From 811bdfcd0f0d350217d1fd7f5ea2ac953c267590 Mon Sep 17 00:00:00 2001
From: ddpbsd
Date: Fri, 22 May 2020 14:24:34 -0400
Subject: [PATCH] The pcre for the second instances of Account Name and Account Domain were grabbing too much. So modify them to only grab the username and domain name.
---
 etc/decoder.xml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/etc/decoder.xml b/etc/decoder.xml
index 7c5fab4e3..d2bd8e051 100644
--- a/etc/decoder.xml
+++ b/etc/decoder.xml
@@ -2022,18 +2022,17 @@ Jan 8 19:32:41 tp.lan dropbear[15165]: Pubkey auth succeeded for 'root' with ke
 windows windows
- Account Name:[ ]+?([A-Za-z0-9@_-]+?.+)[ ]+?Account
+ Account Name:[ ]+?([A-Za-z0-9@_-]+?)[ ]+?Account
 user windows windows
- Account Domain:[ ][ ]+?([A-Za-z0-9@_-].+)[ ][ ]+?Logon ID:
+ Account Domain:[ ]+?([A-Za-z0-9@_-]+?)[ ]+?Logon ID:
 extra_data
-
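Review bot: The narrowed capture class `[A-Za-z0-9@_-]` in both new patterns has no `.` or `$`, so an account such as `first.last`, a machine account ending in `$`, or a dotted domain name can never reach the required trailing `[ ]+?Account` / `[ ]+?Logon ID:`, and the pattern fails to match at all. The old `.+` over-captured but still populated the fields; with the new form such events would likely decode without `user` and `extra_data`, which weakens any rule or alert keyed on them. Consider capturing up to the delimiter instead, e.g. `Account Name:[ ]+?(\S+)[ ]+?Account` and `Account Domain:[ ]+?(\S+)[ ]+?Logon ID:`, and check the result against sample events containing dotted and `$`-suffixed names. The surrounding decoder elements are not visible in this hunk, so confirm how these patterns are anchored before changing them.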