From: Eric W. B. <er...@vi...> - 2007-10-31 00:09:55
FreeBSD syslogd has an option to make it more verbose when writing logs.
I'm old and slow; so I find the option helpful. Unfortunately using
the option spoils sshguard's parser.
I took a stab at reworking attack_parser.y to deal with the extra text.
I'm out of depth with yacc; so instead of a working patch, I have a
feature request.
From syslogd(8):
-v Verbose logging. If specified once, the numeric facility
and priority are logged with each locally-written message.
If specified more than once, the names of the facility and
priority are logged with each locally-written message.
If you specify -vv, here is an example:
Oct 28 09:34:23 <auth.info> 235 sshd[73761]: Invalid user administrator
from 210.188.220.65
Oct 28 09:34:30 <auth.info> 235 sshd[73763]: Invalid user administrator
from 210.188.220.65
This also demonstrates another parsing problem: my host is named
'235.dhcp.mydomain.tld'; so the host name appears in the log as '235'
which also causes a parsing failure.
My attempt to fix both problems:
*** attack_parser.y.orig Tue Oct 30 15:08:41 2007
--- attack_parser.y Tue Oct 30 15:36:13 2007
***************
*** 49,55 ****
*/
syslogent:
/* timestamp host name procname[pid]: logmsg */
! TIMESTAMP_SYSLOG host name procname '[' INTEGER ']' ':' logmsg NEWLINE
;
/* a multilog-generated log entry */
--- 49,55 ----
*/
syslogent:
/* timestamp host name procname[pid]: logmsg */
! TIMESTAMP_SYSLOG verbose host name procname '[' INTEGER ']' ':'
logmsg NEWLINE
;
/* a multilog-generated log entry */
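Review bot: inserting `verbose` unconditionally between TIMESTAMP_SYSLOG and the hostname makes this rule depend entirely on the `verbose` nonterminal (defined in the third hunk) having a real empty alternative; as written there it uses `''`, which yacc does not accept as an empty production, so plain lines from a syslogd run without `-v` would no longer match `syslogent`. Define the empty alternative as a bare `|` with a `/* empty */` comment. The wrapped continuation `logmsg NEWLINE` is valid, but indenting it under the first token of the alternative would make the rule easier to read.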
***************
*** 60,65 ****
--- 60,66 ----
/* name of a host */
host name:
WORD
+ | INTEGER
| HOSTADDR { }
;
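Review bot: `| INTEGER` is the minimal way to accept a hostname whose FQDN was cut at the first dot (`235`), but it deserves a comment saying so, since a numeric token in hostname position otherwise reads like a grammar mistake to the next maintainer. While here, the neighbouring `HOSTADDR { }` alternative carries an empty action; either record the host there or drop the empty braces so all three alternatives look alike.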
***************
*** 69,74 ****
--- 70,81 ----
| WORD '(' WORD ')'
;
+ /* optional facility and priority when 'verbose' logging is on */
+ verbose:
+ '<' WORD '.' WORD '>'
+ | ''
+ ;
+
/* the "payload" of a log entry: the oridinal message generated from
a process */
logmsg:
sshmsg { attackparser_service = SERVICES_SSH; }
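Review bot: `| ''` is not a valid empty alternative; an empty character literal is a syntax error for yacc/bison (or at best a token the lexer never returns), so the non-verbose path of `verbose` is dead and this is the likely cause of the parser still rejecting the log. Write it as a bare alternative with a `/* empty */` comment (`%empty` on newer bison). Two further gaps against the syslogd(8) text quoted in the message: a single `-v` logs the numeric facility and priority, which `'<' WORD '.' WORD '>'` will not match if digits lex as INTEGER, and the `'<'`, `'.'` and `'>'` character tokens must actually be emitted by the lexer, which this patch does not touch. A shape like `'<' facpri '>'` with `facpri: WORD '.' WORD | INTEGER '.' INTEGER` plus a companion lexer change would cover both forms.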
***************
*** 145,149 ****
%%
void yyerror(char *msg) { /* do nothing */ }
-
-
--- 152,154 ----
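Review bot: this hunk only deletes two trailing blank lines after `yyerror`; it is a whitespace-only change unrelated to the verbose-prefix fix and could be dropped to keep the patch focused. Separately, `yyerror` is a silent no-op, so a grammar mismatch such as the `''` alternative produces no diagnostic at run time; printing `msg` to stderr under a debug flag would have made the failures described in this message much easier to pin down.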
Also note that when I use bison 2.3 to compile attack_parser.y, the
resultant attack_parser.h bears no resemblance to the attack_parser.h
file included in the distribution source. In fact gcc fails with a bunch
of function undefined errors. However, swapping in the include file as
provided in the distribution does allow it to build. It just still
won't parse my ssh log. [sigh]
Thanks for your time.
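As an added example, and not code from Eric's message or from sshguard itself, the following Python sketch shows the tolerant line grammar the patch is reaching for: an optional `<facility.priority>` prefix in both the numeric (`-v`) and named (`-vv`) form, a hostname that may be a bare integer, and extraction of the "Invalid user ... from ..." source address for blocking decisions. The sample lines and IP addresses are constructed (documentation ranges), and the function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample lines, not real log data. They cover plain syslogd output,
# `-v` output (numeric facility.priority), `-vv` output (named), and a host
# whose name is the bare integer '235' because syslogd cut the FQDN at the
# first dot, exactly the case described in the message.
SAMPLE_LINES = [
    "Oct 28 09:34:23 235 sshd[73761]: Invalid user administrator from 203.0.113.7",
    "Oct 28 09:34:23 <4.6> 235 sshd[73761]: Invalid user administrator from 203.0.113.7",
    "Oct 28 09:34:30 <auth.info> 235 sshd[73763]: Invalid user administrator from 203.0.113.7",
    "Oct 28 09:35:01 <auth.info> gateway sshd[73790]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2",
]

# One regex for the whole line. The verbose prefix is optional, and both the
# facility and priority fields accept either digits or names, so the same
# parser handles syslogd with no -v, one -v, or -vv.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?:<(?P<facility>[A-Za-z0-9]+)\.(?P<priority>[A-Za-z0-9]+)> )?"  # optional <fac.pri>
    r"(?P<host>[A-Za-z0-9][A-Za-z0-9.-]*) "                            # hostname; '235' is fine
    r"(?P<proc>[A-Za-z0-9_.-]+)\[(?P<pid>\d+)\]: "
    r"(?P<msg>.*)$"
)

# The sshd message body we care about; anchored so trailing junk cannot sneak in.
INVALID_USER_RE = re.compile(
    r"^Invalid user (?P<user>\S+) from (?P<addr>\d{1,3}(?:\.\d{1,3}){3})$"
)


@dataclass
class SyslogEntry:
    timestamp: str
    facility: Optional[str]   # None when syslogd ran without -v
    priority: Optional[str]
    host: str
    procname: str
    pid: int
    message: str


def parse_syslog_line(line: str) -> Optional[SyslogEntry]:
    """Parse one syslogd line; return None rather than raising on unknown shapes."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return SyslogEntry(
        m["ts"], m["facility"], m["priority"], m["host"],
        m["proc"], int(m["pid"]), m["msg"],
    )


def attacker_address(entry: SyslogEntry) -> Optional[str]:
    """Return the source address when sshd reports a login for a nonexistent user."""
    if entry.procname != "sshd":
        return None
    m = INVALID_USER_RE.match(entry.message)
    return m["addr"] if m else None


def scan(lines: Iterable[str]) -> List[Tuple[str, int, str]]:
    """Collect (host, pid, source address) for every matching sshd event."""
    hits = []
    for line in lines:
        entry = parse_syslog_line(line)
        if entry is None:
            continue  # unparseable line: skip, do not abort the whole feed
        addr = attacker_address(entry)
        if addr:
            hits.append((entry.host, entry.pid, addr))
    return hits


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_syslog_line(sample))
    print(scan(SAMPLE_LINES))
```

The point of handling the prefix inside one optional group rather than a separate grammar rule is that a missing prefix costs nothing: the same parser accepts all three syslogd modes, which is what the patch's empty `verbose` alternative was trying to achieve.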