sshd-logs parser should match 'Connection closed by' lines even witho…

…ut 'invalid user' (current debian bookworm) (#1168) Co-authored-by: Laurence Jones <[email protected]>
crowdsecurity · Feb 3, 2025 · a3e65cc · a3e65cc
1 parent 13deb36
commit a3e65cc
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 3 deletions.
diff --git a/.tests/sshd-logs/parser.assert b/.tests/sshd-logs/parser.assert
@@ -1,5 +1,5 @@
 len(results) == 3
-len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 21
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 22
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == true
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["logsource"] == "syslog"
 results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["message"] == "Invalid user pascal from 35.188.49.176 port 53502"
@@ -210,7 +210,17 @@ results["s00-raw"]["crowdsecurity/syslog-logs"][20].Evt.Meta["datasource_path"]
 results["s00-raw"]["crowdsecurity/syslog-logs"][20].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/syslog-logs"][20].Evt.Meta["machine"] == "sd-126005"
 results["s00-raw"]["crowdsecurity/syslog-logs"][20].Evt.Whitelisted == false
-len(results["s01-parse"]["crowdsecurity/sshd-logs"]) == 21
+results["s00-raw"]["crowdsecurity/syslog-logs"][21].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][21].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][21].Evt.Parsed["message"] == "Connection closed by 118.27.24.104 port 33594 [preauth]"
+results["s00-raw"]["crowdsecurity/syslog-logs"][21].Evt.Parsed["pid"] == "36648"
+results["s00-raw"]["crowdsecurity/syslog-logs"][21].Evt.Parsed["program"] == "sshd"
+results["s00-raw"]["crowdsecurity/syslog-logs"][21].Evt.Parsed["timestamp"] == "Nov 19 11:28:15"
+results["s00-raw"]["crowdsecurity/syslog-logs"][21].Evt.Meta["datasource_path"] == "sshd-logs.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][21].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][21].Evt.Meta["machine"] == "myhost"
+results["s00-raw"]["crowdsecurity/syslog-logs"][21].Evt.Whitelisted == false
+len(results["s01-parse"]["crowdsecurity/sshd-logs"]) == 22
 results["s01-parse"]["crowdsecurity/sshd-logs"][0].Success == true
 results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Parsed["logsource"] == "syslog"
 results["s01-parse"]["crowdsecurity/sshd-logs"][0].Evt.Parsed["message"] == "Invalid user pascal from 35.188.49.176 port 53502"
@@ -524,4 +534,18 @@ results["s01-parse"]["crowdsecurity/sshd-logs"][20].Evt.Meta["service"] == "ssh"
 results["s01-parse"]["crowdsecurity/sshd-logs"][20].Evt.Meta["source_ip"] == "35.188.49.176"
 results["s01-parse"]["crowdsecurity/sshd-logs"][20].Evt.Meta["target_user"] == "pascal5"
 results["s01-parse"]["crowdsecurity/sshd-logs"][20].Evt.Whitelisted == false
+results["s01-parse"]["crowdsecurity/sshd-logs"][21].Success == true
+results["s01-parse"]["crowdsecurity/sshd-logs"][21].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/sshd-logs"][21].Evt.Parsed["message"] == "Connection closed by 118.27.24.104 port 33594 [preauth]"
+results["s01-parse"]["crowdsecurity/sshd-logs"][21].Evt.Parsed["pid"] == "36648"
+results["s01-parse"]["crowdsecurity/sshd-logs"][21].Evt.Parsed["program"] == "sshd"
+results["s01-parse"]["crowdsecurity/sshd-logs"][21].Evt.Parsed["sshd_client_ip"] == "118.27.24.104"
+results["s01-parse"]["crowdsecurity/sshd-logs"][21].Evt.Parsed["timestamp"] == "Nov 19 11:28:15"
+results["s01-parse"]["crowdsecurity/sshd-logs"][21].Evt.Meta["datasource_path"] == "sshd-logs.log"
+results["s01-parse"]["crowdsecurity/sshd-logs"][21].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/sshd-logs"][21].Evt.Meta["log_type"] == "ssh_failed-auth"
+results["s01-parse"]["crowdsecurity/sshd-logs"][21].Evt.Meta["machine"] == "myhost"
+results["s01-parse"]["crowdsecurity/sshd-logs"][21].Evt.Meta["service"] == "ssh"
+results["s01-parse"]["crowdsecurity/sshd-logs"][21].Evt.Meta["source_ip"] == "118.27.24.104"
+results["s01-parse"]["crowdsecurity/sshd-logs"][21].Evt.Whitelisted == false
 len(results["success"][""]) == 0
diff --git a/.tests/sshd-logs/sshd-logs.log b/.tests/sshd-logs/sshd-logs.log
@@ -19,3 +19,4 @@ Apr  6 18:51:41 eve sshd[2784424]: Failed password for invalid user root from 19
 Jul  1 09:30:56 usbkey sshd[8807]: fatal: Timeout before authentication for 192.168.9.212 port 47056
 Jul  2 11:32:16 instance-20240401-2335 sshd[309785]: ssh_dispatch_run_fatal: Connection from 192.168.9.213 port 48680: message authentication code incorrect [preauth]
 Feb 12 14:10:24 sd-126005 sshd-session[16379]: Invalid user pascal5 from 35.188.49.176 port 53502
+Nov 19 11:28:15 myhost sshd[36648]: Connection closed by 118.27.24.104 port 33594 [preauth]
diff --git a/parsers/s01-parse/crowdsecurity/sshd-logs.yaml b/parsers/s01-parse/crowdsecurity/sshd-logs.yaml
@@ -12,7 +12,7 @@ pattern_syntax:
   SSHD_MAGIC_VALUE_FAILED: 'Magic value check failed \(\d+\) on obfuscated handshake from %{IP_WORKAROUND:sshd_client_ip} port \d+'
   SSHD_INVALID_USER: 'Invalid user\s*%{USERNAME:sshd_invalid_user}? from %{IP_WORKAROUND:sshd_client_ip}( port \d+)?'
   SSHD_INVALID_BANNER: 'banner exchange: Connection from %{IP_WORKAROUND:sshd_client_ip} port \d+: invalid format'
-  SSHD_PREAUTH_AUTHENTICATING_USER: 'Connection (closed|reset) by (authenticating|invalid) user %{USERNAME:sshd_invalid_user} %{IP_WORKAROUND:sshd_client_ip} port \d+ \[preauth\]'
+  SSHD_PREAUTH_AUTHENTICATING_USER: 'Connection (closed|reset) by( (authenticating|invalid) user %{USERNAME:sshd_invalid_user})? %{IP_WORKAROUND:sshd_client_ip} port \d+ \[preauth\]'
   #following: https://github.com/crowdsecurity/crowdsec/issues/1201 - some scanners behave differently and trigger this one
   SSHD_PREAUTH_AUTHENTICATING_USER_ALT: 'Disconnected from (authenticating|invalid) user %{USERNAME:sshd_invalid_user} %{IP_WORKAROUND:sshd_client_ip} port \d+ \[preauth\]'
   SSHD_BAD_KEY_NEGOTIATION: 'Unable to negotiate with %{IP_WORKAROUND:sshd_client_ip} port \d+: no matching (host key type|key exchange method|MAC) found.'