Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Handle extracting IP address from unnamed Data element that isn't the first child of EventData #8

Closed
Aldaviva opened this issue Dec 8, 2022 · 0 comments
Closed

Handle extracting IP address from unnamed Data element that isn't the first child of EventData #8

Aldaviva opened this issue Dec 8, 2022 · 0 comments
Assignees
@Aldaviva
Labels
enhancement New feature or request
Milestone
1.1.0

Comments

@Aldaviva
Copy link
Owner

Aldaviva commented Dec 8, 2022

Event log entries have the IP address in one of the child Data elements inside the EventData element.

Currently, there are two ways to specify which Data element to search for the IP address in:

  • by name, if the Data element happens to have a Name attribute, set ipAddressEventDataName to the attribute value (e.g. payload) 
    <EventData>
    <Data Name="process">sshd</Data>
    <Data Name="payload">Failed password for invalid user foo bar from 192.168.1.7 port 49721 ssh2</Data>
</EventData>
  • the first one, if the Data element does not have a Name attribute 
    <EventData>
    <Data>Failed password for invalid user foo bar from 192.168.1.7 port 49721 ssh2</Data>
</EventData>

This does not handle the case where there are multiple unnamed Data elements, and the IP address is not in the first one.

<EventData>
    <Data>a</Data>
    <Data>b</Data>
    <Data>c</Data>
    <Data>1.2.3.4</Data>
</EventData>

I can think of two approaches that may help:

  • if ipAddressEventDataName is empty, iterate through all child Data elements until a match is found, instead of only looking at the first one
  • allow the rule to specify the index of the unnamed data element, such as 3, not just the Name attribute value
@Aldaviva Aldaviva added the enhancement New feature or request label Dec 8, 2022
@Aldaviva Aldaviva self-assigned this Dec 8, 2022
Aldaviva added a commit that referenced this issue Dec 8, 2022
@Aldaviva
#8: Handle extracting IP address from unnamed Data element that isn't…
9aee9ee 
… the first child of EventData
@Aldaviva Aldaviva added this to the 1.1.0 milestone Dec 8, 2022
@Aldaviva Aldaviva closed this as completed Dec 9, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Aldaviva Aldaviva

Labels
enhancement New feature or request
Projects
None yet
Milestone
1.1.0
Development

No branches or pull requests
1 participant
@Aldaviva