Merge pull request ossec#1874 from ddpbsd/win_decoder_pcre

pcre2 fix for windows1 decoders
atomicturtle · Aug 9, 2023 · c8a36b0 · c8a36b0
2 parents 0e70ff3 + 811bdfc
commit c8a36b0
Showing 1 changed file with 2 additions and 3 deletions.
diff --git a/etc/decoder.xml b/etc/decoder.xml
@@ -2030,18 +2030,17 @@ Jan  8 19:32:41 tp.lan dropbear[15165]: Pubkey auth succeeded for 'root' with ke
 <decoder name="windows1">
   <type>windows</type>
   <parent>windows</parent>
-  <pcre2> Account Name:[ ]+?([A-Za-z0-9@_-]+?.+)[ ]+?Account</pcre2>
+  <pcre2> Account Name:[ ]+?([A-Za-z0-9@_-]+?)[ ]+?Account</pcre2>
   <order>user</order>
 </decoder>
 
 <decoder name="windows1">
   <type>windows</type>
   <parent>windows</parent>
-  <pcre2>Account Domain:[ ][ ]+?([A-Za-z0-9@_-].+)[ ][ ]+?Logon ID:</pcre2>
+  <pcre2>Account Domain:[ ]+?([A-Za-z0-9@_-]+?)[ ]+?Logon ID:</pcre2>
   <order>extra_data</order>
 </decoder>
 
-
 <!-- Windows decoder -NTsyslog format
   - Will extract extra_data (as win source),action (as win category), id,
   - username and computer name (as url).