From: Kevin Z. <kev...@gm...> - 2016-01-21 22:24:39

On 01/21/2016 14:15, Emmanuel wrote:
> I am running 1.6.0

1.6.3 recognizes most of your log messages as attacks. I haven't tested 1.6.0; you should consider upgrading to 1.6.3.

> I am trying to understand what sshguard does under the hood.

Briefly, a lexer splits up each line into tokens (like TIMESTAMP_SYSLOG). A parser looks at each token and processes it if the tokens match a known attack pattern.

You can try using sed to get rid of everything but the log message, i.e. the "Failed password for root from 183.3.202.107 port 15012 ssh2". If it still doesn't recognize the attack, it's probably because 1.6.0 doesn't have that particular attack yet.

> What do you mean by not recognizing the syslog prefix?
> I can sed or transform the stream if I have to, to make it work; I just
> want to understand what format is expected and what may break it.
> I'm not big into C, so I'd rather not dig into the code.
> Is there some doc somewhere about this?

The lexer/parser is ugly even if you know C. Something is being done about this, but I'm not sure how long it'll take.

Best,
Kevin

--
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090
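The lexer-then-parser pipeline Kevin describes, shown as an added illustrative example in Python; this is not sshguard's code and does not reproduce its real token set or attack patterns. Only the TIMESTAMP_SYSLOG token name and the "Failed password for root from 183.3.202.107 port 15012 ssh2" message come from the thread; the other token types (PROCESS, IPV4, NUMBER, WORD), the pattern names, the sed-equivalent prefix stripper and all sample log lines are assumptions constructed for the example. It also shows the failure mode Emmanuel asks about: a syslog prefix the lexer does not recognize (here an RFC 3339 timestamp) makes the whole line miss, and stripping the prefix the way Kevin suggests makes the attack match again.

```python
import re

# Constructed sample lines (not from the original thread). The first is a
# classic syslog-wrapped sshd message, the second the bare message Kevin
# suggests isolating with sed, the fourth is benign and must not match.
SAMPLE_LINES = [
    "Jan 21 14:15:01 host sshd[1234]: Failed password for root from 183.3.202.107 port 15012 ssh2",
    "Failed password for root from 183.3.202.107 port 15012 ssh2",
    "Jan 21 14:15:03 host sshd[1235]: Invalid user admin from 203.0.113.9",
    "Jan 21 14:15:02 host sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 40000 ssh2",
]

# Constructed line with a prefix this toy lexer has no token for (RFC 3339
# timestamp as emitted by some rsyslog configurations). Assumption for the example.
ISO_PREFIX_LINE = (
    "2016-01-21T14:15:01.123456+00:00 host sshd[1234]: "
    "Failed password for root from 183.3.202.107 port 15012 ssh2"
)

# Lexer: token types tried in this order at each position. Only
# TIMESTAMP_SYSLOG is named in the thread; the rest are assumed for the example.
TOKEN_SPECS = [
    ("TIMESTAMP_SYSLOG", r"[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d"),
    ("PROCESS", r"[A-Za-z_][\w./-]*(?:\[\d+\])?:"),   # e.g. "sshd[1234]:"
    ("IPV4", r"\d{1,3}(?:\.\d{1,3}){3}"),
    ("NUMBER", r"\d+"),
    ("WORD", r"\S+"),
]
TOKEN_RE = re.compile("|".join(f"(?P<{name}>{pat})" for name, pat in TOKEN_SPECS))


def tokenize(line):
    """Split a line into (type, text) tokens; whitespace between tokens is skipped."""
    return [(m.lastgroup, m.group()) for m in TOKEN_RE.finditer(line)]


def strip_syslog_prefix(tokens):
    """Drop a recognized syslog prefix (timestamp, host, 'process[pid]:').

    If the line does not start with a TIMESTAMP_SYSLOG token the prefix is not
    recognized and the tokens are returned unchanged, which is why an unknown
    prefix makes the attack patterns below miss.
    """
    if tokens and tokens[0][0] == "TIMESTAMP_SYSLOG":
        for i, (kind, _) in enumerate(tokens):
            if kind == "PROCESS":
                return tokens[i + 1:]
    return tokens


# Parser: attack patterns as token sequences. Upper-case entries are token
# types, everything else is a literal word. Pattern names are assumptions.
ATTACK_PATTERNS = {
    "ssh_failed_password": ["Failed", "password", "for", "WORD", "from", "IPV4", "port", "NUMBER", "ssh2"],
    "ssh_invalid_user": ["Invalid", "user", "WORD", "from", "IPV4"],
}


def match_pattern(tokens, pattern):
    """Return the attacker address if the token list matches the pattern, else None."""
    if len(tokens) != len(pattern):
        return None
    attacker = None
    for (kind, text), want in zip(tokens, pattern):
        if want.isupper():
            if kind != want:
                return None
            if kind == "IPV4":
                attacker = text
        elif text != want:
            return None
    return attacker


def detect(line):
    """Lex, strip the syslog prefix, parse. Returns (attack_name, attacker_ip) or None."""
    tokens = strip_syslog_prefix(tokenize(line))
    for name, pattern in ATTACK_PATTERNS.items():
        attacker = match_pattern(tokens, pattern)
        if attacker is not None:
            return name, attacker
    return None


# Equivalent of the sed step Kevin suggests, e.g. `sed -E 's/^.*sshd\[[0-9]+\]: //'`,
# which removes everything before the bare message regardless of timestamp format.
SED_LIKE_PREFIX = re.compile(r"^.*?sshd\[\d+\]: ")


def sed_like_strip(line):
    return SED_LIKE_PREFIX.sub("", line, count=1)


if __name__ == "__main__":
    for line in SAMPLE_LINES + [ISO_PREFIX_LINE, sed_like_strip(ISO_PREFIX_LINE)]:
        print(f"{detect(line)!s:45} <- {line}")
```

Feeding the RFC 3339 line straight in yields no match because the lexer never produces a TIMESTAMP_SYSLOG token, so the prefix is left in place and no pattern is the right length; the same line after the sed-style strip matches as a failed password from 183.3.202.107. That is the practical check to run before concluding that a version simply lacks a given attack signature.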