From 2e9b9ab987992a96cf28a78b7e3866fa764532ef Mon Sep 17 00:00:00 2001
From: Kelly Brazil <kellyjonbrazil@gmail.com>
Date: Tue, 16 Aug 2022 15:10:00 -0700
Subject: [PATCH] tighten up priority parsing

---
 jc/parsers/syslog_bsd.py                | 2 +-
 tests/fixtures/generic/syslog-3164.json | 2 +-
 tests/fixtures/generic/syslog-3164.out  | 1 +
 3 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/jc/parsers/syslog_bsd.py b/jc/parsers/syslog_bsd.py
index 331fdb57..03468738 100644
--- a/jc/parsers/syslog_bsd.py
+++ b/jc/parsers/syslog_bsd.py
@@ -117,7 +117,7 @@ def parse(
 
     # inspired by https://gist.github.com/miticojo/b16bb13e78572c2d2fac82d9516d5c32
     syslog = re.compile(r'''
-        (?P<priority><\d*>)?
+        (?P<priority><\d{1,3}>)?
         (?P<date>[A-Z][a-z][a-z]\s{1,2}\d{1,2}\s\d{2}?:\d{2}:\d{2})?\s
         (?P<host>[\w][\w\d\.:@-]*)?\s
         (?P<msg>
diff --git a/tests/fixtures/generic/syslog-3164.json b/tests/fixtures/generic/syslog-3164.json
index 4e803011..093a62ee 100644
--- a/tests/fixtures/generic/syslog-3164.json
+++ b/tests/fixtures/generic/syslog-3164.json
@@ -1 +1 @@
-[{"priority":34,"date":"Oct 11 22:14:15","hostname":"mymachine","tag":"su","content":"'su root' failed for lonvick on /dev/pts/8"},{"priority":null,"date":"Oct 11 22:14:15","hostname":"mymachine","tag":"su","content":"'su root' failed for lonvick on /dev/pts/8"},{"priority":35,"date":"Oct 12 22:14:15","hostname":"client_machine","tag":"su","content":"'su root' failed for joe on /dev/pts/2"},{"priority":35,"date":"Mar  7 04:02:16","hostname":"avas","tag":"clamd","content":"[11165]: /var/amavis/amavis-20040307T033734-10329/parts/part-00003: Worm.Mydoom.F FOUND"},{"priority":null,"date":"Mar  7 04:05:55","hostname":"avas","tag":"clamd","content":"[11240]: /var/amavis/amavis-20040307T035901-10615/parts/part-00002: Worm.SomeFool.Gen-1 FOUND"},{"priority":5,"date":"Mar  7 09:00:51","hostname":"avas","tag":"clamd","content":"[27173]: SelfCheck: Database status OK."},{"priority":null,"date":"Mar  7 05:59:02","hostname":"avas","tag":"clamd","content":"[27173]: Database correctly reloaded (20400 viruses)"},{"priority":null,"date":"Mar  7 04:02:16","hostname":"avas","tag":"clamd","content":"[11165]: /var/amavis/amavis-20040307T033734-10329/parts/part-00003: Worm.Mydoom.F FOUND"},{"priority":null,"date":"Mar  7 04:05:55","hostname":"avas","tag":"clamd","content":"[11240]: /var/amavis/amavis-20040307T035901-10615/parts/part-00002: Worm.SomeFool.Gen-1 FOUND"},{"priority":null,"date":"Mar  7 09:00:51","hostname":"avas","tag":"clamd","content":"[27173]: SelfCheck: Database status OK."},{"priority":null,"date":"Mar  7 05:59:02","hostname":"avas","tag":"clamd","content":"[27173]: Database correctly reloaded (20400 viruses)"},{"priority":null,"date":"Mar  7 11:14:35","hostname":"avas","tag":"dccd","content":"[13284]: 21 requests/sec are too many from anonymous 205.201.1.56,2246"},{"priority":null,"date":"Mar  8 00:22:57","hostname":"avas","tag":"dccifd","content":"[9933]: write(MTA socket,4): Broken pipe"},{"priority":null,"date":"Mar  7 21:23:22","hostname":"avas","tag":"dccifd","content":"[6191]: missing message body"},{"priority":null,"date":"Mar  9 16:05:17","hostname":"avas","tag":"named","content":"[12045]: zone PLNet/IN: refresh: non-authoritative answer from master 10.0.0.253#53"},{"priority":null,"date":"Mar 10 00:38:16","hostname":"avas","tag":"dccifd","content":"[23069]: continue not asking DCC 17 seconds after failure"},{"priority":null,"date":"Mar 10 