From 5d47bf2f37dcff3af7b8e1a6be64af90bb78421a Mon Sep 17 00:00:00 2001
From: Phrozyn
Date: Tue, 5 Mar 2019 15:21:27 -0600
Subject: [PATCH] Resolving issues with sshd events not parsing correctly.

---
 mq/esworker_sns_sqs.py | 2 +-
 mq/plugins/parse_sshd.py | 78 ++++++++++++++++++++++++----------------
 2 files changed, 48 insertions(+), 32 deletions(-)

diff --git a/mq/esworker_sns_sqs.py b/mq/esworker_sns_sqs.py
index 6605b0e5..9ce3274f 100755
--- a/mq/esworker_sns_sqs.py
+++ b/mq/esworker_sns_sqs.py
@@ -121,7 +121,7 @@ class taskConsumer(object):
 elif inside_message_key in ('type', 'category'):
 event['category'] = inside_message_value
 elif inside_message_key in ('summary','payload', 'message'):
- event['summary'] = inside_message_value
+ event['summary'] = inside_message_value.lstrip()
 elif inside_message_key in ('source'):
 event['source'] = inside_message_value
 elif inside_message_key in ('fields', 'details'):
diff --git a/mq/plugins/parse_sshd.py b/mq/plugins/parse_sshd.py
index 6c4ea72b..fef50b49 100644
--- a/mq/plugins/parse_sshd.py
+++ b/mq/plugins/parse_sshd.py
@@ -10,8 +10,8 @@ class message(object):
 def __init__(self):
 '''
- takes an incoming sshd message
- and sets the doc_type
+ takes an incoming sshd message and
+ parses sshd details into fields
 '''
 self.registration = ['sshd']
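Review bot: The added `.lstrip()` assumes `inside_message_value` is a string; if a producer ever sends `summary`, `payload` or `message` as null or as a nested JSON object, this line now raises `AttributeError` where the old assignment simply stored the value, and whether that drops or retries the SQS message depends on error handling outside this hunk. A one-line guard keeps the normalization without the new failure mode: `event['summary'] = inside_message_value.lstrip() if isinstance(inside_message_value, str) else inside_message_value`. The reason for stripping is not stated; since the sshd plugin in this same commit dispatches on `msg_unparsed.startswith(...)`, a comment such as `# strip leading whitespace so plugin startswith() dispatch matches` would preserve that intent. The enclosing loop and method begin outside the hunk.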
@@ -23,35 +23,51 @@ class message(object):
 self.session_opened_regex = re.compile('^pam_unix\(sshd\:session\)\: session (opened|closed) for user (?P[a-zA-Z0-9\@._-]+)(?: by \(uid\=\d*\))?$')
 self.postponed_regex = re.compile('^Postponed (?P\w+) for (?P[a-zA-Z0-9\@._-]+) from (?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) port (?P\d{1,5}) ssh2(?: \[preauth\])?$')
 self.starting_session_regex = re.compile('^Starting session: (?P\w+)(?: on )?(?Ppts/0)? for (?P[a-zA-Z0-9\@._-]+) from (?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) port (?P\d{1,5})$')
+ self.unauthorized_user_regex = re.compile('^Invalid user (?P[a-zA-Z0-9\@._-]+) from (?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})?$')
+ self.userauth_request_regex = re.compile('^input_userauth_request: invalid user (?P[a-zA-Z0-9\@._-]+) \[preauth\]')
+ self.disconnect_regex = re.compile('^Received disconnect from (?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}): (?P\d{1,5}): (|Bye Bye|Normal Shutdown, Thank you for playing) \[preauth\]')
- if 'details' in message:
- if 'program' in message['details'] and message['details']['program'] == 'sshd':
- msg_unparsed = message['summary']
- if msg_unparsed.startswith('Accepted'):
- accepted_search = re.search(self.accepted_regex, msg_unparsed)
- if accepted_search:
- message['details']['authstatus'] = accepted_search.group('authstatus')
- message['details']['authmethod'] = accepted_search.group('authmethod')
- message['details']['username'] = accepted_search.group('username')
- message['details']['sourceipaddress'] = accepted_search.group('sourceipaddress')
- message['details']['sourceport'] = accepted_search.group('sourceport')
- message['details']['rsakeyfingerprint'] = accepted_search.group('rsakeyfingerprint')
- if msg_unparsed.startswith('pam_unix'):
- session_opened_search = re.search(self.session_opened_regex, msg_unparsed)
- if session_opened_search:
- message['details']['username'] = session_opened_search.group('username')
- if msg_unparsed.startswith('Postponed'):
- postponed_search = re.search(self.postponed_regex, msg_unparsed)
- if postponed_search:
- message['details']['username'] = postponed_search.group('username')
- message['details']['authmethod'] = postponed_search.group('authmethod')
- if msg_unparsed.startswith('Starting session'):
- starting_session_search = re.search(self.starting_session_regex, msg_unparsed)
- if starting_session_search:
- message['details']['sessiontype'] = starting_session_search.group('sessiontype')
- message['details']['username'] = starting_session_search.group('username')
- message['details']['sourceipaddress'] = starting_session_search.group('sourceipaddress')
- message['details']['sourceport'] = starting_session_search.group('sourceport')
- message['details']['device'] = starting_session_search.group('device')
+ if 'processname' in message and message['processname'] == 'sshd':
+ msg_unparsed = message['summary']
+ if msg_unparsed.startswith('Accepted'):
+ accepted_search = re.search(self.accepted_regex, msg_unparsed)
+ if accepted_search:
+ message['details']['authstatus'] = accepted_search.group('authstatus')
+ message['details']['authmethod'] = accepted_search.group('authmethod')
+ message['details']['username'] = accepted_search.group('username')
+ message['details']['sourceipaddress'] = accepted_search.group('sourceipaddress')
+ message['details']['sourceport'] = accepted_search.group('sourceport')
+ message['details']['rsakeyfingerprint'] = accepted_search.group('rsakeyfingerprint')
+ if msg_unparsed.startswith('pam_unix'):
+ session_opened_search = re.search(self.session_opened_regex, msg_unparsed)
+ if session_opened_search:
+ message['details']['username'] = session_opened_search.group('username')
+ if msg_unparsed.startswith('Postponed'):
+ postponed_search = re.search(self.postponed_regex, msg_unparsed)
+ if postponed_search:
+ message['details']['username'] = postponed_search.group('username')
+ message['details']['authmethod'] = postponed_search.group('authmethod')
+ if msg_unparsed.startswith('Starting session'):
+ starting_session_search = re.search(self.starting_session_regex, msg_unparsed)
+ if starting_session_search:
+ message['details']['sessiontype'] = starting_session_search.group('sessiontype')
+ message['details']['username'] = starting_session_search.group('username')
+ message['details']['sourceipaddress'] = starting_session_search.group('sourceipaddress')
+ message['details']['sourceport'] = starting_session_search.group('sourceport')
+ message['details']['device'] = starting_session_search.group('device')
+ if msg_unparsed.startswith('Invalid user'):
+ starting_session_search = re.search(self.unauthorized_user_regex, msg_unparsed)
+ if starting_session_search:
+ message['details']['username'] = starting_session_search.group('username')
+ message['details']['sourceipaddress'] = starting_session_search.group('sourceipaddress')
+ if msg_unparsed.startswith('input_userauth_request'):
+ starting_session_search = re.search(self.userauth_request_regex, msg_unparsed)
+ if starting_session_search:
+ message['details']['username'] = starting_session_search.group('username')
+ if msg_unparsed.startswith('Received disconnect from'):
+ starting_session_search = re.search(self.disconnect_regex, msg_unparsed)
+ if starting_session_search:
+ message['details']['sourceipaddress'] = starting_session_search.group('sourceipaddress')
+ message['details']['sourceport'] = starting_session_search.group('sourceport')
 return (message, metadata)
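Review bot: The new guard checks only `message['processname']` and then writes `message['details'][...]` in every branch, but the `'details' in message` check the old code had is gone, so an sshd event that arrives without a `details` dict now raises `KeyError` inside the plugin; `if message.get('processname') == 'sshd' and isinstance(message.get('details'), dict):` restores that guard in one line. In `disconnect_regex` the integer after the address (`: (?P\d{1,5}):`) is stored via `.group('sourceport')` into `details['sourceport']`, but in OpenSSH's `Received disconnect from <ip>: <n>: <text>` format that number is the disconnect reason code, not a port, so it should go under a name like `disconnectreason` (or be dropped) to keep `sourceport` trustworthy in detection rules. `unauthorized_user_regex` also makes the address group optional (`...)?$`), so `details['sourceipaddress']` can be assigned `None`, and because the username class is limited to `[a-zA-Z0-9\@._-]+`, `Invalid user` lines carrying attacker-chosen usernames with other characters (common in brute-force traffic) yield no details at all — a blind spot for any rule keyed on `sourceipaddress` from these events. The `starting_session_search` name is reused for the three new branches; `invalid_user_search`, `userauth_request_search` and `disconnect_search` would read more clearly. The enclosing `onMessage` method's signature lies outside the hunk.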