Merge pull request #2488 from DigitalTrustCenter/fix-dataplane-as-wit…

…h-pipe Fix dataplane parser failing to parse AS names with pipe characters
certtools · Apr 4, 2024 · 4eb0f7a · 4eb0f7a
2 parents 4acde13 + 2add395
commit 4eb0f7a
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 3 deletions.
diff --git a/intelmq/bots/parsers/dataplane/parser.py b/intelmq/bots/parsers/dataplane/parser.py
@@ -143,7 +143,10 @@ def parse_line(self, line, report):
         else:
             event = self.new_event(report)
 
-            line_contents = line.split('|')
+            # As mentioned in the feed header: Each field is separated
+            # by a pipe symbol ('|') and at least two whitespace
+            # characters on either side.
+            line_contents = line.split('  |  ')
             feed_name = line_contents[-1].strip()
             file_format = FILE_FORMATS.get(feed_name) or FILE_FORMATS['_default']
 

diff --git a/intelmq/tests/bots/parsers/dataplane/sshpwauth.txt b/intelmq/tests/bots/parsers/dataplane/sshpwauth.txt
@@ -70,7 +70,8 @@
 #
 NA           |  NA                              |  170.239.104.183  |  2016-12-01 04:26:48  |  sshpwauth
 4134         |  CHINANET-BACKBONE No.31,Jin-ro  |   117.21.224.121  |  2016-12-06 02:35:38  |  sshpwauth
+1            |  TEST-AS company | With | pipe   |  1.2.3.4          |  2024-04-02 12:00:00  |  sshpwauth
 #
 # Statistics
-#        ASNs: 1
-#   Addresses: 2
+#        ASNs: 2
+#   Addresses: 3
diff --git a/intelmq/tests/bots/parsers/dataplane/test_parser.py b/intelmq/tests/bots/parsers/dataplane/test_parser.py
@@ -198,6 +198,21 @@
                    'time.source': '2016-12-06T02:35:38+00:00',
                    'protocol.application': 'ssh',
                    'classification.type': 'brute-force',
+                   },
+                  {'feed.url': 'https://dataplane.org/sshpwauth.txt',
+                   'feed.name': 'SSH Password Authentication',
+                   '__type': 'Event',
+                   'time.observation': '2016-12-07T06:27:26+00:00',
+                   'raw': 'MSAgICAgICAgICAgIHwgIFRFU1QtQVMgY29tcGFueSB8IFdpdGggfCBwaXBlICAgfCAgMS4yLjMuNCAgICAgICAgICB8ICAyMDI0LTA0LTAyIDEyOjAwOjAwICB8ICBzc2hwd2F1dGg=',
+                   'event_description.text': 'Address has been seen attempting to remotely login to a host using SSH password '
+                                             'authentication. The source report lists hosts that are highly suspicious and '
+                                             'are likely conducting malicious SSH password authentication attacks.',
+                   'source.asn': 1,
+                   'source.ip': '1.2.3.4',
+                   'source.as_name': 'TEST-AS',
+                   'time.source': '2024-04-02T12:00:00+00:00',
+                   'protocol.application': 'ssh',
+                   'classification.type': 'brute-force',
                    }]
 
 
@@ -228,6 +243,7 @@ def test_ssh_auth(self):
         self.run_bot()
         self.assertMessageEqual(0, SSH_AUTH_EVENT[0])
         self.assertMessageEqual(1, SSH_AUTH_EVENT[1])
+        self.assertMessageEqual(2, SSH_AUTH_EVENT[2])
 
 
 if __name__ == '__main__':  # pragma: no cover