09:42:11","hostname":"avas","tag":"named","content":"client 127.0.0.1#55524: query: 23.68.27.142.sa-trusted.bondedsender.org IN TXT"},{"priority":null,"date":"Mar  9 03:48:07","hostname":"avas","tag":"dccd","content":"[145]: automatic dbclean; starting `dbclean -DPq -i 1189 -L info,local5.notice -L error,local5.err`"},{"priority":null,"date":"Mar  9 11:58:18","hostname":"avas","tag":"kernel","content":"i810_audio: Connection 0 with codec id 2"},{"priority":null,"date":"Mar  9 19:41:13","hostname":"avas","tag":"dccd","content":"[3004]: \"packet length 44 too small for REPORT\" sent to client 1 at 194.63.250.215,47577"},{"priority":null,"date":"Mar  8 09:01:07","hostname":"avas","tag":"sshd","content":"(pam_unix)[21839]: session opened for user tom by (uid=35567)"},{"priority":null,"date":"Mar  8 03:52:04","hostname":"avas","tag":"dccd","content":"[13284]: 1.2.32 database /home/dcc/dcc_db reopened with 997 MByte window"},{"priority":null,"date":"Mar  8 16:05:26","hostname":"avas","tag":"arpwatch","content":"listening on eth0"},{"priority":null,"date":"Mar 10 10:00:06","hostname":"avas","tag":"named","content":"[6986]: zone PLNet/IN: refresh: non-authoritative answer from master 192.75.26.21#53"},{"priority":null,"date":"Mar 10 10:00:10","hostname":"avas","tag":"named","content":"[6986]: client 127.0.0.1#55867: query: mail.canfor.ca IN MX"},{"priority":null,"date":"Mar  8 15:18:40","hostname":"avas","tag":null,"content":"last message repeated 11 times"},{"priority":null,"date":"Mar  8 15:18:40","hostname":"127:0:ab::1","tag":"sshd","content":"unauthorized request"},{"priority":null,"date":"Mar  8 15:18:40","hostname":"server.example.com","tag":"sshd","content":"unauthorized request"},{"priority":null,"date":"Mar  8 15:18:40","hostname":"192.168.1.1","tag":"sshd","content":"unauthorized request"},{"priority":35,"date":"Mar  8 15:18:40","hostname":"server.example.com","tag":"sshd","content":"unauthorized request"},{"unparsable":"<7>unparsable line"}]
+[{"priority":34,"date":"Oct 11 22:14:15","hostname":"mymachine","tag":"su","content":"'su root' failed for lonvick on /dev/pts/8"},{"unparsable":"<3444>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"},{"priority":null,"date":"Oct 11 22:14:15","hostname":"mymachine","tag":"su","content":"'su root' failed for lonvick on /dev/pts/8"},{"priority":35,"date":"Oct 12 22:14:15","hostname":"client_machine","tag":"su","content":"'su root' failed for joe on /dev/pts/2"},{"priority":35,"date":"Mar  7 04:02:16","hostname":"avas","tag":"clamd","content":"[11165]: /var/amavis/amavis-20040307T033734-10329/parts/part-00003: Worm.Mydoom.F FOUND"},{"priority":null,"date":"Mar  7 04:05:55","hostname":"avas","tag":"clamd","content":"[11240]: /var/amavis/amavis-20040307T035901-10615/parts/part-00002: Worm.SomeFool.Gen-1 FOUND"},{"priority":5,"date":"Mar  7 09:00:51","hostname":"avas","tag":"clamd","content":"[27173]: SelfCheck: Database status OK."},{"priority":null,"date":"Mar  7 05:59:02","hostname":"avas","tag":"clamd","content":"[27173]: Database correctly reloaded (20400 viruses)"},{"priority":null,"date":"Mar  7 04:02:16","hostname":"avas","tag":"clamd","content":"[11165]: /var/amavis/amavis-20040307T033734-10329/parts/part-00003: Worm.Mydoom.F FOUND"},{"priority":null,"date":"Mar  7 04:05:55","hostname":"avas","tag":"clamd","content":"[11240]: /var/amavis/amavis-20040307T035901-10615/parts/part-00002: Worm.SomeFool.Gen-1 FOUND"},{"priority":null,"date":"Mar  7 09:00:51","hostname":"avas","tag":"clamd","content":"[27173]: SelfCheck: Database status OK."