From: Mail U. <tem...@go...> - 2011-01-26 16:03:15
|
When FreeBSD's syslogd runs with -v -v, the log changes from Jan 26 15:18:35 box sshd[57785]: error: PAM: authentication error for user from evil to Jan 26 15:18:35 <auth.err> box sshd[57785]: error: PAM: authentication error for user from evil The following patch fixes this problem: --- src/parser/attack_scanner.l.ORI 2011-01-26 16:23:43.000000000 +0100 +++ src/parser/attack_scanner.l 2011-01-26 16:24:01.000000000 +0100 @@ -99,12 +99,18 @@ */ /* handle entries with PID and without PID from processes other than sshguard */ +{TIMESTAMP_SYSLOG}[ ]+<[[:alnum:]]+\.[[:alnum:]]+>[ ]+({WORD}|{HOSTADDR})[ ]+{PROCESSNAME}"["{NUMBER}"]:" { + /* extract PID */ + yylval.num = getsyslogpid(yytext, yyleng); + return SYSLOG_BANNER_PID; + } {TIMESTAMP_SYSLOG}[ ]+({WORD}|{HOSTADDR})[ ]+{PROCESSNAME}"["{NUMBER}"]:" { /* extract PID */ yylval.num = getsyslogpid(yytext, yyleng); return SYSLOG_BANNER_PID; } +{TIMESTAMP_SYSLOG}[ ]+<[[:alnum:]]+\.[[:alnum:]]+>[ ]+({WORD}|{HOSTADDR})[ ]+{PROCESSNAME}":" { return SYSLOG_BANNER; } {TIMESTAMP_SYSLOG}[ ]+({WORD}|{HOSTADDR})[ ]+{PROCESSNAME}":" { return SYSLOG_BANNER; } /* metalog banner */ |
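Review bot: The two added rules (the SYSLOG_BANNER_PID one placed above the existing PID rule, and the SYSLOG_BANNER one placed above the existing no-PID rule) repeat the existing patterns and actions unchanged except for the inserted `<[[:alnum:]]+\.[[:alnum:]]+>[ ]+` token, so four near-identical rules now have to be kept in sync by hand. Consider making the tag optional inside the two existing rules instead, for example `{TIMESTAMP_SYSLOG}[ ]+(<[[:alnum:]]+\.[[:alnum:]]+>[ ]+)?({WORD}|{HOSTADDR})[ ]+{PROCESSNAME}"["{NUMBER}"]:"`, or giving the tag a named definition next to the other pattern names, with a comment saying it is the `<facility.level>` field that FreeBSD's syslogd adds when run with -v -v. It is also worth confirming that getsyslogpid(yytext, yyleng) still finds the PID when the matched text carries the extra field, since its body is not visible in this hunk.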