Merge pull request ossec#974 from wazuh/fix-su-decoder

Fixed FTS fetching at su decoder

contrib/ossec-testing/tests/su.ini

@@ -18,8 +18,8 @@ alert = 5
 decoder = su
 
 
-[su: work]
+[su: work fts]
 log 1 pass = Apr 22 17:51:51 enigma su: dcid to root on /dev/ttyp1
-rule = 5303
-alert = 3
+rule = 5305
+alert = 4
 decoder = su

etc/decoder.xml

@@ -496,22 +496,23 @@ Jan  8 19:32:41 tp.lan dropbear[15165]: Pubkey auth succeeded for 'root' with ke
   <order>user</order>
 </decoder>
 
+<decoder name="su">
+  <prematch>^SU \S+ \S+ </prematch>
+  <regex offset="after_prematch">^\S \S+ (\S+)-(\S+)$</regex>
+  <order>srcuser, dstuser</order>
+  <fts>name, srcuser, location</fts>
+</decoder>
+
 <decoder name="su-detail2">
   <parent>su</parent>
+  <prematch> </prematch>
   <regex>^BAD SU (\S+) to (\S+) on|</regex>
   <regex>^failed: \S+ changing from (\S+) to (\S+)|</regex>
   <regex>^\S \S+ (\S+)\p(\S+)$|^(\S+) to (\S+) on </regex>
   <order>srcuser, dstuser</order>
   <fts>name, srcuser, location</fts>
 </decoder>
 
-<decoder name="su">
-  <prematch>^SU \S+ \S+ </prematch>
-  <regex offset="after_prematch">^\S \S+ (\S+)-(\S+)$</regex>
-  <order>srcuser, dstuser</order>
-  <fts>name, srcuser, location</fts>
-</decoder>
-
 
 
 <!-- ProFTPD decoder.