' - one blank space.
  • ' ' - 5 blank spaces (Github won't let me show them correctly)

The results have been good. All fields are extracted:

       log: 'Invalid user test from 11.0.0.27 port 55140'

**Phase 2: Completed decoding.
       decoder: 'sshd'
       srcuser: 'test'
       srcip: '11.0.0.27'
       srcport: '55140'

       log: 'Invalid user test2test from 11.0.0.27 port 55140'

**Phase 2: Completed decoding.
       decoder: 'sshd'
       srcuser: 'test2test'
       srcip: '11.0.0.27'
       srcport: '55140'

       log: 'Invalid user   from 11.0.0.27 port 55140'

**Phase 2: Completed decoding.
       decoder: 'sshd'
       srcuser: ' '
       srcip: '11.0.0.27'
       srcport: '55140'

       log: 'Invalid user      from 11.0.0.27 port 55140'

**Phase 2: Completed decoding.
       decoder: 'sshd'
       srcuser: '     '
       srcip: '11.0.0.27'
       srcport: '55140'

Regards, Sergio.

sergiospa avatar Jul 06 '20 13:07 sergiospa

This regex expression may also need to be modified https://github.com/wazuh/wazuh-ruleset/blob/533fc77885614bca02dec4c7d5f6e2bd54a2d6c4/decoders/0310-ssh_decoders.xml#L96

NitroCao avatar Jul 07 '20 07:07 NitroCao