M transformer/furemcape/transformer/processor/open_sshd_parser.py => transformer/furemcape/transformer/processor/open_sshd_parser.py +10 -1
@@ 20,11 20,15 @@ MESSAGES = [
r" for (?P<user>.+?) from (?P<ip>\S+)"
),
re.compile(r"(?P<error>Did not receive identification string) from (?P<ip>\S+)"),
+ re.compile(
+ r"(?P<action>(?:Connection|Disconnected)) from user (?P<user>\S+) (?P<ip>\S+)"
+ ),
re.compile(r"(?P<action>(?:Connection|Disconnected)) from (?P<ip>\S+)"),
re.compile(
r"(?P<action>(?:Accepted|Failed) publickey) for (?P<user>.+?)"
r" from (?P<ip>\S+) port \d+ \S+: (?P<resource>.+)"
),
+ re.compile(r"(?P<action>Accepted key) (?P<resource>.+?) found at "),
re.compile(
r"pam_unix.sshd:session.: (?P<action>session (?:opened|closed))"
r" for user (?P<user>\S+)"
@@ 43,8 47,13 @@ MESSAGES = [
r" with (?P<ip>\S+) port \d+: (?P<error>.+?)."
r" Their offer: (?P<resource>.+)"
),
- re.compile(r"(?P<action>Read error) from remote host (?P<ip>\S+): (?P<error>.+)"),
+ re.compile(
+ r"(?P<action>Read error) from remote host"
+ r" (?P<ip>\S+)(?: port \d+)?: (?P<error>.+)"
+ ),
+ re.compile(r"error: (?P<action>kex_exchange_identification): (?P<error>.+)"),
re.compile(r"(?P<action>Postponed publickey) for (?P<user>.+?) from (?P<ip>\S+)"),
+ re.compile(r"channel \d+: open failed: (?P<action>connect failed): (?P<error>.+)"),
re.compile(r"(?P<action>(?:Transferred|User child))[: ]"),
]
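Review bot: The user/ip capture on line 7, `(?P<user>\S+) (?P<ip>\S+)`, assigns whatever the second whitespace-separated token is to `ip`, so a login name containing a space (the name is supplied by the remote client; the first pattern in this hunk already accepts `(?P<user>.+?)`) would land its second word in the `ip` field instead of the address. If every message of this form carries the trailing ` port \d+` (the fixture in the test file, `"Disconnected from user justin 172.92.156.105 port 47184"`, does), anchoring on it makes the capture unambiguous: `r"(?P<action>(?:Connection|Disconnected)) from user (?P<user>.+?) (?P<ip>\S+) port \d+"`. That also keeps the new entry consistent with the `(?P<user>.+?) from (?P<ip>\S+)` shape used at the top of the hunk. The MESSAGES list these hunks edit starts before the first hunk, and whether the patterns are applied with `match` or `search` is not visible here.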
M transformer/test/processor/test_open_sshd_parser.py => transformer/test/processor/test_open_sshd_parser.py +52 -0
@@ 169,6 169,17 @@ def test_process_disconnected_from():
}
+def test_process_disconnected_from_user():
+ processor = OpenSshdParser()
+ message = "Disconnected from user justin 172.92.156.105 port 47184"
+ assert processor.process({"message": message}) == {
+ "message": message,
+ "user": "justin",
+ "ip": "172.92.156.105",
+ "action": "disconnected",
+ }
+
+
def test_process_accepted_publickey():
processor = OpenSshdParser()
message = "Accepted publickey for dee from 74.133.6.0 port 59053 ssh2: RSA SHA256:kNQvizvVRmwyXTVioT58isAzLS3zd4BqkhGStn8v/GI" # noqa: E501
@@ 193,6 204,16 @@ def test_process_failed_publickey():
}
+def test_process_accepted_key():
+ processor = OpenSshdParser()
+ message = "Accepted key ED25519 SHA256:TP18lkc7zWi1Q1PDV0/5QzhOFVQ60EC5pJD8kS12XQp found at /home/dee/.ssh/authorized_keys:3" # noqa: E501
+ assert processor.process({"message": message}) == {
+ "message": message,
+ "action": "accepted key",
+ "resource": "ED25519 SHA256:TP18lkc7zWi1Q1PDV0/5QzhOFVQ60EC5pJD8kS12XQp",
+ }
+
+
def test_process_postponed_publickey():
processor = OpenSshdParser()
message = (
@@ 321,6 342,7 @@ def test_process_unable_to_negotiate():
def test_process_read_error():
processor = OpenSshdParser()
+
message = "Read error from remote host 66.42.179.151: Connection timed out"
assert processor.process({"message": message}) == {
"message": message,
@@ 329,6 351,36 @@ def test_process_read_error():
"error": "connection timed out",
}
+ message = (
+ "Read error from remote host 66.42.179.151 port 55580: Connection timed out"
+ )
+ assert processor.process({"message": message}) == {
+ "message": message,
+ "ip": "66.42.179.151",
+ "action": "read error",
+ "error": "connection timed out",
+ }
+
+
+def test_process_key_exchange_identification():
+ processor = OpenSshdParser()
+ message = "error: kex_exchange_identification: Connection closed by remote host"
+ assert processor.process({"message": message}) == {
+ "message": message,
+ "action": "kex_exchange_identification",
+ "error": "connection closed by remote host",
+ }
+
+
+def test_process_connect_failed():
+ processor = OpenSshdParser()
+ message = "channel 3: open failed: connect failed: Connection refused"
+ assert processor.process({"message": message}) == {
+ "message": message,
+ "action": "connect failed",
+ "error": "connection refused",
+ }
+
def test_process_connection_transferred():
processor = OpenSshdParser()