Update ssh releng alert to take new event format into consideration (#1719)

alerts/ssh_access_signreleng.py

@@ -19,11 +19,14 @@ class AlertAuthSignRelengSSH(AlertTask):
         if self.config['channel'] == '':
             self.config['channel'] = None
 
+        summary_query = PhraseMatch('summary', 'Accepted publickey for ')
+        summary_query |= PhraseMatch('summary', 'Accepted keyboard-interactive/pam for ')
+
         search_query.add_must([
             TermMatch('tags', 'releng'),
             TermMatch('details.program', 'sshd'),
             QueryStringMatch('hostname: /{}/'.format(self.config['hostfilter'])),
-            PhraseMatch('summary', 'Accepted publickey for ')
+            summary_query,
         ])
 
         for exclusion in self.config['exclusions']:
@@ -57,9 +60,14 @@ class AlertAuthSignRelengSSH(AlertTask):
                 sourceipaddress = x['details']['sourceipaddress']
 
         targetuser = 'unknown'
-        found_usernames = re.findall(r'Accepted publickey for ([A-Za-z0-9]+) from', event['_source']['summary'])
-        if len(found_usernames) > 0:
-            targetuser = found_usernames[0]
+        if 'Accepted publickey for' in event['_source']['summary']:
+            found_usernames = re.findall(r'Accepted publickey for ([A-Za-z0-9]+) from', event['_source']['summary'])
+            if len(found_usernames) > 0:
+                targetuser = found_usernames[0]
+        elif 'Accepted keyboard-interactive/pam' in event['_source']['summary']:
+            found_usernames = re.findall(r'Accepted keyboard-interactive/pam for ([A-Za-z0-9]+) from', event['_source']['summary'])
+            if len(found_usernames) > 0:
+                targetuser = found_usernames[0]
 
         summary = 'SSH login from {0} on {1} as user {2}'.format(sourceipaddress, targethost, targetuser)
         return self.createAlertDict(summary, category, tags, [event], severity, channel=self.config['channel'])

tests/alerts/test_ssh_access_signreleng.py

@@ -152,3 +152,15 @@ class TestAlertSSHAccessSignReleng(AlertTestSuite):
             expected_alert=default_alert
         )
     )
+
+    event = AlertTestSuite.create_event(default_event)
+    event['_source']['summary'] = '[68208]: Accepted keyboard-interactive/pam for ttesterson from 1.2.3.4 port 50942 ssh2'
+    alert = AlertTestSuite.create_alert(default_alert)
+    alert['summary'] = 'SSH login from 1.2.3.4 on host1 as user ttesterson'
+    test_cases.append(
+        PositiveAlertTestCase(
+            description="Positive test case with good keyboard/pam event",
+            events=[event],
+            expected_alert=alert
+        )
+    )