
124b913abcba550ca78f4c5943a9f7d933b18ddb — Justin Ludwig 8 months ago 2a16b9d
Add 5 more actions to opensshd parser:

* disconnected from user
* accepted key ... found at
* read error with port
* kex exchange identification
* connect failed

Signed-off-by: Justin Ludwig <justin@arcemtene.com>
M transformer/furemcape/transformer/processor/open_sshd_parser.py => transformer/furemcape/transformer/processor/open_sshd_parser.py +10 -1
@@ 20,11 20,15 @@ MESSAGES = [
        r" for (?P<user>.+?) from (?P<ip>\S+)"
    ),
    re.compile(r"(?P<error>Did not receive identification string) from (?P<ip>\S+)"),
    re.compile(
        r"(?P<action>(?:Connection|Disconnected)) from user (?P<user>\S+) (?P<ip>\S+)"
    ),
    re.compile(r"(?P<action>(?:Connection|Disconnected)) from (?P<ip>\S+)"),
    re.compile(
        r"(?P<action>(?:Accepted|Failed) publickey) for (?P<user>.+?)"
        r" from (?P<ip>\S+) port \d+ \S+: (?P<resource>.+)"
    ),
    re.compile(r"(?P<action>Accepted key) (?P<resource>.+?) found at "),
    re.compile(
        r"pam_unix.sshd:session.: (?P<action>session (?:opened|closed))"
        r" for user (?P<user>\S+)"


@@ 43,8 47,13 @@ MESSAGES = [
        r" with (?P<ip>\S+) port \d+: (?P<error>.+?)."
        r" Their offer: (?P<resource>.+)"
    ),
    re.compile(r"(?P<action>Read error) from remote host (?P<ip>\S+): (?P<error>.+)"),
    re.compile(
        r"(?P<action>Read error) from remote host"
        r" (?P<ip>\S+)(?: port \d+)?: (?P<error>.+)"
    ),
    re.compile(r"error: (?P<action>kex_exchange_identification): (?P<error>.+)"),
    re.compile(r"(?P<action>Postponed publickey) for (?P<user>.+?) from (?P<ip>\S+)"),
    re.compile(r"channel \d+: open failed: (?P<action>connect failed): (?P<error>.+)"),
    re.compile(r"(?P<action>(?:Transferred|User child))[: ]"),
]
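Review bot: The new `(?:Connection|Disconnected) from user (?P<user>\S+) (?P<ip>\S+)` entry works only because it sits ahead of the plain `(?:Connection|Disconnected) from (?P<ip>\S+)` pattern on the next line; if the parser takes the first matching entry, as the list shape suggests, swapping them would silently record the literal word `user` as the source ip. That ordering constraint is invisible in the list itself, so I would mark it: `# must precede the bare "from <ip>" form below, which would otherwise capture "user" as ip`. The same ordering dependency appears in the second hunk, where the `Read error ... (?: port \d+)?` pattern supersedes the single-line form above it. Separately, the `kex_exchange_identification` and `connect failed` entries capture no ip at all; if the corresponding sshd lines really carry no address, a comment saying the source has to be correlated from an adjacent connection line would save the next reader from hunting for a missing group. MESSAGES is defined outside the visible hunks.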


M transformer/test/processor/test_open_sshd_parser.py => transformer/test/processor/test_open_sshd_parser.py +52 -0
@@ 169,6 169,17 @@ def test_process_disconnected_from():
    }


def test_process_disconnected_from_user():
    processor = OpenSshdParser()
    message = "Disconnected from user justin 172.92.156.105 port 47184"
    assert processor.process({"message": message}) == {
        "message": message,
        "user": "justin",
        "ip": "172.92.156.105",
        "action": "disconnected",
    }


def test_process_accepted_publickey():
    processor = OpenSshdParser()
    message = "Accepted publickey for dee from 74.133.6.0 port 59053 ssh2: RSA SHA256:kNQvizvVRmwyXTVioT58isAzLS3zd4BqkhGStn8v/GI"  # noqa: E501


@@ 193,6 204,16 @@ def test_process_failed_publickey():
    }


def test_process_accepted_key():
    processor = OpenSshdParser()
    message = "Accepted key ED25519 SHA256:TP18lkc7zWi1Q1PDV0/5QzhOFVQ60EC5pJD8kS12XQp found at /home/dee/.ssh/authorized_keys:3"  # noqa: E501
    assert processor.process({"message": message}) == {
        "message": message,
        "action": "accepted key",
        "resource": "ED25519 SHA256:TP18lkc7zWi1Q1PDV0/5QzhOFVQ60EC5pJD8kS12XQp",
    }


def test_process_postponed_publickey():
    processor = OpenSshdParser()
    message = (


@@ 321,6 342,7 @@ def test_process_unable_to_negotiate():

def test_process_read_error():
    processor = OpenSshdParser()

    message = "Read error from remote host 66.42.179.151: Connection timed out"
    assert processor.process({"message": message}) == {
        "message": message,


@@ 329,6 351,36 @@ def test_process_read_error():
        "error": "connection timed out",
    }

    message = (
        "Read error from remote host 66.42.179.151 port 55580: Connection timed out"
    )
    assert processor.process({"message": message}) == {
        "message": message,
        "ip": "66.42.179.151",
        "action": "read error",
        "error": "connection timed out",
    }


def test_process_key_exchange_identification():
    processor = OpenSshdParser()
    message = "error: kex_exchange_identification: Connection closed by remote host"
    assert processor.process({"message": message}) == {
        "message": message,
        "action": "kex_exchange_identification",
        "error": "connection closed by remote host",
    }


def test_process_connect_failed():
    processor = OpenSshdParser()
    message = "channel 3: open failed: connect failed: Connection refused"
    assert processor.process({"message": message}) == {
        "message": message,
        "action": "connect failed",
        "error": "connection refused",
    }


def test_process_connection_transferred():
    processor = OpenSshdParser()
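Review bot: The new tests pin only one well-formed line per action and all of them assert on lowercased output, so nothing exercises how the greedy `(?P<error>.+)` group behaves when sshd appends a trailer to the line. If lines such as the kex_exchange_identification error can arrive with a ` [preauth]` suffix, as some sshd messages do, a second case in `test_process_key_exchange_identification` would pin whether the suffix lands in `error` or is stripped, for example `message = "error: kex_exchange_identification: Connection closed by remote host [preauth]"` followed by the expected dict. The `test_process_accepted_key` case also shows the authorized_keys path being dropped from the result; if that is intentional, an inline `# the matched authorized_keys path is not retained` comment would make the test's expectation read as a decision rather than an omission. `test_process_connection_transferred` continues past the end of the hunk.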