Enable matching of syslog entries with <facility.level>

PR: 197854
svn path=/head/; revision=382063
2025-01-17 08:01:36 +00:00 · 2015-03-24 02:11:26 +00:00 · 2015-03-24 02:11:26 +00:00 · e5ca81a883 · 2021-03-31 03:12:20 +00:00
commit e5ca81a883
parent 158a98a20b
3 changed files with 25 additions and 21 deletions
--- a/security/sshguard/Makefile
+++ b/security/sshguard/Makefile
@ -3,7 +3,7 @@

 PORTNAME=	sshguard
 PORTVERSION=	1.5
-PORTREVISION=	10
+PORTREVISION=	11
 CATEGORIES=	security
 MASTER_SITES=	SF/sshguard/sshguard/sshguard-${PORTVERSION}

--- a/security/sshguard/files/patch-src-parser-attack_scanner.l
+++ b/security/sshguard/files/patch-src-parser-attack_scanner.l
@ -1,20 +1,26 @@
--- src/parser/attack_scanner.l.orig	2011-02-09 12:01:47 UTC
+--- src/parser/attack_scanner.l.orig	2015-03-24 02:08:55 UTC
 +++ src/parser/attack_scanner.l
-@@ -127,7 +127,7 @@ IPV4MAPPED6 ((:(:0{1,4}){0,4}|0{1,4}:(:0
+@@ -78,6 +78,7 @@ MINPS       [0-5][0-9]
+ WORD        [a-zA-Z0-9][-_a-zA-Z0-9]+
+ NUMBER      [1-9][0-9]*
+ HOSTADDR    localhost|([-a-zA-Z0-9]+\.)+[a-zA-Z]+
+FACLEVEL    (<[a-zA-Z0-9]+\.[a-zA-Z0-9]+>)
 
+ TIMESTAMP_SYSLOG    {MONTH}\ +{DAYNO}\ +{HOUR}:{MINPS}:{MINPS}
+ TIMESTAMP_TAI64     [0-9A-Fa-f]{24}
+@@ -107,13 +108,13 @@ IPV4MAPPED6 ((:(:0{1,4}){0,4}|0{1,4}:(:0
+   */
 
-  /* SSH: invalid or rejected user (cross platform [generated by openssh]) */
-"Invalid user ".+" from "                         { return SSH_INVALUSERPREF; }
-+[Ii]"nvalid user ".+" from "                         { return SSH_INVALUSERPREF; }
-  /* match disallowed user (not in AllowUsers/AllowGroups or in DenyUsers/DenyGroups) on Linux Ubuntu/FreeBSD */
-  /* "User tinydns from 1.2.3.4 not allowed because not listed in AllowUsers" */
- "User ".+" from "                                               { BEGIN(ssh_notallowed); return SSH_NOTALLOWEDPREF; }
-@@ -175,7 +175,7 @@ IPV4MAPPED6 ((:(:0{1,4}){0,4}|0{1,4}:(:0
+  /* handle entries with PID and without PID from processes other than sshguard */
+-{TIMESTAMP_SYSLOG}[ ]+([a-zA-Z0-9]|{WORD}|{HOSTADDR})[ ]+{PROCESSNAME}"["{NUMBER}"]: "{SOLARIS_MSGID_TAG}? {
+{TIMESTAMP_SYSLOG}[ ]+{FACLEVEL}?[ ]*([a-zA-Z0-9]|{WORD}|{HOSTADDR})[ ]+{PROCESSNAME}"["{NUMBER}"]: "{SOLARIS_MSGID_TAG}? {
+         /* extract PID */
+         yylval.num = getsyslogpid(yytext, yyleng);
+         return SYSLOG_BANNER_PID;
+         }
 
-  /* cyrus-imap login error */
- "badlogin: "[^\[]*"["                                           { BEGIN(cyrusimap_loginerr); return CYRUSIMAP_SASL_LOGINERR_PREF; }
-<cyrusimap_loginerr>"] ".*"SASL".*"checkpass failed"            { BEGIN(INITIAL); return CYRUSIMAP_SASL_LOGINERR_SUFF; }
-+<cyrusimap_loginerr>"] ".*"SASL".*"failed".?$                   { BEGIN(INITIAL); return CYRUSIMAP_SASL_LOGINERR_SUFF; }
+-{TIMESTAMP_SYSLOG}[ ]+([a-zA-Z0-9]|{WORD}|{HOSTADDR})[ ]+({PROCESSNAME}":")?   { return SYSLOG_BANNER; }
+{TIMESTAMP_SYSLOG}[ ]+{FACLEVEL}?[ ]*([a-zA-Z0-9]|{WORD}|{HOSTADDR})[ ]+({PROCESSNAME}":")?   { return SYSLOG_BANNER; }
 
-  /* FreeBSD's ftpd login errors */
- "FTP LOGIN FAILED FROM "                                        { BEGIN(freebsdftpd_loginerr); return FREEBSDFTPD_LOGINERR_PREF; }
+  /* syslog style  "last message repeated N times" */
+ "last message repeated "([1-9][0-9]*)" times"                   {
--- a/security/sshguard/files/patch-src-sshguard.c
+++ b/security/sshguard/files/patch-src-sshguard.c
@ -1,6 +1,6 @@
--- src/sshguard.c.orig	2010-08-09 08:44:15.000000000 +0200
-+++ src/sshguard.c	2011-03-28 11:42:42.000000000 +0200
-@@ -566,9 +566,13 @@
+--- src/sshguard.c.orig	2011-02-09 12:01:47 UTC
+++ src/sshguard.c
+@@ -567,9 +567,13 @@ static void process_blacklisted_addresse
         /* terminate array list */
         addresses[i] = NULL;
         /* do block addresses of this kind */
@ -17,5 +17,3 @@
     }
     /* free temporary arrays */
     free(addresses);
-
-