From 595db7a9489e3ceac3754f18cefab0f06baf68bf Mon Sep 17 00:00:00 2001
From: banditopazzo <banditopazzo@gmail.com>
Date: Tue, 7 Jan 2020 17:47:59 +0100
Subject: [PATCH 1/3] added jupyter hub support

---
 decoders/0485-jupyterhub_decoders.xml    | 17 +++++++++
 rules/0690-jupyterhub_rules.xml          | 44 ++++++++++++++++++++++++
 tools/rules-testing/tests/jupyterhub.ini | 22 ++++++++++++
 3 files changed, 83 insertions(+)
 create mode 100644 decoders/0485-jupyterhub_decoders.xml
 create mode 100644 rules/0690-jupyterhub_rules.xml
 create mode 100644 tools/rules-testing/tests/jupyterhub.ini

diff --git a/decoders/0485-jupyterhub_decoders.xml b/decoders/0485-jupyterhub_decoders.xml
new file mode 100644
index 000000000..18d13c79d
--- /dev/null
+++ b/decoders/0485-jupyterhub_decoders.xml
@@ -0,0 +1,17 @@
+<!--JUPYTERHUB-->
+
+<!--
+-  JupyterHub ruleset
+-  Created by banditopazzo.
+-  Copyright (C) 2015-2019, Wazuh Inc.
+-  This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2.
+-->
+
+<!-- ID: 88300 - 88399 -->
+
+<decoder name="jupyterhub">
+	<program_name>^python3</program_name>
+	<prematch>JupyterHub</prematch>
+	<regex>(\d\d\d\d-\d\d-\d\d) (\d\d:\d\d:\d\d)</regex>
+	<order>date,time</order>
+</decoder>
diff --git a/rules/0690-jupyterhub_rules.xml b/rules/0690-jupyterhub_rules.xml
new file mode 100644
index 000000000..7c1d9e5be
--- /dev/null
+++ b/rules/0690-jupyterhub_rules.xml
@@ -0,0 +1,44 @@
+<!--JUPYTERHUB-->
+
+<!--
+-  JupyterHub ruleset
+-  Created by banditopazzo.
+-  Copyright (C) 2015-2019, Wazuh Inc.
+-  This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2.
+-->
+
+<!-- ID: 88300 - 88399 -->
+
+<group name="syslog,jupyterhub">
+
+	<rule id="88300" level="0">
+		<decoded_as>jupyterhub</decoded_as>
+		<description>JupyterHub messages grouped.</description>
+		<options>no_full_log</options>
+	</rule>
+
+	<rule id="88301" level="6">
+		<if_sid>88300</if_sid>
+		<match>User logged out:</match>
+		<description>JupyterHub logout successful.</description>
+		<group>pci_dss_10.2.4,pci_dss_10.2.5,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,</group>
+		<options>no_full_log</options>
+	</rule>
+
+	<rule id="88302" level="6">
+		<if_sid>88300</if_sid>
+		<match>User logged in:</match>
+		<description>JupyterHub authentication successful.</description>
+		<group>authentication_success,pci_dss_10.2.4,pci_dss_10.2.5,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,</group>
+		<options>no_full_log</options>
+	</rule>
+
+	<rule id="88303" level="6">
+		<if_sid>88300</if_sid>
+		<match>Failed login for </match>
+		<description>JupyterHub authentication failed.</description>
+		<group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,</group>
+		<options>no_full_log</options>
+	</rule>
+
+</group>
diff --git a/tools/rules-testing/tests/jupyterhub.ini b/tools/rules-testing/tests/jupyterhub.ini
new file mode 100644
index 000000000..d24e80c69
--- /dev/null
+++ b/tools/rules-testing/tests/jupyterhub.ini
@@ -0,0 +1,22 @@
+[JupyterHub logout successful.]
+log 1 pass = Jan  7 14:40:51 BigDataScientistPlatform python3[3393]: [I 2020-01-07 14:40:51.829 JupyterHub login:43] User logged out: myusername
+
+
+rule = 88301
+alert = 6
+decoder = jupyterhub
+
+[JupyterHub authentication successful.]
+log 1 pass = Jan  7 14:40:03 BigDataScientistPlatform python3[3393]: [I 2020-01-07 14:40:03.639 JupyterHub base:663] User logged in: myusername
+
+
+rule = 88302
+alert = 6
+decoder = jupyterhub
+
+[JupyterHub authentication failed.]
+log 1 pass = Jan  7 14:38:49 BigDataScientistPlatform python3[3393]: [W 2020-01-07 14:38:49.394 JupyterHub base:670] Failed login for myusername
+
+rule = 88303
+alert = 6
+decoder = jupyterhub

