jrossi / issue-migration-test

GNU General Public License v2.0

Trailing ) Cannot Be Escaped in Decoder #44

Open jrossi opened 10 years ago

jrossi commented 10 years ago

With the following decoder:

```xml
<decoder name="barracuda-svf-admin">
  <program_name>^web</program_name>
</decoder>

<decoder name="barracuda-svf-admin-auth">
  <parent>barracuda-svf-admin</parent>
  <prematch>^[\d+.\d+.\d+.\d+] LOGIN|</prematch>
  <prematch>^[\d+.\d+.\d+.\d+] FAILED_LOGIN|</prematch>
  <prematch>^[\d+.\d+.\d+.\d+] LOGOUT</prematch>
  <regex offset="after_parent">^[(\d+.\d+.\d+.\d+)] (\S+) \((\S+)\)$</regex>
  <order>srcip,action,user</order>
</decoder>
```

And the following log line: Aug 2 11:15:03 172.16.0.1 web: [172.16.0.2] LOGIN (admin)

Username of admin is decoded with a trailing ) (e.g. "admin)"). The trailing ) is escaped in the decoder, so should not be included in the decoded username. Various other combinations, such as \p$ instead of )$ have also been tried with no success.

Note: This issue has been automatically migrated from Bitbucket. Created by mstarks01 on 2013-08-05 19:28:20+00:00, last updated: 2013-10-17 13:06:51+00:00

jrossi commented 10 years ago

Do we have a log sample for testing?

Something we should collect with anything like this, so that I don't have to figure it out from the regex ;)

Note: This comment has been automatically migrated from Bitbucket. Created by jrossi on 2013-09-24 14:25:18+00:00

jrossi commented 10 years ago

Aug 2 11:15:03 172.16.0.1 web: [172.16.0.2] LOGIN (admin)

Note: This comment has been automatically migrated from Bitbucket. Created by jrossi on 2013-09-24 15:05:34+00:00

jrossi commented 10 years ago

I have started looking into this, and this is the only code in OSSEC that I still don't understand. From a basic code review I don't see where the problem is coming up. I will spend some more time looking into this over the coming days.

Note: This comment has been automatically migrated from Bitbucket. Created by jrossi on 2013-10-16 19:18:52+00:00

jrossi commented 10 years ago

Hi, I think the end of a string is causing this problem. With the test binary in src/os_regex/examples I get

```shell
./regex_str "(\S+)t" "hellot"
next pt: 't'
substrings:
  0: !hellot!
```

and

```shell
./regex_str "(\S+)t" "hellott"
next pt: 'tt'
substrings:
  0: !hello!
```

Can you take a look at src/os_regex/os_regex_execute.c:273-276? If I delete the "if" condition and make the "else" condition the default (by deleting lines 273, 274 and 275), it works for me and the test script ./run.sh does not complain about a wrong test regex.

Note: This comment has been automatically migrated from Bitbucket. Created by cgzones on 2013-10-17 13:06:51+00:00