wazuh-ruleset Fix error in ssd decoder when username is one or more blank spaces

Fix error in ssd decoder when username is one or more blank spaces

Open sergiospa opened this issue 4 years ago • 1 comments

Hi team,

This PR aims to fix an error of the sshd decoder. When srcuser is one or more blank spaces, it is not extracted from the log. srcip is not extracted as well.

The change I made has been tested under the following usernames:

test.
test2test.
' ' - one blank space.
' ' - 5 blank spaces (Github won't let me show them correctly)

The results have been good. All fields are extracted:

       log: 'Invalid user test from 11.0.0.27 port 55140'

**Phase 2: Completed decoding.
       decoder: 'sshd'
       srcuser: 'test'
       srcip: '11.0.0.27'
       srcport: '55140'

       log: 'Invalid user test2test from 11.0.0.27 port 55140'

**Phase 2: Completed decoding.
       decoder: 'sshd'
       srcuser: 'test2test'
       srcip: '11.0.0.27'
       srcport: '55140'

       log: 'Invalid user   from 11.0.0.27 port 55140'

**Phase 2: Completed decoding.
       decoder: 'sshd'
       srcuser: ' '
       srcip: '11.0.0.27'
       srcport: '55140'

       log: 'Invalid user      from 11.0.0.27 port 55140'

**Phase 2: Completed decoding.
       decoder: 'sshd'
       srcuser: '     '
       srcip: '11.0.0.27'
       srcport: '55140'

Regards, Sergio.

Jul 06 '20 13:07 sergiospa

This regex expression may also need to be modified https://github.com/wazuh/wazuh-ruleset/blob/533fc77885614bca02dec4c7d5f6e2bd54a2d6c4/decoders/0310-ssh_decoders.xml#L96

Jul 07 '20 07:07 NitroCao

wazuh-ruleset wazuh-ruleset copied to clipboard

Fix error in ssd decoder when username is one or more blank spaces

wazuh-ruleset
wazuh-ruleset copied to clipboard