Jupyterhub support #540

Open
wants to merge 3 commits into base: master

Conversation

banditopazzo (Contributor)

added basic rules for JupyterHub

@Zenidd Zenidd self-assigned this Jan 8, 2020
@Zenidd Zenidd requested review from Zenidd and vikman90 January 8, 2020 10:29
@Zenidd Zenidd (Contributor) left a comment

Thanks for your contribution @banditopazzo ! The decoders and rules are ok. It's really cool that you also wrote the related tests.

Could you add a decoder for the user field extraction? This way its value could be used as a filter on the rules side. I think something like the example below should do the trick:

<decoder name="jupyterhub">
        <parent>jupyterhub</parent>
        <regex>User logged out: (\S+)|User logged in: (\S+)|Failed login for (\S+)</regex>
        <order>user</order>
</decoder>

It would be great if you also added the user value to your rule descriptions, as in the example below:

<description>JupyterHub successful logout $(user) account</description>

Let me know if I can provide further guidance. Greetings,
JP Sáez

@banditopazzo (Contributor, Author)

Hi @Zenidd, I tried your suggestion, but if I insert the new decoder for the user field extraction it doesn't extract the already extracted fields (date, time) anymore.

I don't know how to write a single regex that matches every case, and above all I don't know if it's the best way of doing it.

@Zenidd (Contributor)

Zenidd commented Jan 14, 2020

Hello again @banditopazzo,

I forgot to mention that you should split your decoder into two parts: first the prematch stage, then the regex sections in each child decoder, as in the example below. Let me know if it works for you.

<decoder name="jupyterhub">
        <program_name>^python3</program_name>
        <prematch>JupyterHub</prematch>
</decoder>


<decoder name="jupyterhub-add">
        <parent>jupyterhub</parent>
        <regex>(\d\d\d\d-\d\d-\d\d) (\d\d:\d\d:\d\d)</regex>
        <order>date,time</order>
</decoder>


<decoder name="jupyterhub-add">
        <parent>jupyterhub</parent>
        <regex offset="after_regex">User logged out: (\S+)|User logged in: (\S+)|Failed login for (\S+)</regex>
        <order>user</order>
</decoder>

ossec-logtest example

Jan  7 14:38:49 BigDataScientistPlatform python3[3393]: [W 2020-01-07 14:38:49.394 JupyterHub base:670] Failed login for myusername
**Phase 1: Completed pre-decoding.
       full event: 'Jan  7 14:38:49 BigDataScientistPlatform python3[3393]: [W 2020-01-07 14:38:49.394 JupyterHub base:670] Failed login for myusername'
       timestamp: 'Jan  7 14:38:49'
       hostname: 'BigDataScientistPlatform'
       program_name: 'python3'
       log: '[W 2020-01-07 14:38:49.394 JupyterHub base:670] Failed login for myusername'

**Phase 2: Completed decoding.
       decoder: 'jupyterhub'
       date: '2020-01-07'
       time: '14:38:49'
       dstuser: 'myusername'

**Phase 3: Completed filtering (rules).
       Rule id: '88303'
       Level: '6'
       Description: 'JupyterHub authentication failed.'
**Alert to be generated.

Let me know how it goes. Greetings,
JP Sáez
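The two review comments above describe the parent/child decoder layout, the `offset="after_regex"` chaining and the `$(field)` expansion in rule descriptions without showing how the pieces fit together at runtime. The script below is an added example (not Wazuh's code and not part of this PR) that parses exactly the decoder XML suggested above and replays the three ossec-logtest phases over sample lines in simplified form: the syslog header split is a minimal regex, OSSEC regex syntax is approximated with Python `re`, sibling decoders are treated as one chain in file order, and rule ids 88301/88302 with their levels are hypothetical placeholders (only 88303, level 6, comes from the logtest output). The first sample line is the one from the thread; the other three are constructed.

```python
# Added example (not Wazuh's or the PR's code): replays the three ossec-logtest
# phases over the decoder XML suggested above, approximating OSSEC regex with re.
import re
import xml.etree.ElementTree as ET

DECODERS_XML = r"""<decoders>
<decoder name="jupyterhub">
  <program_name>^python3</program_name>
  <prematch>JupyterHub</prematch>
</decoder>
<decoder name="jupyterhub-add">
  <parent>jupyterhub</parent>
  <regex>(\d\d\d\d-\d\d-\d\d) (\d\d:\d\d:\d\d)</regex>
  <order>date,time</order>
</decoder>
<decoder name="jupyterhub-add">
  <parent>jupyterhub</parent>
  <regex offset="after_regex">User logged out: (\S+)|User logged in: (\S+)|Failed login for (\S+)</regex>
  <order>user</order>
</decoder>
</decoders>"""

# <order>user</order> is stored as dstuser, which is why the logtest output
# above prints dstuser and the descriptions must reference $(dstuser).
FIELD_ALIASES = {"user": "dstuser"}
# Phase 1: simplified syslog header split (timestamp, host, program[pid]: log).
SYSLOG_RE = re.compile(r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
                       r"(?P<hostname>\S+) (?P<program_name>[^\[ :]+)(?:\[\d+\])?: (?P<log>.*)$")

def load_decoders(xml_text):
    """Parent decoders, plus each parent's child decoders in file order."""
    parents, children = [], {}
    for d in ET.fromstring(xml_text).findall("decoder"):
        rx = d.find("regex")
        spec = {"name": d.get("name"), "program_name": d.findtext("program_name"),
                "prematch": d.findtext("prematch"),
                "regex": re.compile(rx.text) if rx is not None else None,
                "offset": rx.get("offset") if rx is not None else None,
                "order": [f.strip() for f in (d.findtext("order") or "").split(",") if f.strip()]}
        if d.findtext("parent"):
            children.setdefault(d.findtext("parent"), []).append(spec)
        else:
            parents.append(spec)
    return parents, children

PARENTS, CHILDREN = load_decoders(DECODERS_XML)

def decode(event):
    """Phase 2: parent prematch, then the sibling regex chain; returns the field dict."""
    m = SYSLOG_RE.match(event)
    if not m:
        return None
    fields, log = m.groupdict(), m.group("log")
    for parent in PARENTS:
        if parent["program_name"] and not re.search(parent["program_name"], fields["program_name"]):
            continue
        if parent["prematch"] and not re.search(parent["prematch"], log):
            continue
        fields["decoder"] = parent["name"]
        pos = 0  # end of the previous sibling's match: where after_regex starts searching
        for child in CHILDREN.get(parent["name"], []):
            cm = child["regex"].search(log, pos if child["offset"] == "after_regex" else 0)
            if cm is None:
                break  # a failing link ends the chain; fields already extracted are kept
            values = [g for g in cm.groups() if g is not None]  # only the matched alternative
            for name, value in zip(child["order"], values):
                fields[FIELD_ALIASES.get(name, name)] = value
            pos = cm.end()
        break
    return fields

# Rule 88303/level 6 is the one in the logtest output, with $(dstuser) added to
# its description as suggested; the login/logout ids and levels are hypothetical.
RULES = [{"id": "88303", "level": 6, "match": "Failed login for",
          "description": "JupyterHub authentication failed for $(dstuser)."},
         {"id": "88301", "level": 3, "match": "User logged in:",
          "description": "JupyterHub successful login $(dstuser) account."},
         {"id": "88302", "level": 3, "match": "User logged out:",
          "description": "JupyterHub successful logout $(dstuser) account."}]

def match_rule(fields):
    """Phase 3: first rule whose match string occurs in a jupyterhub-decoded log."""
    if not fields or fields.get("decoder") != "jupyterhub":
        return None
    for rule in RULES:
        if rule["match"] in fields["log"]:
            desc = re.sub(r"\$\((\w+)\)", lambda v: fields.get(v.group(1), ""), rule["description"])
            return {"id": rule["id"], "level": rule["level"], "description": desc}
    return None

def logtest(event):
    fields = decode(event)
    return fields, match_rule(fields)

# First line is the one from the thread; the other three are constructed.
SAMPLE_EVENTS = [
    "Jan  7 14:38:49 BigDataScientistPlatform python3[3393]: [W 2020-01-07 14:38:49.394 JupyterHub base:670] Failed login for myusername",
    "Jan  7 14:40:12 BigDataScientistPlatform python3[3393]: [I 2020-01-07 14:40:12.101 JupyterHub base:707] User logged in: alice",
    "Jan  7 15:02:03 BigDataScientistPlatform python3[3393]: [I 2020-01-07 15:02:03.555 JupyterHub base:530] User logged out: alice",
    "Jan  7 15:02:04 BigDataScientistPlatform sshd[2201]: Accepted publickey for bob from 10.0.0.5 port 50000 ssh2",
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(logtest(ev))
```

The point to watch is the `pos` bookkeeping: because the second `jupyterhub-add` decoder uses `offset="after_regex"`, its search only starts after the `date`/`time` match, so the first decoder's captures survive, which is the difference between this layout and the single combined regex that lost them. The sshd line shows the parent `<program_name>` filter rejecting non-JupyterHub events before any child regex runs, so the rule stage never sees them.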

@banditopazzo (Contributor, Author)

Hi @Zenidd ,

Thank you for helping me understand how the decoders work. I have updated the files like you said, except I had to use dstuser instead of user in the message description, because user is a kind of reserved field, I think.

regards

@vikman90 vikman90 changed the base branch from master to develop July 31, 2020 12:07
@vikman90 vikman90 changed the base branch from develop to master September 25, 2020 08:20