From 216f56abce3b4c88708f241692701597cd94d90c Mon Sep 17 00:00:00 2001
From: banditopazzo <banditopazzo@gmail.com>
Date: Tue, 7 Jan 2020 17:50:04 +0100
Subject: [PATCH 2/3] fixed empty lines in test

---
 tools/rules-testing/tests/jupyterhub.ini | 2 --
 1 file changed, 2 deletions(-)

diff --git a/tools/rules-testing/tests/jupyterhub.ini b/tools/rules-testing/tests/jupyterhub.ini
index d24e80c69..884e68af2 100644
--- a/tools/rules-testing/tests/jupyterhub.ini
+++ b/tools/rules-testing/tests/jupyterhub.ini
@@ -1,7 +1,6 @@
 [JupyterHub logout successful.]
 log 1 pass = Jan  7 14:40:51 BigDataScientistPlatform python3[3393]: [I 2020-01-07 14:40:51.829 JupyterHub login:43] User logged out: myusername
 
-
 rule = 88301
 alert = 6
 decoder = jupyterhub
@@ -9,7 +8,6 @@ decoder = jupyterhub
 [JupyterHub authentication successful.]
 log 1 pass = Jan  7 14:40:03 BigDataScientistPlatform python3[3393]: [I 2020-01-07 14:40:03.639 JupyterHub base:663] User logged in: myusername
 
-
 rule = 88302
 alert = 6
 decoder = jupyterhub

From dd4f384f331d31457ca17382e717440d51e85b87 Mon Sep 17 00:00:00 2001
From: banditopazzo <banditopazzo@gmail.com>
Date: Wed, 22 Jan 2020 11:28:29 +0100
Subject: [PATCH 3/3] jupyterhub user field extraction

---
 decoders/0485-jupyterhub_decoders.xml | 10 ++++++++++
 rules/0690-jupyterhub_rules.xml       |  6 +++---
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/decoders/0485-jupyterhub_decoders.xml b/decoders/0485-jupyterhub_decoders.xml
index 18d13c79d..3673ab34d 100644
--- a/decoders/0485-jupyterhub_decoders.xml
+++ b/decoders/0485-jupyterhub_decoders.xml
@@ -12,6 +12,16 @@
 <decoder name="jupyterhub">
 	<program_name>^python3</program_name>
 	<prematch>JupyterHub</prematch>
+</decoder>
+
+<decoder name="jupyterhub-add">
+	<parent>jupyterhub</parent>
 	<regex>(\d\d\d\d-\d\d-\d\d) (\d\d:\d\d:\d\d)</regex>
 	<order>date,time</order>
 </decoder>
+
+<decoder name="jupyterhub-add">
+	<parent>jupyterhub</parent>
+	<regex offset="after_regex">User logged out: (\S+)|User logged in: (\S+)|Failed login for (\S+)</regex>
+	<order>user</order>
+</decoder>
diff --git a/rules/0690-jupyterhub_rules.xml b/rules/0690-jupyterhub_rules.xml
index 7c1d9e5be..89f55803e 100644
--- a/rules/0690-jupyterhub_rules.xml
+++ b/rules/0690-jupyterhub_rules.xml
@@ -20,7 +20,7 @@
 	<rule id="88301" level="6">
 		<if_sid>88300</if_sid>
 		<match>User logged out:</match>
-		<description>JupyterHub logout successful.</description>
+		<description>JupyterHub successful logout $(dstuser) account.</description>
 		<group>pci_dss_10.2.4,pci_dss_10.2.5,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,</group>
 		<options>no_full_log</options>
 	</rule>
@@ -28,7 +28,7 @@
 	<rule id="88302" level="6">
 		<if_sid>88300</if_sid>
 		<match>User logged in:</match>
-		<description>JupyterHub authentication successful.</description>
+		<description>JupyterHub successful authentication $(dstuser) account.</description>
 		<group>authentication_success,pci_dss_10.2.4,pci_dss_10.2.5,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,</group>
 		<options>no_full_log</options>
 	</rule>
@@ -36,7 +36,7 @@
 	<rule id="88303" level="6">
 		<if_sid>88300</if_sid>
 		<match>Failed login for </match>
-		<description>JupyterHub authentication failed.</description>
+		<description>JupyterHub failed authentication $(dstuser) account.</description>
 		<group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,</group>
 		<options>no_full_log</options>
 	</rule>