From: Barry M. <bmu...@ga...> - 2015-02-04 15:39:19
diff --git a/src/parser/attack_parser.y b/src/parser/attack_parser.y
index 4a58dd2..af193fb 100644
--- a/src/parser/attack_parser.y
+++ b/src/parser/attack_parser.y
@@ -89,6 +89,7 @@ static struct {
/* ssh */
%token SSH_INVALUSERPREF SSH_NOTALLOWEDPREF SSH_NOTALLOWEDSUFF
%token SSH_LOGINERR_PREF SSH_LOGINERR_SUFF SSH_LOGINERR_PAM
+%token SSH_VIA_SUFF
%token SSH_REVERSEMAP_PREF SSH_REVERSEMAP_SUFF
%token SSH_NOIDENTIFSTR SSH_BADPROTOCOLIDENTIF SSH_BADPROTOCOLIDENTIF_SUFF
%token SSH_DISCONNECT_PREF SSH_PREAUTH_SUFF
@@ -278,6 +279,7 @@ ssh_illegaluser:
ssh_authfail:
SSH_LOGINERR_PREF addr SSH_LOGINERR_SUFF
| SSH_LOGINERR_PAM addr
+ | SSH_LOGINERR_PAM addr SSH_VIA_SUFF
;
ssh_reversemapping:
diff --git a/src/parser/attack_scanner.l b/src/parser/attack_scanner.l
index 5ecdcc8..3956c5d 100644
--- a/src/parser/attack_scanner.l
+++ b/src/parser/attack_scanner.l
@@ -146,6 +146,7 @@ HOSTADDR localhost|([-a-zA-Z0-9]+\.)+[a-zA-Z]+|{IPV4}|{IPV6}|{IPV4MAPPED6}
/* wrong password for valid user @ FreeBSD, Debian */
"error: PAM: "[aA]"uthentication "(error|failure)" for "("illegal user ")?.+" from " { return SSH_LOGINERR_PAM; }
+"via ".* { BEGIN(INITIAL); return SSH_VIA_SUFF; }
/* SSH: reverse mapping "possible break-in attempt!" */
"reverse mapping checking getaddrinfo for "[^\[]*"[" { BEGIN(ssh_reversemap); return SSH_REVERSEMAP_PREF; }
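Review bot: The added scanner rule `"via ".*` has no start-condition prefix, so as far as this hunk shows it is active wherever the scanner is positioned at the text `via `, not only after the address of a PAM failure, and `.*` then consumes the rest of the line as SSH_VIA_SUFF. The log lines parsed here contain remotely supplied fields (the user name matched by `.+` in the rule above, for one), so a stray match could turn a line that would otherwise parse into a syntax error, leaving that attempt uncounted. Consider scoping the rule to a start condition entered by the SSH_LOGINERR_PAM action (the `BEGIN(INITIAL)` in the new action suggests one was intended) and matching the suffix more narrowly than `.*`. A comment in the style of the neighbouring rules, such as `/* optional "via ..." suffix after a PAM authentication failure */`, would record which sshd output this covers.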