Open jrossi opened 10 years ago
Do we have a log sample for testing?
Something we should collect with anything like this so that I don't have to figure it out from the regex ;)
Note: This comment has been automatically migrated from Bitbucket Created by jrossi on 2013-09-24 14:25:18+00:00
Aug 2 11:15:03 172.16.0.1 web: [172.16.0.2] LOGIN (admin)
Note: This comment has been automatically migrated from Bitbucket Created by jrossi on 2013-09-24 15:05:34+00:00
I have started looking into this, and this is the only code in OSSEC that I still don't understand. From a basic code review I don't see where the problem is coming up. I will spend some more time looking into this over the coming days.
Note: This comment has been automatically migrated from Bitbucket Created by jrossi on 2013-10-16 19:18:52+00:00
Hi, I think the end of a string is causing this problem. With the test binary in src/os_regex/examples I get
    #!shell
    ./regex_str "(\S+)t" "hellot"
    next pt: 't'
    substrings:
    0: !hellot!
and
    #!shell
    ./regex_str "(\S+)t" "hellott"
    next pt: 'tt'
    substrings:
    0: !hello!
Can you take a look at src/os_regex/os_regex_execute.c:273-276? If I delete the "if" condition and make the "else" condition the default (by deleting lines 273, 274 and 275) it works for me and the test script ./run.sh does not complain about a wrong test regex.
Note: This comment has been automatically migrated from Bitbucket Created by cgzones on 2013-10-17 13:06:51+00:00
With the following decoder:
And the following log line: Aug 2 11:15:03 172.16.0.1 web: [172.16.0.2] LOGIN (admin)
Username of admin is decoded with a trailing ) (e.g. "admin)"). The trailing ) is escaped in the decoder, so should not be included in the decoded username. Various other combinations, such as \p$ instead of )$ have also been tried with no success.
Note: This issue has been automatically migrated from Bitbucket Created by mstarks01 on 2013-08-05 19:28:20+00:00, last updated: 2013-10-17 13:06:51+00:00