From: <op...@ni...> - 2010-08-10 22:39:24
Hello,
Having found out that 1.4.4 does not support vsftpd I quickly compiled
1.5 rc4 for my system. While syslog-ng log parsing works like a charm,
I have problems with the Log Sucker.
I started sshguard in debug mode:
env SSHGUARD_DEBUG=foo sshguard -l /var/log/auth.log
Then I made some bogus ftp and ssh connections from another machine:
Read line from '/var/log/auth.log'.
Starting parse
Entering state 0
Reading a token: --accepting rule at line 110 ("Aug 10 23:57:37
charlie vsftpd[1]: ")
Next token is token SYSLOG_BANNER_PID ()
Shifting token SYSLOG_BANNER_PID ()
Entering state 1
Reading a token: --accepting rule at line 220 ("pam_unix")
Next token is token WORD ()
Error: popping token SYSLOG_BANNER_PID ()
Stack now 0
Cleanup: discarding lookahead token WORD ()
Stack now 0
Read line from '/var/log/auth.log'.
Starting parse
Entering state 0
Reading a token: --accepting rule at line 110 ("Aug 10 23:59:42
charlie sshd[5509]: ")
Next token is token SYSLOG_BANNER_PID ()
Shifting token SYSLOG_BANNER_PID ()
Entering state 1
Reading a token: --accepting rule at line 220 ("pam_unix")
Next token is token WORD ()
Error: popping token SYSLOG_BANNER_PID ()
Stack now 0
Cleanup: discarding lookahead token WORD ()
Stack now 0
It looks like the log entry is truncated. I am using syslog-ng 3.1.1.
If I start sshguard without -l and feed it the line then it works
properly:
Aug 10 23:57:39 charlie vsftpd[1]: [fijam] FAIL LOGIN: Client "192.168.1.11"
Starting parse
Entering state 0
Reading a token: --accepting rule at line 196 ("Aug 10 23:57:39
charlie vsftpd[1]: [fijam] FAIL LOGIN: Client "")
Next token is token VSFTPD_LOGINERR_PREF ()
Shifting token VSFTPD_LOGINERR_PREF ()
Entering state 22
Reading a token: --accepting rule at line 201 ("192.168.1.11")
Next token is token IPv4 ()
Shifting token IPv4 ()
Entering state 50
Reducing stack by rule 23 (line 203):
$1 = token IPv4 ()
-> $$ = nterm addr ()
Stack now 0 22
Entering state 69
Reading a token: --accepting rule at line 197 (""")
Next token is token VSFTPD_LOGINERR_SUFF ()
Shifting token VSFTPD_LOGINERR_SUFF ()
Entering state 82
Reducing stack by rule 47 (line 339):
$1 = token VSFTPD_LOGINERR_PREF ()
$2 = nterm addr ()
$3 = token VSFTPD_LOGINERR_SUFF ()
-> $$ = nterm vsftpdmsg ()
Stack now 0
Entering state 45
Reducing stack by rule 21 (line 179):
$1 = nterm vsftpdmsg ()
-> $$ = nterm msg_single ()
Stack now 0
Entering state 28
Reducing stack by rule 9 (line 163):
$1 = nterm msg_single ()
-> $$ = nterm logmsg ()
Stack now 0
Entering state 27
Reducing stack by rule 4 (line 125):
$1 = nterm logmsg ()
-> $$ = nterm text ()
Stack now 0
Entering state 23
Reading a token: --(end of buffer or a NUL)
--accepting rule at line 221 ("
")
--(end of buffer or a NUL)
--EOF (start condition 0)
Now at end of input.
Stack now 0 23
Cleanup: popping nterm text ()
Matched address 192.168.1.11:4 attacking service 330, dangerousness 10.
Purging stale attackers.
If you require any more info please let me know.
Regards,
J.
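Added example, not code from the post or from sshguard itself: a small Python model of the two-stage parse the traces above show. The syslog banner (the SYSLOG_BANNER_PID token) must match first; only then is the rest of the line tried against per-service message rules, and a line whose remainder matches no rule (the "pam_unix" notice in the failing traces) is dropped, which is the "Error: popping token SYSLOG_BANNER_PID" outcome. The vsftpd FAIL LOGIN line is taken from the post; the pam_unix, sshd and cron sample lines, the sshd "Failed password" rule, the function names and the per-hit dangerousness tally are assumptions made for this example.

```python
import re
from typing import Dict, List, Optional

# Stage 1: the syslog banner "Mon DD HH:MM:SS host prog[pid]: " (SYSLOG_BANNER_PID in the trace).
SYSLOG_BANNER = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) '
    r'(?P<host>\S+) (?P<prog>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: '
)

IPV4 = r'(?P<addr>\d{1,3}(?:\.\d{1,3}){3})'

# Stage 2: message rules tried against the remainder of the line.
# The vsftpd rule mirrors VSFTPD_LOGINERR_PREF addr VSFTPD_LOGINERR_SUFF
# (sshguard reports this service as 330 in the trace). The sshd rule is an
# assumption added here, using the OpenSSH "Failed password" wording.
MESSAGE_RULES = [
    ("vsftpd", re.compile(r'^\[[^\]]*\] FAIL LOGIN: Client "' + IPV4 + r'"$')),
    ("sshd", re.compile(r'^Failed password for (?:invalid user )?\S+ from ' + IPV4 + r' port \d+ ssh2$')),
]


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Return the matched event for a recognised attack line, else None.

    Mirrors the grammar in the trace: banner first (state 0 -> 1), then the
    remainder must reduce to one message rule. Anything else is discarded.
    """
    line = line.rstrip("\n")
    banner = SYSLOG_BANNER.match(line)
    if banner is None:
        return None                      # not even a syslog banner: ignore
    rest = line[banner.end():]
    for service, rule in MESSAGE_RULES:
        hit = rule.match(rest)
        if hit:
            return {
                "service": service,
                "addr": hit.group("addr"),
                "host": banner.group("host"),
                "prog": banner.group("prog"),
            }
    return None                          # banner parsed, no rule matched (the pam_unix case)


def tally(lines: List[str], danger_per_hit: int = 10) -> Dict[str, int]:
    """Sum dangerousness per source address, 10 per hit as in the trace above."""
    scores: Dict[str, int] = {}
    for line in lines:
        event = parse_log_line(line)
        if event:
            scores[event["addr"]] = scores.get(event["addr"], 0) + danger_per_hit
    return scores


# Constructed sample input; only the first line is taken from the post.
SAMPLE_LINES = [
    'Aug 10 23:57:39 charlie vsftpd[1]: [fijam] FAIL LOGIN: Client "192.168.1.11"',
    # constructed: banner parses, but no message rule covers a pam_unix notice
    'Aug 10 23:57:37 charlie vsftpd[1]: pam_unix(vsftpd:auth): authentication failure; '
    'logname= uid=0 euid=0 tty=ftp ruser=fijam rhost=192.168.1.11',
    # constructed: sshd failure in OpenSSH wording (rule is an assumption)
    'Aug 10 23:59:42 charlie sshd[5509]: Failed password for invalid user admin from 192.168.1.11 port 40112 ssh2',
    # constructed: unrelated line that must be ignored
    'Aug 10 23:59:50 charlie CRON[5520]: pam_unix(cron:session): session opened for user root by (uid=0)',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_log_line(line) or "discarded", "<-", line[:60])
    print(tally(SAMPLE_LINES))
```

Running it shows the same split as the traces: the FAIL LOGIN line and the sshd line yield an address, while both pam_unix lines get past the banner and are then discarded. If a syslog configuration rewrites or truncates the message part after the banner, the detector silently loses the attack, so comparing what the daemon reads with the raw file, as the post does, is the right first check.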