Updates to parse_sshd.py to account for other fingerprint types.

mq/plugins/parse_sshd.py

@@ -24,15 +24,14 @@ class message(object):
 
     def onMessage(self, message, metadata):
 
-        self.accepted_regex = re.compile('^(?P<authstatus>\w+) (?P<authmethod>\w+) for (?P<username>[a-zA-Z0-9\@._-]+) from (?P<sourceipaddress>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) port (?P<sourceport>\d{1,5}) ssh2(\:\sRSA\s)?(?:(?P<rsakeyfingerprint>(\w+\:){15}\w+))?$')
+        self.accepted_regex = re.compile('^(?P<authstatus>\w+) (?P<authmethod>\w+) for (?P<username>[a-zA-Z0-9\@._-]+) from (?P<sourceipaddress>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) port (?P<sourceport>\d{1,5}) ssh2(\:\sRSA\s)?(?:(?P<rsakeyfingerprint>(\S+)))?$')
         self.session_opened_regex = re.compile('^pam_unix\(sshd\:session\)\: session (opened|closed) for user (?P<username>[a-zA-Z0-9\@._-]+)(?: by \(uid\=\d*\))?$')
         self.postponed_regex = re.compile('^Postponed (?P<authmethod>\w+) for (?P<username>[a-zA-Z0-9\@._-]+) from (?P<sourceipaddress>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) port (?P<sourceport>\d{1,5}) ssh2(?: \[preauth\])?$')
         self.starting_session_regex = re.compile('^Starting session: (?P<sessiontype>\w+)(?: on )?(?P<device>pts/0)? for (?P<username>[a-zA-Z0-9\@._-]+) from (?P<sourceipaddress>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) port (?P<sourceport>\d{1,5})$')
         self.session_closed_regex = re.compile('^pam_unix\(sshd\:session\)\: session closed for user (?P<username>[a-zA-Z0-9\@._-]+)$')
 
-        if 'details' in message:
-            if 'program' in message['details']:
-                if message['details']['program'] == 'sshd':
+        if 'processname' in message or 'details' in message:
+            if ('program' in message['details'] and message['details'] == 'sshd') or message['processname'] == 'sshd':
                     msg_unparsed = message['summary']
                     if msg_unparsed.startswith('Accepted'):
                         accepted_search = re.search(self.accepted_regex, msg_unparsed)
@@ -45,8 +44,11 @@ class message(object):
                             message['details']['rsakeyfingerprint'] = accepted_search.group('rsakeyfingerprint')
                     if msg_unparsed.startswith('pam_unix'):
                         session_opened_search = re.search(self.session_opened_regex, msg_unparsed)
+                        session_closed_search = re.search(self.session_closed_regex, msg_unparsed)
                         if session_opened_search:
                             message['details']['username'] = session_opened_search.group('username')
+                        if session_closed_search:
+                            message['details']['username'] = session_closed_search.group('username')
                     if msg_unparsed.startswith('Postponed'):
                         postponed_search = re.search(self.postponed_regex, msg_unparsed)
                         if postponed_search:

tests/mq/plugins/test_parse_sshd.py

@@ -53,6 +53,29 @@ class TestSSHDAcceptedMessageV1():
         assert retmessage['details']['authstatus'] == 'Accepted'
         assert retmessage['details']['sourceipaddress'] == '10.22.74.208'
 
+# Long Username and SHA256 fpr present
+class TestSSHDAcceptedMessageV1():
+    def setup(self):
+        
+        self.msgobj = message()
+        self.msg = copy.deepcopy(accept_message)
+        self.msg['summary'] = 'Accepted publickey for user1@domainname.com from 10.22.248.134 port 52216 ssh2: RSA SHA256:1fPhSawXQzFDrJoN2uSos2nGg3wS3oGp15x8/HR+pBc'
+    
+    def test_onMessage(self):
+        metadata = {}
+        metadata['doc_type'] = 'event'
+
+        (retmessage, retmeta) = self.msgobj.onMessage(self.msg, metadata)
+
+        assert retmessage is not None
+        assert retmeta is not None
+        assert retmessage['details']['username'] == 'user1@domainname.com'
+        assert retmessage['details']['rsakeyfingerprint'] == 'SHA256:1fPhSawXQzFDrJoN2uSos2nGg3wS3oGp15x8/HR+pBc'
+        assert retmessage['details']['authmethod'] == 'publickey'
+        assert retmessage['details']['sourceport'] == '52216'
+        assert retmessage['details']['authstatus'] == 'Accepted'
+        assert retmessage['details']['sourceipaddress'] == '10.22.248.134'
+
 
 # Long username
 class TestSSHDAcceptedMessageV2():