Regex, logstash and passwords


(Matt Oney) #1

So I'm looking for a way to detect when someone enters their password and then subst out the password for hashes. The 1.1.1.8 is an example, it could be any ip address.

From this I want to detect if there is a password there

net use I: \1.1.1.8\E$ /user:domain\username password /persistent:yes

Look behind, almost seems to have it but I can't get it to stop after the space after username...

(?<=/user:)(.*)(?<=\s)

net use I: \1.1.1.8\E$ /user:domain\username password /persistent:yes

when I need it to get -

net use I: \1.1.1.8\E$ /user:domain\username password /persistent:yes

https://regexr.com/3i6va

... it would be something like this to gsub the password out and replace with ###

filter {
if [event_id] == 4688 {
mutate {
gsub => ["[event_data][CommandLine]", "(?<=/user:)(.*)(?<=\s)",
"########" ]
}
}
}

...I think I can get the gsub to work but for the life of me I can't get that regex to work.

Thanks!


(Guy Boertje) #2

Perhaps (?:\/user:\w+\s)(\S+)(?:\s)

https://regexr.com/3inrv


(Matt Oney) #3

Hey @guyboertje,

Man closer but that seems to hit the userame as well - I mean I could use that... but I really want to get that regex to just grab the password...
/user:domainusername password
wanted to see if it could grab just the password no /user:domainusername

I know I'm stubborn :slight_smile:


(Guy Boertje) #4

Ahh. Now, this works in Ruby 2.4.0 (?:\/user:\w+\s)\K(\S+)(?=\s) :slight_smile: but it does not in JRuby 9.1.13.0 :frowning:

It does work with JRuby 9.1.15.0 :slight_smile: but LS is will not ship with that version for a while because other bugs :frowning:

I can't think of a way to do what you want differently.


(Matt Oney) #5

I appreciate the effort @guyboertje!


(system) #6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.