mssql: handle named instance in the parser (#867)

crowdsecurity · Nov 2, 2023 · 379257a · 379257a
1 parent 11b349d
commit 379257a
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 3 deletions.
diff --git a/.index.json b/.index.json
@@ -3995,7 +3995,7 @@
   "crowdsecurity/mssql-logs": {
    "path": "parsers/s01-parse/crowdsecurity/mssql-logs.yaml",
    "stage": "s01-parse",
-   "version": "0.2",
+   "version": "0.3",
    "versions": {
     "0.1": {
      "digest": "9c99578104a9158ada41bb8dd920575a83d494e6f6e2d166eb5773fb4d7023b1",
@@ -4004,10 +4004,14 @@
     "0.2": {
      "digest": "2c39d0c3f1cf4124d5e3cc113c733b2ef220522d01706b5434382240de10b147",
      "deprecated": false
+    },
+    "0.3": {
+     "digest": "b9dc0a3b53d5e1ad6eeae3e1beb04d01afe62111e80d5871b77caee2e7172cfd",
+     "deprecated": false
     }
    },
    "long_description": "UGFyc2VyIGZvciBNU1NRTCBMb2dzIHZpYSB3aW5ldmVudGxvZyBPUiBNU1NRTCBsb2dzIGZvciBbQXp1cmUtRWRnZS1TcWxdKGh0dHBzOi8vaHViLmRvY2tlci5jb20vXy9taWNyb3NvZnQtYXp1cmUtc3FsLWVkZ2UpIHZpYSBkb2NrZXIKCmBgYHlhbWwKLS0tCnNvdXJjZTogd2luZXZlbnRsb2cKZXZlbnRfY2hhbm5lbDogQXBwbGljYXRpb24KZXZlbnRfaWRzOgogLSAxODQ1NgpldmVudF9sZXZlbDogaW5mb3JtYXRpb24KbGFiZWxzOgogdHlwZTogbXNzcWwKLS0tCnNvdXJjZTogZG9ja2VyCmNvbnRhaW5lcl9pZDoKIC0gPERvY2tlciBDb250YWluZXIgSUQ+ICNBenVyZS1FZGdlLVNxbCBjb250YWluZXIgSUQKY29udGFpbmVyX25hbWVfcmVnZXhwOgogLSAuKm1zc3FsKgpsYWJlbHM6CiAgdHlwZTogbXNzcWwKYGBgCg==",
-   "content": "b25zdWNjZXNzOiBuZXh0X3N0YWdlCm5hbWU6IGNyb3dkc2VjdXJpdHkvbXNzcWwtbG9ncwpkZXNjcmlwdGlvbjogIlBhcnNlIG1zc3FsIGxvZ3MiCmZpbHRlcjogImV2dC5QYXJzZWQuQ2hhbm5lbCA9PSAnQXBwbGljYXRpb24nICYmIGV2dC5QYXJzZWQuU291cmNlID09ICdNU1NRTFNFUlZFUicgJiYgZXZ0LlBhcnNlZC5FdmVudElEID09ICcxODQ1NiciCm5vZGVzOgogIC0gZ3JvazoKICAgICAgcGF0dGVybjogIlJlYXNvbjogUGFzc3dvcmQgZGlkIG5vdCBtYXRjaCB0aGF0IGZvciB0aGUgbG9naW4gcHJvdmlkZWRcXC4iCiAgICAgIGV4cHJlc3Npb246IFhNTEdldE5vZGVWYWx1ZShldnQuTGluZS5SYXcsICIvRXZlbnQvRXZlbnREYXRhWzFdL0RhdGFbMl0iKQogICAgbm9kZXM6CiAgICAgIC0gZ3JvazoKICAgICAgICAgIHBhdHRlcm46ICJcXFtDTElFTlQ6ICV7SVA6c291cmNlX2lwfVxcXSIKICAgICAgICAgIGV4cHJlc3Npb246IFhNTEdldE5vZGVWYWx1ZShldnQuTGluZS5SYXcsICIvRXZlbnQvRXZlbnREYXRhWzFdL0RhdGFbM10iKQogICAgICAgICAgc3RhdGljczoKICAgICAgICAgICAgLSBtZXRhOiBzb3VyY2VfaXAKICAgICAgICAgICAgICBleHByZXNzaW9uOiBldnQuUGFyc2VkLnNvdXJjZV9pcAogICAgc3RhdGljczoKICAgICAgLSBtZXRhOiBzdWJ0eXBlCiAgICAgICAgdmFsdWU6IGJhZF9wYXNzd29yZAogIC0gZ3JvazoKICAgICAgcGF0dGVybjogIlJlYXNvbjogQ291bGQgbm90IGZpbmQgYSBsb2dpbiBtYXRjaGluZyB0aGUgbmFtZSBwcm92aWRlZFxcLiIKICAgICAgZXhwcmVzc2lvbjogWE1MR2V0Tm9kZVZhbHVlKGV2dC5MaW5lLlJhdywgIi9FdmVudC9FdmVudERhdGFbMV0vRGF0YVsyXSIpCiAgICBub2RlczoKICAgICAgLSBncm9rOgogICAgICAgICAgcGF0dGVybjogIlxcW0NMSUVOVDogJXtJUDpzb3VyY2VfaXB9XFxdIgogICAgICAgICAgZXhwcmVzc2lvbjogWE1MR2V0Tm9kZVZhbHVlKGV2dC5MaW5lLlJhdywgIi9FdmVudC9FdmVudERhdGFbMV0vRGF0YVszXSIpCiAgICAgICAgICBzdGF0aWNzOgogICAgICAgICAgICAtIG1ldGE6IHNvdXJjZV9pcAogICAgICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5QYXJzZWQuc291cmNlX2lwCiAgICBzdGF0aWNzOgogICAgICAtIG1ldGE6IHN1YnR5cGUKICAgICAgICB2YWx1ZTogYmFkX3VzZXIKc3RhdGljczoKICAtIG1ldGE6IGxvZ190eXBlCiAgICB2YWx1ZTogbXNzcWxfZmFpbGVkX2F1dGgKICAtIG1ldGE6IHVzZXIKICAgIGV4cHJlc3Npb246IFhNTEdldE5vZGVWYWx1ZShldnQuTGluZS5SYXcsICIvRXZlbnQvRXZlbnREYXRhWzFdL0RhdGFbMV0iKQotLS0Kb25zdWNjZXNzOiBuZXh0X3N0YWdlCm5hbWU6IGNyb3dkc2VjdXJpdHkvbXNzcWwtdGV4dC1sb2dzCmRlc2NyaXB0aW9uOiAiUGFyc2UgbXNzcWwgbG9ncyIKZmlsdGVyOiAiZXZ0LlBhcnNlZC5wcm9ncmFtID09ICdtc3NxbCciCnBhdHRlcm5fc3ludGF4OgogIERBVEVfWU1EOiAiJXtZRUFSOnllYXJ9LSV7TU9OVEhOVU06bW9udGh9LSV7TU9OVEhEQVk6ZGF5fSIKbm9kZXM6CiAgLSBncm9rOgogICAgICBwYXR0ZXJuOiAiJXtEQVRFX1lNRDpkYXRlfSAle1RJTUU6dGltZX0gTG9nb24uKkxvZ2luIGZhaWxlZCBmb3IgdXNlciAnJXtOT1REUVVPVEU6dXNlcn0nLiBSZWFzb246ICV7R1JFRURZREFUQTpyZWFzb25fbWVzc2FnZX0uIFxcW0NMSUVOVDogJXtJUE9SSE9TVDpzb3VyY2VfaXB9XFxdIgogICAgICBhcHBseV9vbjogbWVzc2FnZQogICAgb25zdWNjZXNzOiBuZXh0X3N0YWdlCiAgICBub2RlczoKICAgICAgLSBmaWx0ZXI6ICJldnQuUGFyc2VkLnJlYXNvbl9tZXNzYWdlID09ICdQYXNzd29yZCBkaWQgbm90IG1hdGNoIHRoYXQgZm9yIHRoZSBsb2dpbiBwcm92aWRlZCciCiAgICAgICAgb25zdWNjZXNzOiBuZXh0X3N0YWdlCiAgICAgICAgc3RhdGljczoKICAgICAgICAgIC0gbWV0YTogc3VidHlwZQogICAgICAgICAgICB2YWx1ZTogYmFkX3Bhc3N3b3JkCiAgICAgIC0gZmlsdGVyOiAiZXZ0LlBhcnNlZC5yZWFzb25fbWVzc2FnZSA9PSAnQ291bGQgbm90IGZpbmQgYSBsb2dpbiBtYXRjaGluZyB0aGUgbmFtZSBwcm92aWRlZCciCiAgICAgICAgb25zdWNjZXNzOiBuZXh0X3N0YWdlCiAgICAgICAgc3RhdGljczoKICAgICAgICAgIC0gbWV0YTogc3VidHlwZQogICAgICAgICAgICB2YWx1ZTogYmFkX3VzZXIKc3RhdGljczoKICAgIC0gbWV0YTogc2VydmljZQogICAgICB2YWx1ZTogbXNzcWwKICAgIC0gbWV0YTogbG9nX3R5cGUKICAgICAgdmFsdWU6IG1zc3FsX2ZhaWxlZF9hdXRoCiAgICAtIG1ldGE6IHNvdXJjZV9pcAogICAgICBleHByZXNzaW9uOiAiZXZ0LlBhcnNlZC5zb3VyY2VfaXAiCiAgICAtIHRhcmdldDogZXZ0LlN0clRpbWUKICAgICAgZXhwcmVzc2lvbjogImV2dC5QYXJzZWQuZGF0ZSArICcgJyArIGV2dC5QYXJzZWQudGltZSI=",
+   "content": "b25zdWNjZXNzOiBuZXh0X3N0YWdlCm5hbWU6IGNyb3dkc2VjdXJpdHkvbXNzcWwtbG9ncwpkZXNjcmlwdGlvbjogIlBhcnNlIG1zc3FsIGxvZ3MiCmZpbHRlcjogImV2dC5QYXJzZWQuQ2hhbm5lbCA9PSAnQXBwbGljYXRpb24nICYmIChldnQuUGFyc2VkLlNvdXJjZSA9PSAnTVNTUUxTRVJWRVInIHx8IGV2dC5QYXJzZWQuU291cmNlIHN0YXJ0c1dpdGggJ01TU1FMJCcpICYmIGV2dC5QYXJzZWQuRXZlbnRJRCA9PSAnMTg0NTYnIgpub2RlczoKICAtIGdyb2s6CiAgICAgIHBhdHRlcm46ICJSZWFzb246IFBhc3N3b3JkIGRpZCBub3QgbWF0Y2ggdGhhdCBmb3IgdGhlIGxvZ2luIHByb3ZpZGVkXFwuIgogICAgICBleHByZXNzaW9uOiBYTUxHZXROb2RlVmFsdWUoZXZ0LkxpbmUuUmF3LCAiL0V2ZW50L0V2ZW50RGF0YVsxXS9EYXRhWzJdIikKICAgIG5vZGVzOgogICAgICAtIGdyb2s6CiAgICAgICAgICBwYXR0ZXJuOiAiXFxbQ0xJRU5UOiAle0lQOnNvdXJjZV9pcH1cXF0iCiAgICAgICAgICBleHByZXNzaW9uOiBYTUxHZXROb2RlVmFsdWUoZXZ0LkxpbmUuUmF3LCAiL0V2ZW50L0V2ZW50RGF0YVsxXS9EYXRhWzNdIikKICAgICAgICAgIHN0YXRpY3M6CiAgICAgICAgICAgIC0gbWV0YTogc291cmNlX2lwCiAgICAgICAgICAgICAgZXhwcmVzc2lvbjogZXZ0LlBhcnNlZC5zb3VyY2VfaXAKICAgIHN0YXRpY3M6CiAgICAgIC0gbWV0YTogc3VidHlwZQogICAgICAgIHZhbHVlOiBiYWRfcGFzc3dvcmQKICAtIGdyb2s6CiAgICAgIHBhdHRlcm46ICJSZWFzb246IENvdWxkIG5vdCBmaW5kIGEgbG9naW4gbWF0Y2hpbmcgdGhlIG5hbWUgcHJvdmlkZWRcXC4iCiAgICAgIGV4cHJlc3Npb246IFhNTEdldE5vZGVWYWx1ZShldnQuTGluZS5SYXcsICIvRXZlbnQvRXZlbnREYXRhWzFdL0RhdGFbMl0iKQogICAgbm9kZXM6CiAgICAgIC0gZ3JvazoKICAgICAgICAgIHBhdHRlcm46ICJcXFtDTElFTlQ6ICV7SVA6c291cmNlX2lwfVxcXSIKICAgICAgICAgIGV4cHJlc3Npb246IFhNTEdldE5vZGVWYWx1ZShldnQuTGluZS5SYXcsICIvRXZlbnQvRXZlbnREYXRhWzFdL0RhdGFbM10iKQogICAgICAgICAgc3RhdGljczoKICAgICAgICAgICAgLSBtZXRhOiBzb3VyY2VfaXAKICAgICAgICAgICAgICBleHByZXNzaW9uOiBldnQuUGFyc2VkLnNvdXJjZV9pcAogICAgc3RhdGljczoKICAgICAgLSBtZXRhOiBzdWJ0eXBlCiAgICAgICAgdmFsdWU6IGJhZF91c2VyCnN0YXRpY3M6CiAgLSBtZXRhOiBsb2dfdHlwZQogICAgdmFsdWU6IG1zc3FsX2ZhaWxlZF9hdXRoCiAgLSBtZXRhOiB1c2VyCiAgICBleHByZXNzaW9uOiBYTUxHZXROb2RlVmFsdWUoZXZ0LkxpbmUuUmF3LCAiL0V2ZW50L0V2ZW50RGF0YVsxXS9EYXRhWzFdIikKLS0tCm9uc3VjY2VzczogbmV4dF9zdGFnZQpuYW1lOiBjcm93ZHNlY3VyaXR5L21zc3FsLXRleHQtbG9ncwpkZXNjcmlwdGlvbjogIlBhcnNlIG1zc3FsIGxvZ3MiCmZpbHRlcjogImV2dC5QYXJzZWQucHJvZ3JhbSA9PSAnbXNzcWwnIgpwYXR0ZXJuX3N5bnRheDoKICBEQVRFX1lNRDogIiV7WUVBUjp5ZWFyfS0le01PTlRITlVNOm1vbnRofS0le01PTlRIREFZOmRheX0iCm5vZGVzOgogIC0gZ3JvazoKICAgICAgcGF0dGVybjogIiV7REFURV9ZTUQ6ZGF0ZX0gJXtUSU1FOnRpbWV9IExvZ29uLipMb2dpbiBmYWlsZWQgZm9yIHVzZXIgJyV7Tk9URFFVT1RFOnVzZXJ9Jy4gUmVhc29uOiAle0dSRUVEWURBVEE6cmVhc29uX21lc3NhZ2V9LiBcXFtDTElFTlQ6ICV7SVBPUkhPU1Q6c291cmNlX2lwfVxcXSIKICAgICAgYXBwbHlfb246IG1lc3NhZ2UKICAgIG9uc3VjY2VzczogbmV4dF9zdGFnZQogICAgbm9kZXM6CiAgICAgIC0gZmlsdGVyOiAiZXZ0LlBhcnNlZC5yZWFzb25fbWVzc2FnZSA9PSAnUGFzc3dvcmQgZGlkIG5vdCBtYXRjaCB0aGF0IGZvciB0aGUgbG9naW4gcHJvdmlkZWQnIgogICAgICAgIG9uc3VjY2VzczogbmV4dF9zdGFnZQogICAgICAgIHN0YXRpY3M6CiAgICAgICAgICAtIG1ldGE6IHN1YnR5cGUKICAgICAgICAgICAgdmFsdWU6IGJhZF9wYXNzd29yZAogICAgICAtIGZpbHRlcjogImV2dC5QYXJzZWQucmVhc29uX21lc3NhZ2UgPT0gJ0NvdWxkIG5vdCBmaW5kIGEgbG9naW4gbWF0Y2hpbmcgdGhlIG5hbWUgcHJvdmlkZWQnIgogICAgICAgIG9uc3VjY2VzczogbmV4dF9zdGFnZQogICAgICAgIHN0YXRpY3M6CiAgICAgICAgICAtIG1ldGE6IHN1YnR5cGUKICAgICAgICAgICAgdmFsdWU6IGJhZF91c2VyCnN0YXRpY3M6CiAgICAtIG1ldGE6IHNlcnZpY2UKICAgICAgdmFsdWU6IG1zc3FsCiAgICAtIG1ldGE6IGxvZ190eXBlCiAgICAgIHZhbHVlOiBtc3NxbF9mYWlsZWRfYXV0aAogICAgLSBtZXRhOiBzb3VyY2VfaXAKICAgICAgZXhwcmVzc2lvbjogImV2dC5QYXJzZWQuc291cmNlX2lwIgogICAgLSB0YXJnZXQ6IGV2dC5TdHJUaW1lCiAgICAgIGV4cHJlc3Npb246ICJldnQuUGFyc2VkLmRhdGUgKyAnICcgKyBldnQuUGFyc2VkLnRpbWUi",
    "description": "Parse mssql logs",
    "author": "crowdsecurity",
    "labels": null

diff --git a/parsers/s01-parse/crowdsecurity/mssql-logs.yaml b/parsers/s01-parse/crowdsecurity/mssql-logs.yaml
@@ -1,7 +1,7 @@
 onsuccess: next_stage
 name: crowdsecurity/mssql-logs
 description: "Parse mssql logs"
-filter: "evt.Parsed.Channel == 'Application' && evt.Parsed.Source == 'MSSQLSERVER' && evt.Parsed.EventID == '18456'"
+filter: "evt.Parsed.Channel == 'Application' && (evt.Parsed.Source == 'MSSQLSERVER' || evt.Parsed.Source startsWith 'MSSQL$') && evt.Parsed.EventID == '18456'"
 nodes:
   - grok:
       pattern: "Reason: Password did not match that for the login provided\\."