Open J-A-Sec opened 6 days ago
Hi @J-A-Sec , thanks for the recommended change. Do you want to add a PR with this change as well?
Line in question: https://github.com/google/timesketch/blob/master/data/regex_features.yaml#L128
@tomchop fyi as author of the regex line affected, any objections?
No objections! This change makes sense.
The regex at line 128 in regex_features.yaml to extract client IP addresses from SSH logs does not account for usernames containing a full stop "."
I suggest amending this to something like the below. I have not tested all permutations of username, but the suggested regex assumes any character compliant with POSIX.1-2017.
Original:

```
(?:Accepted|Failed) (?:password|publickey) for \w+ from ((?:[0-9]{1,3}\.){3}[0-9]{1,3}) port \d+
```

Suggested:

```
(?:Accepted|Failed) (?:password|publickey) for [A-Za-z0-9._-]+? from ((?:[0-9]{1,3}\.){3}[0-9]{1,3}) port \d+
```
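Added example (not Timesketch's own code, and not part of the issue): both regexes quoted above run over constructed sshd log lines, so it is visible which usernames the original pattern silently drops and the suggested one keeps. The log lines and addresses are made up for the demonstration.

```python
import re

# Original pattern as quoted in the issue: "\w+" stops at '.' and '-' in a username.
ORIGINAL_RE = re.compile(
    r"(?:Accepted|Failed) (?:password|publickey) for \w+ from "
    r"((?:[0-9]{1,3}\.){3}[0-9]{1,3}) port \d+"
)

# Suggested pattern from the issue: username class also admits '.', '_' and '-'.
SUGGESTED_RE = re.compile(
    r"(?:Accepted|Failed) (?:password|publickey) for [A-Za-z0-9._-]+? from "
    r"((?:[0-9]{1,3}\.){3}[0-9]{1,3}) port \d+"
)

# Constructed sample sshd lines (documentation-range addresses, not real data).
SAMPLE_LINES = [
    "Accepted publickey for alice from 203.0.113.10 port 51234 ssh2",
    "Failed password for john.doe from 198.51.100.7 port 40022 ssh2",
    "Accepted password for svc_backup-01 from 192.0.2.33 port 2222 ssh2",
]


def extract_client_ips(lines, pattern):
    """Return one entry per line: the captured client IP, or None if no match.

    Keeping None for non-matching lines makes coverage gaps visible instead of
    silently shrinking the result list.
    """
    results = []
    for line in lines:
        match = pattern.search(line)
        results.append(match.group(1) if match else None)
    return results


def missed_lines(lines, pattern):
    """Return the sample lines that the given pattern fails to extract an IP from."""
    return [line for line, ip in zip(lines, extract_client_ips(lines, pattern)) if ip is None]


if __name__ == "__main__":
    for name, pattern in (("original", ORIGINAL_RE), ("suggested", SUGGESTED_RE)):
        print(name, extract_client_ips(SAMPLE_LINES, pattern))
        for line in missed_lines(SAMPLE_LINES, pattern):
            print("  missed:", line)
```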