mpurzynski · August 25, 2017 18:03
diff --git a/something.py b/something.py

 import sys
 import os
 import re
 sys.path.append(os.path.join(os.path.dirname(__file__), "../../lib"))
 from utilities.toUTC import toUTC
 import pdb


 class message(object):
    
    def __init__(self):
        '''
        takes an incoming sshd message
        and sets the doc_type
        '''

        self.registration = ['sshd']
        self.priority = 5


    def parse_msg(self, message, rc):

        rm = {}

        try:
            rm = rc.match(message['_source']['summary']).groupdict()
        except:
            message['_source']['details']['parsingerror'] = 'True'
            pass

        return rm


    def onMessage(self, message, metadata):
        
        exps = []
        exps.append('(?P<authstatus>\w+) (?P<authmethod>\w+) for (?P<username>[a-zA-Z0-9\@._-]+) from (?P<sourceipaddress>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) port (?P<sourceport>\d{1,5}) ssh2(\:\sRSA\s)?(?:(?P<rsakeyfingerprint>(\w+\:){15}\w+))?')
            
        for exp in exps:
            rc = re.compile(exp)
            parsed_fields = self.parse_msg(message, rc)

        for k in parsed_fields:
            message['_source']['details'][k] = parsed_fields[k]

        return (message, metadata)

	import sys
	import os
	import re
	sys.path.append(os.path.join(os.path.dirname(__file__), "../../lib"))
	from utilities.toUTC import toUTC
	import pdb


	class message(object):

	def __init__(self):
	'''
	takes an incoming sshd message
	and sets the doc_type
	'''

	self.registration = ['sshd']
	self.priority = 5


	def parse_msg(self, message, rc):

	rm = {}

	try:
	rm = rc.match(message['_source']['summary']).groupdict()
	except:
	message['_source']['details']['parsingerror'] = 'True'
	pass

	return rm


	def onMessage(self, message, metadata):

	exps = []
	exps.append('(?P<authstatus>\w+) (?P<authmethod>\w+) for (?P<username>[a-zA-Z0-9\@._-]+) from (?P<sourceipaddress>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) port (?P<sourceport>\d{1,5}) ssh2(\:\sRSA\s)?(?:(?P<rsakeyfingerprint>(\w+\:){15}\w+))?')

	for exp in exps:
	rc = re.compile(exp)
	parsed_fields = self.parse_msg(message, rc)

	for k in parsed_fields:
	message['_source']['details'][k] = parsed_fields[k]

	return (message, metadata)
No results found