},{"priority":null,"date":"Mar  7 05:59:02","hostname":"avas","tag":"clamd","content":"[27173]: Database correctly reloaded (20400 viruses)"},{"priority":null,"date":"Mar  7 11:14:35","hostname":"avas","tag":"dccd","content":"[13284]: 21 requests/sec are too many from anonymous 205.201.1.56,2246"},{"priority":null,"date":"Mar  8 00:22:57","hostname":"avas","tag":"dccifd","content":"[9933]: write(MTA socket,4): Broken pipe"},{"priority":null,"date":"Mar  7 21:23:22","hostname":"avas","tag":"dccifd","content":"[6191]: missing message body"},{"priority":null,"date":"Mar  9 16:05:17","hostname":"avas","tag":"named","content":"[12045]: zone PLNet/IN: refresh: non-authoritative answer from master 10.0.0.253#53"},{"priority":null,"date":"Mar 10 00:38:16","hostname":"avas","tag":"dccifd","content":"[23069]: continue not asking DCC 17 seconds after failure"},{"priority":null,"date":"Mar 10 09:42:11","hostname":"avas","tag":"named","content":"client 127.0.0.1#55524: query: 23.68.27.142.sa-trusted.bondedsender.org IN TXT"},{"priority":null,"date":"Mar  9 03:48:07","hostname":"avas","tag":"dccd","content":"[145]: automatic dbclean; starting `dbclean -DPq -i 1189 -L info,local5.notice -L error,local5.err`"},{"priority":null,"date":"Mar  9 11:58:18","hostname":"avas","tag":"kernel","content":"i810_audio: Connection 0 with codec id 2"},{"priority":null,"date":"Mar  9 19:41:13","hostname":"avas","tag":"dccd","content":"[3004]: \"packet length 44 too small for REPORT\" sent to client 1 at 194.63.250.215,47577"},{"priority":null,"date":"Mar  8 09:01:07","hostname":"avas","tag":"sshd","content":"(pam_unix)[21839]: session opened for user tom by (uid=35567)"},{"priority":null,"date":"Mar  8 03:52:04","hostname":"avas","tag":"dccd","content":"[13284]: 1.2.32 database /home/dcc/dcc_db reopened with 997 MByte window"},{"priority":null,"date":"Mar  8 16:05:26","hostname":"avas","tag":"arpwatch","content":"listening on eth0"},{"priority":null,"date":"Mar 10 10:00:06","hostname":"avas","tag":"named","content":"[6986]: zone PLNet/IN: refresh: non-authoritative answer from master 192.75.26.21#53"},{"priority":null,"date":"Mar 10 10:00:10","hostname":"avas","tag":"named","content":"[6986]: client 127.0.0.1#55867: query: mail.canfor.ca IN MX"},{"priority":null,"date":"Mar  8 15:18:40","hostname":"avas","tag":null,"content":"last message repeated 11 times"},{"priority":null,"date":"Mar  8 15:18:40","hostname":"127:0:ab::1","tag":"sshd","content":"unauthorized request"},{"priority":null,"date":"Mar  8 15:18:40","hostname":"server.example.com","tag":"sshd","content":"unauthorized request"},{"priority":null,"date":"Mar  8 15:18:40","hostname":"192.168.1.1","tag":"sshd","content":"unauthorized request"},{"priority":35,"date":"Mar  8 15:18:40","hostname":"server.example.com","tag":"sshd","content":"unauthorized request"},{"unparsable":"<7>unparsable line"}]
diff --git a/tests/fixtures/generic/syslog-3164.out b/tests/fixtures/generic/syslog-3164.out
index d14de487..bc1170a2 100644
--- a/tests/fixtures/generic/syslog-3164.out
+++ b/tests/fixtures/generic/syslog-3164.out
@@ -1,4 +1,5 @@
 <34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8
+<3444>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8
 Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8
 <35>Oct 12 22:14:15 client_machine su: 'su root' failed for joe on /dev/pts/2
 <35>Mar  7 04:02:16 avas clamd[11165]: /var/amavis/amavis-20040307T033734-10329/parts/part-00003: Worm.Mydoom.F FOUND