
regex failing in decoder #519

Open
ghost opened this issue Jan 31, 2015 · 5 comments

Comments

@ghost

ghost commented Jan 31, 2015

I have the following regex in a decoder

<regex>^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: Security: (\w+)\((\d+)\): (\.+): </regex>
<regex>(\.+): \.+: (\S+): </regex>
<regex>(\.+)Source</regex>

and the following event

2015 Jan 31 11:46:55 WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: server: An account failed to log on. Subject:  Security ID:  S-1-5-18  Account Name:  server$  Account Domain:  WORKGROUP  Logon ID:  0x3e7  Logon Type:   10  Account For Which Logon Failed:  Security ID:  S-1-0-0  Account Name:  Administrator  Account Domain:  server  Failure Information:  Failure Reason:  %%2313  Status:   0xc000006d  Sub Status:  0xc000006a  Process Information:  Caller Process ID: 0x19d4  Caller Process Name: C:\Windows\System32\winlogon.exe  Network Information:  Workstation Name: server  Source Network Address: 1.1.1.1  Source Port:  1591  Detailed Authentication Information:  Logon Process:  User32   Authentication Package: Negotiate  Transited Services: -  Package Name (NTLM only): -  Key Length:  0  This event is generated when a logon request fails. It is generated on the computer where access was attempted.

Everything between the first "server: " and "Source Network Address" should be captured by the last regex tag. However, the regex not only fails, but also crashes. By removing the last tag, it works perfectly.

It looks like the system cannot use full words to stop processing the regex, like if (.+)Source fails because the word "Source" is used to stop the "eating process" of .+

Is this supposed to be the right behavior?

Thanks.
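Added example, not from the OSSEC project or from anyone in this thread: it approximates the three chained `<regex>` tags with Python's `re` module so the captures can be inspected offline against the event above. It assumes that OSSEC concatenates consecutive `<regex>` tags into one pattern and uses an assumed mapping of OSSEC's character classes (`\d`, `\w`, `\s`, `\S`, `\.`, `\p`) onto Python equivalents; it is not OSSEC's engine and models none of its internal limits, so ossec-logtest remains the authoritative check. It also goes one step past the thread by trying a hypothetical variant of the last tag, `(\.+) Source Network Address: (\S+)`, that spells out the full field label.

```python
import re

# Assumed mapping from OSSEC os_regex character classes to Python `re`
# equivalents. It approximates the documented OSSEC syntax only; it is not the
# OSSEC engine and does not model that engine's buffer or capture limits.
OSSEC_CLASSES = {
    "d": "[0-9]",            # \d  digit
    "D": "[^0-9]",           # \D  non-digit
    "w": "[A-Za-z0-9_]",     # \w  word character
    "W": "[^A-Za-z0-9_]",    # \W  non-word character
    "s": " ",                # \s  a single space
    "S": "[^ ]",             # \S  anything but a space
    "t": "\t",               # \t  tab
    ".": ".",                # \.  any character (OSSEC's wildcard)
    "p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]""",  # \p  punctuation
}
OSSEC_META = set("()+*^$|")  # characters OSSEC treats as operators when unescaped


def ossec_to_python(pattern):
    """Translate the body of one OSSEC <regex> tag into Python `re` syntax."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            # A known class becomes its Python equivalent; anything else that
            # is escaped (such as \( and \)) is a literal character.
            out.append(OSSEC_CLASSES.get(nxt, re.escape(nxt)))
            i += 2
        elif ch in OSSEC_META:
            out.append(ch)             # groups, quantifiers, anchors, alternation
            i += 1
        else:
            out.append(re.escape(ch))  # in OSSEC an unescaped '.' is a literal dot
            i += 1
    return "".join(out)


def decode(regex_tags, event):
    """Join the tags into one pattern (assumed OSSEC behaviour), match the
    event, and return the captured groups, or None when there is no match."""
    combined = "".join(ossec_to_python(tag) for tag in regex_tags)
    match = re.search(combined, event)
    return match.groups() if match else None


# The three <regex> tags from the issue, in order.
DECODER_REGEX_TAGS = [
    r"^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: Security: (\w+)\((\d+)\): (\.+): ",
    r"(\.+): \.+: (\S+): ",
    r"(\.+)Source",
]

# Hypothetical variant of the last tag: spell out the field label so the
# boundary of the capture is unambiguous and the address becomes a group.
ALT_REGEX_TAGS = DECODER_REGEX_TAGS[:2] + [r"(\.+) Source Network Address: (\S+)"]

# The event from the issue (constructed test input; the double spaces are
# part of the original Windows event text).
SAMPLE_EVENT = (
    "2015 Jan 31 11:46:55 WinEvtLog: Security: AUDIT_FAILURE(4625): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: server: "
    "An account failed to log on. Subject:  Security ID:  S-1-5-18  "
    "Account Name:  server$  Account Domain:  WORKGROUP  Logon ID:  0x3e7  "
    "Logon Type:   10  Account For Which Logon Failed:  Security ID:  S-1-0-0  "
    "Account Name:  Administrator  Account Domain:  server  "
    "Failure Information:  Failure Reason:  %%2313  Status:   0xc000006d  "
    "Sub Status:  0xc000006a  Process Information:  Caller Process ID: 0x19d4  "
    r"Caller Process Name: C:\Windows\System32\winlogon.exe  "
    "Network Information:  Workstation Name: server  "
    "Source Network Address: 1.1.1.1  Source Port:  1591  "
    "Detailed Authentication Information:  Logon Process:  User32   "
    "Authentication Package: Negotiate  Transited Services: -  "
    "Package Name (NTLM only): -  Key Length:  0  "
    "This event is generated when a logon request fails. "
    "It is generated on the computer where access was attempted."
)


if __name__ == "__main__":
    for label, tags in (("issue tags", DECODER_REGEX_TAGS), ("labelled tag", ALT_REGEX_TAGS)):
        print(label)
        for n, value in enumerate(decode(tags, SAMPLE_EVENT) or (), 1):
            print(f"  group {n}: {value!r}")
```

With Python's greedy matching the first five groups come out as `AUDIT_FAILURE`, `4625`, `Microsoft-Windows-Security-Auditing`, `(no user)` and `server`, but `(\.+)Source` stops at the last "Source" in the event (the one in "Source Port"), so the sixth group swallows "Source Network Address: 1.1.1.1" instead of stopping in front of it. Spelling out the label makes the boundary unambiguous and yields the address as its own group. Whether OSSEC's own engine backtracks the same way is a separate question; the thread shows it fails on this input, which is exactly why the emulation is only a first check before ossec-logtest.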

@ddpbsd
Member

ddpbsd commented Jan 31, 2015

Shouldn't those be (.+) ?
On Jan 31, 2015 12:33 PM, "mfbiux" notifications@github.com wrote:

I have the following regex in a decoder

^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: Security: (\w+)((\d+)):
(.+):
(.+): .+: (\S+):
(.+)Source

and the following event

2015 Jan 31 11:46:55 WinEvtLog: Security: AUDIT_FAILURE(4625):
Microsoft-Windows-Security-Auditing: (no user): no domain: server: An
account failed to log on. Subject: Security ID: S-1-5-18 Account Name:
server$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 10 Account
For Which Logon Failed: Security ID: S-1-0-0 Account Name: Administrator
Account Domain: server Failure Information: Failure Reason: %%2313 Status:
0xc000006d Sub Status: 0xc000006a Process Information: Caller Process ID:
0x19d4 Caller Process Name: C:\Windows\System32\winlogon.exe Network
Information: Workstation Name: server Source Network Address: 1.1.1.1
Source Port: 1591 Detailed Authentication Information: Logon Process:
User32 Authentication Package: Negotiate Transited Services: - Package Name
(NTLM only): - Key Length: 0 This event is generated when a logon request
fails. It is generated on the computer where access was attempted.

Everything between the first "server: " and "Source Network Address"
should be captured by the last regex tag. However, the regex not only
fails, but also crashes. By removing the last tag, it works perfectly.

It looks like the system cannot use full words to stop processing the
regex, like if (.+)Source fails because the word "Source" is used.

Is this supposed to be the right behavior?

Thanks.


@ghost
Author

ghost commented Feb 1, 2015

Yes, I apologize; the git editor removed the backslashes. I added them the right way.

Any ideas why this could be failing? I forgot to mention that the prematch:

^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: Security: \.* Source Network Address: \S+

works correctly: the .* bit of regex successfully parses everything between "... Security:" and " Source". It's like the problem is limited to the regex tag.

@jrossi
Member

jrossi commented Feb 1, 2015

Can you update them to use the code block section so that we can figure out what is happening? This has become very hard to follow with the changes. I have already edited your issue with the code block markdown syntax, but still need the content updated by you.

Thank you

@ghost
Author

ghost commented Feb 1, 2015

Thanks for the heads up, I couldn't find the code blocks option in the editor. I've updated the content accordingly.

@ddpbsd
Member

ddpbsd commented Feb 10, 2015

Using:

<regex>(\.+)Subject</regex>

seems to work; anything past that stops working.
