Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 24 Mar 2015 02:11:26 +0000 (UTC)
From:      Mark Felder <feld@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r382063 - in head/security/sshguard: . files
Message-ID:  <201503240211.t2O2BQLW051387@svn.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: feld
Date: Tue Mar 24 02:11:26 2015
New Revision: 382063
URL: https://svnweb.freebsd.org/changeset/ports/382063
QAT: https://qat.redports.org/buildarchive/r382063/

Log:
  Enable matching of syslog entries with <facility.level>
  
  PR:		197854

Modified:
  head/security/sshguard/Makefile
  head/security/sshguard/files/patch-src-parser-attack_scanner.l
  head/security/sshguard/files/patch-src-sshguard.c

Modified: head/security/sshguard/Makefile
==============================================================================
--- head/security/sshguard/Makefile	Tue Mar 24 02:05:47 2015	(r382062)
+++ head/security/sshguard/Makefile	Tue Mar 24 02:11:26 2015	(r382063)
@@ -3,7 +3,7 @@
 
 PORTNAME=	sshguard
 PORTVERSION=	1.5
-PORTREVISION=	10
+PORTREVISION=	11
 CATEGORIES=	security
 MASTER_SITES=	SF/sshguard/sshguard/sshguard-${PORTVERSION}
 

Modified: head/security/sshguard/files/patch-src-parser-attack_scanner.l
==============================================================================
--- head/security/sshguard/files/patch-src-parser-attack_scanner.l	Tue Mar 24 02:05:47 2015	(r382062)
+++ head/security/sshguard/files/patch-src-parser-attack_scanner.l	Tue Mar 24 02:11:26 2015	(r382063)
@@ -1,20 +1,26 @@
---- src/parser/attack_scanner.l.orig	2011-02-09 12:01:47 UTC
+--- src/parser/attack_scanner.l.orig	2015-03-24 02:08:55 UTC
 +++ src/parser/attack_scanner.l
-@@ -127,7 +127,7 @@ IPV4MAPPED6 ((:(:0{1,4}){0,4}|0{1,4}:(:0
+@@ -78,6 +78,7 @@ MINPS       [0-5][0-9]
+ WORD        [a-zA-Z0-9][-_a-zA-Z0-9]+
+ NUMBER      [1-9][0-9]*
+ HOSTADDR    localhost|([-a-zA-Z0-9]+\.)+[a-zA-Z]+
++FACLEVEL    (<[a-zA-Z0-9]+\.[a-zA-Z0-9]+>)
  
+ TIMESTAMP_SYSLOG    {MONTH}\ +{DAYNO}\ +{HOUR}:{MINPS}:{MINPS}
+ TIMESTAMP_TAI64     [0-9A-Fa-f]{24}
+@@ -107,13 +108,13 @@ IPV4MAPPED6 ((:(:0{1,4}){0,4}|0{1,4}:(:0
+   */
  
-  /* SSH: invalid or rejected user (cross platform [generated by openssh]) */
--"Invalid user ".+" from "                         { return SSH_INVALUSERPREF; }
-+[Ii]"nvalid user ".+" from "                         { return SSH_INVALUSERPREF; }
-  /* match disallowed user (not in AllowUsers/AllowGroups or in DenyUsers/DenyGroups) on Linux Ubuntu/FreeBSD */
-  /* "User tinydns from 1.2.3.4 not allowed because not listed in AllowUsers" */
- "User ".+" from "                                               { BEGIN(ssh_notallowed); return SSH_NOTALLOWEDPREF; }
-@@ -175,7 +175,7 @@ IPV4MAPPED6 ((:(:0{1,4}){0,4}|0{1,4}:(:0
+  /* handle entries with PID and without PID from processes other than sshguard */
+-{TIMESTAMP_SYSLOG}[ ]+([a-zA-Z0-9]|{WORD}|{HOSTADDR})[ ]+{PROCESSNAME}"["{NUMBER}"]: "{SOLARIS_MSGID_TAG}? {
++{TIMESTAMP_SYSLOG}[ ]+{FACLEVEL}?[ ]*([a-zA-Z0-9]|{WORD}|{HOSTADDR})[ ]+{PROCESSNAME}"["{NUMBER}"]: "{SOLARIS_MSGID_TAG}? {
+         /* extract PID */
+         yylval.num = getsyslogpid(yytext, yyleng);
+         return SYSLOG_BANNER_PID;
+         }
  
-  /* cyrus-imap login error */
- "badlogin: "[^\[]*"["                                           { BEGIN(cyrusimap_loginerr); return CYRUSIMAP_SASL_LOGINERR_PREF; }
--<cyrusimap_loginerr>"] ".*"SASL".*"checkpass failed"            { BEGIN(INITIAL); return CYRUSIMAP_SASL_LOGINERR_SUFF; }
-+<cyrusimap_loginerr>"] ".*"SASL".*"failed".?$                   { BEGIN(INITIAL); return CYRUSIMAP_SASL_LOGINERR_SUFF; }
+-{TIMESTAMP_SYSLOG}[ ]+([a-zA-Z0-9]|{WORD}|{HOSTADDR})[ ]+({PROCESSNAME}":")?   { return SYSLOG_BANNER; }
++{TIMESTAMP_SYSLOG}[ ]+{FACLEVEL}?[ ]*([a-zA-Z0-9]|{WORD}|{HOSTADDR})[ ]+({PROCESSNAME}":")?   { return SYSLOG_BANNER; }
  
-  /* FreeBSD's ftpd login errors */
- "FTP LOGIN FAILED FROM "                                        { BEGIN(freebsdftpd_loginerr); return FREEBSDFTPD_LOGINERR_PREF; }
+  /* syslog style  "last message repeated N times" */
+ "last message repeated "([1-9][0-9]*)" times"                   {

Modified: head/security/sshguard/files/patch-src-sshguard.c
==============================================================================
--- head/security/sshguard/files/patch-src-sshguard.c	Tue Mar 24 02:05:47 2015	(r382062)
+++ head/security/sshguard/files/patch-src-sshguard.c	Tue Mar 24 02:11:26 2015	(r382063)
@@ -1,6 +1,6 @@
---- src/sshguard.c.orig	2010-08-09 08:44:15.000000000 +0200
-+++ src/sshguard.c	2011-03-28 11:42:42.000000000 +0200
-@@ -566,9 +566,13 @@
+--- src/sshguard.c.orig	2011-02-09 12:01:47 UTC
++++ src/sshguard.c
+@@ -567,9 +567,13 @@ static void process_blacklisted_addresse
          /* terminate array list */
          addresses[i] = NULL;
          /* do block addresses of this kind */
@@ -17,5 +17,3 @@
      }
      /* free temporary arrays */
      free(addresses);
-
-



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201503240211.t2O2BQLW051387>