From 124b913abcba550ca78f4c5943a9f7d933b18ddb Mon Sep 17 00:00:00 2001
From: Justin Ludwig
Date: Wed, 11 Mar 2020 12:19:53 -0700
Subject: [PATCH] Add 5 more actions to opensshd parser:

* disconnected from user
* accepted key ... found at
* read error with port
* kex exchange identification
* connect failed

Signed-off-by: Justin Ludwig
---
 .../transformer/processor/open_sshd_parser.py | 11 +++-
 .../test/processor/test_open_sshd_parser.py | 52 +++++++++++++++++++
 2 files changed, 62 insertions(+), 1 deletion(-)

diff --git a/transformer/furemcape/transformer/processor/open_sshd_parser.py b/transformer/furemcape/transformer/processor/open_sshd_parser.py
index 0fc9a39..19a0a29 100644
--- a/transformer/furemcape/transformer/processor/open_sshd_parser.py
+++ b/transformer/furemcape/transformer/processor/open_sshd_parser.py
@@ -20,11 +20,15 @@ MESSAGES = [
 r" for (?P.+?) from (?P\S+)"
 ),
 re.compile(r"(?PDid not receive identification string) from (?P\S+)"),
+ re.compile(
+ r"(?P(?:Connection|Disconnected)) from user (?P\S+) (?P\S+)"
+ ),
 re.compile(r"(?P(?:Connection|Disconnected)) from (?P\S+)"),
 re.compile(
 r"(?P(?:Accepted|Failed) publickey) for (?P.+?)"
 r" from (?P\S+) port \d+ \S+: (?P.+)"
 ),
+ re.compile(r"(?PAccepted key) (?P.+?) found at "),
 re.compile(
 r"pam_unix.sshd:session.: (?Psession (?:opened|closed))"
 r" for user (?P\S+)"
@@ -43,8 +47,13 @@ MESSAGES = [
 r" with (?P\S+) port \d+: (?P.+?)."
 r" Their offer: (?P.+)"
 ),
- re.compile(r"(?PRead error) from remote host (?P\S+): (?P.+)"),
+ re.compile(
+ r"(?PRead error) from remote host"
+ r" (?P\S+)(?: port \d+)?: (?P.+)"
+ ),
+ re.compile(r"error: (?Pkex_exchange_identification): (?P.+)"),
 re.compile(r"(?PPostponed publickey) for (?P.+?) from (?P\S+)"),
+ re.compile(r"channel \d+: open failed: (?Pconnect failed): (?P.+)"),
 re.compile(r"(?P(?:Transferred|User child))[: ]"),
 ]
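Review bot: The new `from user` pattern in the first hunk is only correct because it sits ahead of the existing `(?P(?:Connection|Disconnected)) from (?P\S+)` entry, which would also match `Disconnected from user justin 172.92.156.105 port 47184` and capture the word `user` as the address; nothing in the list says that ordering is load-bearing, so a comment such as `# must precede the plain "from" pattern below, which also matches these lines` above the new entry would stop a future reorder from silently mis-attributing disconnects. Whether the first matching entry wins depends on the loop that consumes MESSAGES, which is outside the hunk. Separately, the `Accepted key` pattern stops at `found at ` and drops the rest of the line, which in the test fixture is the authorized_keys path and line number; that is the part of the message that identifies which key entry authorized the login, so a third group over the remainder after `found at ` (a name like `path`, constructed here) would be worth capturing. The names inside the `(?P` groups have not survived this rendering, so the capture names can only be inferred from the test expectations (`action`, `user`, `ip`, `resource`).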
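Review bot: The new `kex_exchange_identification` pattern in the second hunk captures only `action` and `error`, so the parsed event carries no `ip`, which the matching test confirms; the fixture message says the peer closed the connection before identification completed, and without a source address such records cannot be attributed or rate-correlated on their own. I believe sshd logs the peer address on a neighbouring line rather than in this one, so the limitation is inherent to the message, but it deserves a comment on the entry, e.g. `# no peer address in this message; correlate with the adjacent connection line`. The `connect failed` entry likewise discards the channel number, which is fine for an action/error summary but worth stating in a comment so nobody later expects it in the output. The MESSAGES list begins before this hunk and its close is the hunk's last line.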
diff --git a/transformer/test/processor/test_open_sshd_parser.py b/transformer/test/processor/test_open_sshd_parser.py
index c9c3e16..d1f34d9 100644
--- a/transformer/test/processor/test_open_sshd_parser.py
+++ b/transformer/test/processor/test_open_sshd_parser.py
@@ -169,6 +169,17 @@ def test_process_disconnected_from():
 }
+def test_process_disconnected_from_user():
+ processor = OpenSshdParser()
+ message = "Disconnected from user justin 172.92.156.105 port 47184"
+ assert processor.process({"message": message}) == {
+ "message": message,
+ "user": "justin",
+ "ip": "172.92.156.105",
+ "action": "disconnected",
+ }
+
+
 def test_process_accepted_publickey():
 processor = OpenSshdParser()
 message = "Accepted publickey for dee from 74.133.6.0 port 59053 ssh2: RSA SHA256:kNQvizvVRmwyXTVioT58isAzLS3zd4BqkhGStn8v/GI" # noqa: E501
@@ -193,6 +204,16 @@ def test_process_failed_publickey():
 }
+def test_process_accepted_key():
+ processor = OpenSshdParser()
+ message = "Accepted key ED25519 SHA256:TP18lkc7zWi1Q1PDV0/5QzhOFVQ60EC5pJD8kS12XQp found at /home/dee/.ssh/authorized_keys:3" # noqa: E501
+ assert processor.process({"message": message}) == {
+ "message": message,
+ "action": "accepted key",
+ "resource": "ED25519 SHA256:TP18lkc7zWi1Q1PDV0/5QzhOFVQ60EC5pJD8kS12XQp",
+ }
+
+
 def test_process_postponed_publickey():
 processor = OpenSshdParser()
 message = (
@@ -321,6 +342,7 @@ def test_process_unable_to_negotiate():
 def test_process_read_error():
 processor = OpenSshdParser()
+ message = "Read error from remote host 66.42.179.151: Connection timed out"
 assert processor.process({"message": message}) == {
 "message": message,
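Review bot: The fixture message in the first hunk carries a real-looking public address (`172.92.156.105`) together with a username, and the later hunks add another address (`66.42.179.151`) and an ED25519 key fingerprint with its authorized_keys path; if these were lifted from production logs they publish host and key identity in the repository. RFC 5737 documentation ranges (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`) and a made-up fingerprint exercise the regexes equally well. The same applies to the `@@ -193` hunk in this file and to the `@@ -329` hunk that follows.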
@@ -329,6 +351,36 @@ def test_process_read_error():
 "error": "connection timed out",
 }
+ message = (
+ "Read error from remote host 66.42.179.151 port 55580: Connection timed out"
+ )
+ assert processor.process({"message": message}) == {
+ "message": message,
+ "ip": "66.42.179.151",
+ "action": "read error",
+ "error": "connection timed out",
+ }
+
+
+def test_process_key_exchange_identification():
+ processor = OpenSshdParser()
+ message = "error: kex_exchange_identification: Connection closed by remote host"
+ assert processor.process({"message": message}) == {
+ "message": message,
+ "action": "kex_exchange_identification",
+ "error": "connection closed by remote host",
+ }
+
+
+def test_process_connect_failed():
+ processor = OpenSshdParser()
+ message = "channel 3: open failed: connect failed: Connection refused"
+ assert processor.process({"message": message}) == {
+ "message": message,
+ "action": "connect failed",
+ "error": "connection refused",
+ }
+
 def test_process_connection_transferred():
 processor = OpenSshdParser()
-- 
2.26.2
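Review bot: `test_process_read_error` now rebinds `message` and asserts a second form inside the same test function, so a regression in the optional `port` handling reports under the same test name as the original form; a separate `test_process_read_error_with_port`, or `pytest.mark.parametrize` over the two messages, keeps the failures distinguishable. `test_process_key_exchange_identification` pins the absence of an `ip` key only implicitly through dict equality; a one-line comment such as `# this sshd message carries no peer address, so no "ip" key is expected` would make that an intentional contract rather than an accident of the fixture. The start of `test_process_read_error` lies in the previous hunk.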