From ef17f65eb289e7fb0d95701c8f68acf19a329e5a Mon Sep 17 00:00:00 2001
From: pyllyukko
Date: Sun, 6 Oct 2024 00:29:11 +0000
Subject: [PATCH] Added support for additional IIS log username variants (#4904)

---
 plaso/parsers/text_plugins/iis.py | 4 ++--
 test_data/iis10_edge_cases.log | 2 ++
 tests/parsers/text_plugins/iis.py | 2 +-
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/plaso/parsers/text_plugins/iis.py b/plaso/parsers/text_plugins/iis.py
index 1bf6a7fe73..4e9f329be9 100644
--- a/plaso/parsers/text_plugins/iis.py
+++ b/plaso/parsers/text_plugins/iis.py
@@ -101,8 +101,8 @@ class WinIISTextPlugin(interface.TextPlugin):
       lambda tokens: int(tokens[0], 10)) | _BLANK
 
   # Username can consist of: "domain.username", "domain\username",
-  # "domain\user$" or "-" for an anonymous user.
-  _USERNAME = pyparsing.Word(pyparsing.alphanums + '-.\\$') | _BLANK
+  # "domain\user$", "domain/user", "user@domain" or "-" for an anonymous user.
+  _USERNAME = pyparsing.Word(pyparsing.alphanums + '-.\\$@/') | _BLANK
 
   _URI_SAFE_CHARACTERS = '/.?&+;_=()-:,%'
 
diff --git a/test_data/iis10_edge_cases.log b/test_data/iis10_edge_cases.log
index 89ad80e57d..016380b183 100644
--- a/test_data/iis10_edge_cases.log
+++ b/test_data/iis10_edge_cases.log
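Review bot: The updated comment on `_USERNAME` still only lists example shapes, so a reader cannot tell from it which characters the field actually admits or why `@` and `/` were added; since the examples are now the only documentation of the accepted set, I would make the set explicit, e.g. `# Accepted characters: alphanumerics and - . \ $ @ / (covers "domain/user" and "user@domain" forms seen in IIS logs).` Note that `/` is also part of `_URI_SAFE_CHARACTERS` two lines below; because the fields are separated by whitespace this does not appear to create an ambiguity, but a one-line remark saying so would save the next maintainer the check. The enclosing `WinIISTextPlugin` class starts before and continues after this hunk.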
@@ -14,3 +14,5 @@
 2022-01-01 18:42:36 ::1 POST /ews/exchange.asmx &request_id=GHJGJYHG-ea2f-4e0f-894c-tdtyd667tyftyf 444 RaDomain\RandomMailbox3242354 ::1 Ews_Probe/Local+(ExchangeServicesClient/15.01.25965.004) - 200 0 0 102
 2022-01-01 18:42:37 ::1 POST /mapi/emdata/ useMailboxOfAuthenticatedUser=true 444 RaDomain\RandomMailbox3242354 ::1 MapiHttpClient - 200 0 0 4
 2022-01-01 18:42:55 ::1 GET /rancertloc/logoff.aspx ActID=werwer-3e02-56456-ererere545-sdf8798798dfh 444 RaDomain\RandomMailbox3242354 ::1 Mozilla/4.0+(compatible;+MSIE+12.0;+Trident/7.0;+rv:12.0;+Windows+NT+6.1;+MSEXCHMON;+ACTIVEMONITORING;+BACKLOOK) - 302 0 0 5
+2022-01-01 00:01:24 ::1 POST /powershell clientApplication=ActiveMonitor;PSVersion=5.1.14393.4467 444 random/ranuser1 ::1 Microsoft+WinRM+Client - 200 0 0 15
+2022-01-01 00:01:24 ::1 POST /powershell clientApplication=ActiveMonitor;PSVersion=5.1.14393.4467 444 ranuser1@random ::1 Microsoft+WinRM+Client - 200 0 0 15
diff --git a/tests/parsers/text_plugins/iis.py b/tests/parsers/text_plugins/iis.py
index 59ae75d675..76134a28f4 100644
--- a/tests/parsers/text_plugins/iis.py
+++ b/tests/parsers/text_plugins/iis.py
@@ -176,7 +176,7 @@ def testProcessWithIIS10Log(self):
 
     number_of_event_data = storage_writer.GetNumberOfAttributeContainers(
         'event_data')
-    self.assertEqual(number_of_event_data, 12)
+    self.assertEqual(number_of_event_data, 14)
 
     number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
         'extraction_warning')
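Review bot: Bumping the expected count to 14 only proves the two new edge-case lines no longer fall out of the parser; nothing asserts that their `user_name` values come through as `random/ranuser1` and `ranuser1@random`, so a tokenisation mistake in the widened `_USERNAME` set that still yields an event would go unnoticed. I would add, after the count assertion, a check of the `user_name` attribute on the two new event_data containers against those exact strings, following whatever per-event attribute check this test file already uses for the other IIS fixtures. The `testProcessWithIIS10Log` method starts before this hunk and its remaining assertions continue after it.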