From 211ab423e7d182d31225e77c7371f793ab590637 Mon Sep 17 00:00:00 2001
From: Brandon Myers
Date: Wed, 31 Jul 2019 17:53:08 -0500
Subject: [PATCH] Update regex strings
---
 alerts/plugins/ip_source_enrichment.py | 4 ++--
 alerts/proxy_drop_executable.py | 2 +-
 alerts/ssh_access_signreleng.py | 2 +-
 alerts/ssh_lateral.py | 2 +-
 alerts/unauth_ssh.py | 2 +-
 cron/createFDQNBlockList.py | 2 +-
 mq/plugins/parse_sshd.py | 14 +++++++-------
 mq/plugins/parse_su.py | 2 +-
 rest/plugins/fqdnblocklist.py | 2 +-
 .../query_models/test_query_string_match.py | 6 +++---
 10 files changed, 19 insertions(+), 19 deletions(-)
diff --git a/alerts/plugins/ip_source_enrichment.py b/alerts/plugins/ip_source_enrichment.py
index 81bf172a..5cfac54c 100644
--- a/alerts/plugins/ip_source_enrichment.py
+++ b/alerts/plugins/ip_source_enrichment.py
@@ -20,8 +20,8 @@ CONFIG_FILE = os.path.join(
 def _find_ip_addresses(string):
     '''List all of the IPv4 and IPv6 addresses found in a string.'''
-    ipv4_rx = '(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)'
-    ipv6_rx = '(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))'
+    ipv4_rx = r'(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)'
+    ipv6_rx = r'(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))'
     ipv4 = re.findall(ipv4_rx, string)
     ipv6_map = map(
diff --git a/alerts/proxy_drop_executable.py b/alerts/proxy_drop_executable.py
index 4c8f25a8..8be6411e 100644
--- a/alerts/proxy_drop_executable.py
+++ b/alerts/proxy_drop_executable.py
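Review bot: The rewritten `ipv4_rx` carries no boundary assertions, so `re.findall(ipv4_rx, string)` on the following context line also reports substrings of longer digit runs as addresses (a constructed input `x1234.5.6.7890` yields `234.5.6.78`), which feeds the enrichment with IPs that never appeared in the event. Keeping the raw-string change and adding word boundaries removes that class of false match: `ipv4_rx = r'\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b'`. Note that the dotted quad inside the IPv4-mapped forms accepted by `ipv6_rx` (`::ffff:a.b.c.d`) is still matched by `ipv4_rx` as well, so the two result lists can overlap. `_find_ip_addresses` continues past the end of the hunk (the `ipv6_map = map(` call is cut off).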
@@ -24,7 +24,7 @@ class AlertProxyDropExecutable(AlertTask):
         )
         # Only notify on certain file extensions from config
-        filename_regex = "/.*\.({0})/".format(self.config.extensions.replace(",", "|"))
+        filename_regex = r"/.*\.({0})/".format(self.config.extensions.replace(",", "|"))
         search_query.add_must(
             [QueryStringMatch("details.destination: {}".format(filename_regex))]
         )
diff --git a/alerts/ssh_access_signreleng.py b/alerts/ssh_access_signreleng.py
index a2cf5c66..9b5c961d 100644
--- a/alerts/ssh_access_signreleng.py
+++ b/alerts/ssh_access_signreleng.py
@@ -57,7 +57,7 @@ class AlertAuthSignRelengSSH(AlertTask):
             sourceipaddress = x['details']['sourceipaddress']
             targetuser = 'unknown'
-            expr = re.compile('Accepted publickey for ([A-Za-z0-9]+) from')
+            expr = re.compile(r'Accepted publickey for ([A-Za-z0-9]+) from')
             m = expr.match(event['_source']['summary'])
             groups = m.groups()
             if len(groups) > 0:
diff --git a/alerts/ssh_lateral.py b/alerts/ssh_lateral.py
index dedd988c..969d30d6 100644
--- a/alerts/ssh_lateral.py
+++ b/alerts/ssh_lateral.py
@@ -124,7 +124,7 @@ class SshLateral(AlertTask):
         source_ips = []
         users = []
         for x in aggreg['events']:
-            m = re.match('Accepted publickey for (\S+) from (\S+).*', x['_source']['summary'])
+            m = re.match(r'Accepted publickey for (\S+) from (\S+).*', x['_source']['summary'])
             if m is not None and len(m.groups()) == 2:
                 ipaddr = netaddr.IPAddress(m.group(2))
                 for y in self._config['alertifsource']:
diff --git a/alerts/unauth_ssh.py b/alerts/unauth_ssh.py
index 1764258c..94a59228 100644
--- a/alerts/unauth_ssh.py
+++ b/alerts/unauth_ssh.py
@@ -65,7 +65,7 @@ class AlertUnauthSSH(AlertTask):
             sourceipaddress = x['details']['sourceipaddress']
             targetuser = 'unknown'
-            expr = re.compile('Accepted publickey for ([A-Za-z0-9@.\-]+) from')
+            expr = re.compile(r'Accepted publickey for ([A-Za-z0-9@.\-]+) from')
             m = expr.match(event['_source']['summary'])
             groups = m.groups()
             if len(groups) > 0:
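Review bot: `self.config.extensions.replace(",", "|")` on the changed line goes into the alternation verbatim, so any whitespace around the commas in the configured list (a constructed `exe, dll`) ends up inside an alternative (`exe| dll`) and that extension silently never matches. Splitting and trimming closes that quiet gap while keeping the raw-string fix: `filename_regex = r"/.*\.({0})/".format("|".join(e.strip() for e in self.config.extensions.split(",")))`. The pattern is also case-sensitive as written, so whether a destination such as `FILE.EXE` is caught depends on how `details.destination` is analyzed on the search side; a one-line comment stating the expected behaviour would help the next maintainer.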
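Review bot: `expr.match(event['_source']['summary'])` on the line after the changed one returns `None` for any summary that does not start with `Accepted publickey for`, and the following `groups = m.groups()` then raises `AttributeError` instead of falling through with `targetuser = 'unknown'`; the `alerts/unauth_ssh.py` hunk below has the same unguarded sequence, while `alerts/ssh_lateral.py` already checks `m is not None`. A one-line guard keeps the fallback meaningful: `groups = m.groups() if m is not None else ()`. The mismatch matters here in particular because this file's character class `[A-Za-z0-9]+` rejects usernames containing `.`, `-`, `_` or `@`, whereas `unauth_ssh.py` in this same patch accepts them with `[A-Za-z0-9@.\-]+`, so such logins take the `None` path rather than being attributed. The enclosing method starts and ends outside the hunk.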
diff --git a/cron/createFDQNBlockList.py b/cron/createFDQNBlockList.py
index 4358f05c..a92a16a6 100644
--- a/cron/createFDQNBlockList.py
+++ b/cron/createFDQNBlockList.py
@@ -49,7 +49,7 @@ def isFQDN(fqdn):
     # We could resolve FQDNs here, but that could tip our hand and it's
     # possible us investigating could trigger other alerts.
     # validate using the regex from https://github.com/yolothreat/utilitybelt
-    fqdn_re = re.compile('(?=^.{4,255}$)(^((?!-)[a-zA-Z0-9-]{1,63}(?\w+) (?P\w+) for (?P[a-zA-Z0-9\@._-]+) from (?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) port (?P\d{1,5}) ssh2(\:\sRSA\s)?(?:(?P(\S+)))?$')
-        self.session_opened_regex = re.compile('^pam_unix\(sshd\:session\)\: session (opened|closed) for user (?P[a-zA-Z0-9\@._-]+)(?: by \(uid\=\d*\))?$')
-        self.postponed_regex = re.compile('^Postponed (?P\w+) for (?P[a-zA-Z0-9\@._-]+) from (?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) port (?P\d{1,5}) ssh2(?: \[preauth\])?$')
-        self.starting_session_regex = re.compile('^Starting session: (?P\w+)(?: on )?(?Ppts/0)? for (?P[a-zA-Z0-9\@._-]+) from (?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) port (?P\d{1,5})$')
-        self.unauthorized_user_regex = re.compile('^Invalid user (?P[a-zA-Z0-9\@._-]+) from (?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})?$')
-        self.userauth_request_regex = re.compile('^input_userauth_request: invalid user (?P[a-zA-Z0-9\@._-]+) \[preauth\]')
-        self.disconnect_regex = re.compile('^Received disconnect from (?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}): (?P\d{1,5}): (|Bye Bye|Normal Shutdown, Thank you for playing) \[preauth\]')
+        self.accepted_regex = re.compile(r'^(?P\w+) (?P\w+) for (?P[a-zA-Z0-9\@._-]+) from (?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) port (?P\d{1,5}) ssh2(\:\sRSA\s)?(?:(?P(\S+)))?$')
+        self.session_opened_regex = re.compile(r'^pam_unix\(sshd\:session\)\: session (opened|closed) for user (?P[a-zA-Z0-9\@._-]+)(?: by \(uid\=\d*\))?$')
+        self.postponed_regex = re.compile(r'^Postponed (?P\w+) for (?P[a-zA-Z0-9\@._-]+) from (?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) port (?P\d{1,5}) ssh2(?: \[preauth\])?$')
+        self.starting_session_regex = re.compile(r'^Starting session: (?P\w+)(?: on )?(?Ppts/0)? for (?P[a-zA-Z0-9\@._-]+) from (?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) port (?P\d{1,5})$')
+        self.unauthorized_user_regex = re.compile(r'^Invalid user (?P[a-zA-Z0-9\@._-]+) from (?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})?$')
+        self.userauth_request_regex = re.compile(r'^input_userauth_request: invalid user (?P[a-zA-Z0-9\@._-]+) \[preauth\]')
+        self.disconnect_regex = re.compile(r'^Received disconnect from (?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}): (?P\d{1,5}): (|Bye Bye|Normal Shutdown, Thank you for playing) \[preauth\]')
         if 'processname' in message and message['processname'] == 'sshd':
             msg_unparsed = message['summary']
diff --git a/mq/plugins/parse_su.py b/mq/plugins/parse_su.py
index 367fa683..2836a381 100644
--- a/mq/plugins/parse_su.py
+++ b/mq/plugins/parse_su.py
@@ -22,7 +22,7 @@ class message(object):
     def onMessage(self, message, metadata):
-        self.session_regexp = re.compile('^pam_unix\(su(?:-l)?\:session\)\: session (?P\w+) for user (?P\w+)(?: (?:by (?:(?P\w+))?\(uid\=(?P[0-9]+)\)?)?)?$')
+        self.session_regexp = re.compile(r'^pam_unix\(su(?:-l)?\:session\)\: session (?P\w+) for user (?P\w+)(?: (?:by (?:(?P\w+))?\(uid\=(?P[0-9]+)\)?)?)?$')
         if 'details' in message:
             if 'program' in message['details']:
diff --git a/rest/plugins/fqdnblocklist.py b/rest/plugins/fqdnblocklist.py
index 5bdff5e4..04d05077 100644
--- a/rest/plugins/fqdnblocklist.py
+++ b/rest/plugins/fqdnblocklist.py
@@ -19,7 +19,7 @@ def isFQDN(fqdn):
     # We could resolve FQDNs here, but that could tip our hand and it's
     # possible us investigating could trigger other alerts.
     # validate using the regex from https://github.com/yolothreat/utilitybelt
-    fqdn_re = re.compile('(?=^.{4,255}$)(^((?!-)[a-zA-Z0-9-]{1,63}(?
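Review bot: `self.session_regexp` is compiled inside `onMessage`, so the pattern is rebuilt on every message the plugin receives; the `re` module's internal cache keeps that cheap, but the `re.compile(...)` belongs in `__init__` (outside the hunk) with `onMessage` only reading the attribute. The same placement appears in the `mq/plugins/parse_sshd.py` hunk above, where seven `self.*_regex` attributes are assigned in what looks like a method body, although that hunk's header is not visible here so the enclosing function is inferred. Moving the compiles also makes a malformed pattern fail at plugin load rather than on the first message processed.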