From: Jim S. <jse...@Li...> - 2016-09-13 16:50:14
Hi,

I use postfix with the optional -o syslog_name=postfix/submission option in its main.cf configuration. This causes log lines to look like (partial):

    ... postfix/submission/smtpd[24257]: warning: unknown[185.110.132.134]: SASL LOGIN authentication failed: ...

rather than simply "...postfix/smtpd[24257]...". sshguard's parser fails to catch these.

This can be "fixed" by removing that option from postfix' config, but then you lose logging detail.

My lex/yacc fu is no longer very good, but I do know my way around REs. I believe this can be fixed in sshguard by changing each occurrence of the following, in src/parser/attack_scanner.l, from

    {PROCESSNAME}("/"{PROCESSNAME})?

to either

    {PROCESSNAME}("/"{PROCESSNAME})*

or, probably better,

    {PROCESSNAME}("/"{PROCESSNAME}){0,2}

This does cause it to catch the missed log entries. But, without thorough analysis of the remainder of the parsing code, I don't know, for sure, that it won't induce other regression errors.

Regards,
Jim

--
Note: My mail server employs *very* aggressive anti-spam filtering. If you reply to this email and your email is rejected, please accept my apologies and let me know via my web form at <http://jimsun.LinxNet.com/contact/scform.php>.
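The following is an added example, not part of the post or of sshguard's code: it translates the three PROCESSNAME quantifier variants from flex to Python regexes and runs them over constructed syslog lines to show why the original "?" rule stops at "postfix/submission" and why "{0,2}" accepts the two-level name while still bounding the depth that "*" leaves open. The character class used for PROCESSNAME is an assumption, since the post does not quote it.

```python
import re

# Assumption (not quoted in the post): PROCESSNAME in attack_scanner.l is a
# run of ordinary process-name characters. This class is a constructed
# stand-in and may differ from sshguard's real definition.
PROCESSNAME = r"[-_a-zA-Z0-9.]+"

# The original rule and the two replacements discussed in the post; the
# quantifiers '?', '*' and '{0,2}' mean the same in flex and in Python re.
VARIANTS = {
    "?":     PROCESSNAME + "(/" + PROCESSNAME + ")?",
    "*":     PROCESSNAME + "(/" + PROCESSNAME + ")*",
    "{0,2}": PROCESSNAME + "(/" + PROCESSNAME + "){0,2}",
}

# The scanner needs the name rule to consume everything up to "[pid]:".
PID_TAIL = r"\[[0-9]+\]:"


def process_field(syslog_line):
    """Return the 'name[pid]:' field of a simplified syslog line, or None."""
    # Constructed layout: "Mon DD HH:MM:SS host name[pid]: message"
    m = re.match(r"\S+ +\d+ +\S+ +\S+ +(\S+\[[0-9]+\]:)", syslog_line)
    return m.group(1) if m else None


def accepted_by(variant, syslog_line):
    """True if this PROCESSNAME variant consumes the whole name[pid]: field."""
    field = process_field(syslog_line)
    if field is None:
        return False
    return re.fullmatch(VARIANTS[variant] + PID_TAIL, field) is not None


# Constructed samples: the two-level name from the post, the plain one-level
# name, and an over-deep three-level name that only "*" should accept.
MSG = "warning: unknown[185.110.132.134]: SASL LOGIN authentication failed:"
SAMPLES = {
    "two-level":   "Sep 13 16:50:14 mx postfix/submission/smtpd[24257]: " + MSG,
    "one-level":   "Sep 13 16:50:14 mx postfix/smtpd[24257]: " + MSG,
    "three-level": "Sep 13 16:50:14 mx a/b/c/smtpd[1]: " + MSG,
}


def matrix():
    """Map each sample to the set of variants that accept its process name."""
    return {name: {v for v in VARIANTS if accepted_by(v, line)}
            for name, line in SAMPLES.items()}


if __name__ == "__main__":
    for name, variants in matrix().items():
        print(f"{name:12s} accepted by: {sorted(variants) or 'none'}")
```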