[SSHGuard-maintainers] A Regular Expression Attack Parser Addition/Replacement For SSHGuard

[Jim S. <jseymour@LinxNet.com>]

Hi All,

I have created a regular expression attack parser
addition/replacement for sshguard.  It can be built to use either
POSIX regexps or PCREs.

(For PCRE builds you'll need either libpcreposix or libpcre,
depending upon whether you specify USE_PCRE or USE_NATIVE_PCRE,
respectively, along with their "-dev" packages.)

It can either be pretty-easily integrated directly into sshguard or,
as of sshguard-2.4.2, replace the stock parser w/o any changes to
sshguard's code.

But NOTE: The example regex config files do NOT contain all the
signatures the stock sshguards do, and contain a couple I added that
1.7.0 did not have.

It can be found here: https://jimsun.linxnet.com/atre_parser.html

Current state is pretty raw.  There's no "configure" stuff.  The only
thing it's been built and run upon are Linux boxen.  There's no
installer.  Docs are kind of hit-or-miss.  In short: If you're not
code-savvy, this is probably not for you at this time.

I have it integrated directly into my running instances of
sshguard-1.7.0, as a follow-up check to the stock parsing engine, but
I haven't done anything with 2.4.2, yet.

That being said: "make" (with edits) *should* build a stand-alone
parser for you that can be dropped right in as a replacement for the
stock parser in 2.4.2.  (At lease if you're using Linux.)

For the stand-alone replacement parser for 2.4.2, which is also the
test/debug utility, see the atre-parser_doc.txt file at
https://jimsun.linxnet.com/downloads/atre/atre-parser_doc.txt

As always, with this kind of stuff: Use at your own discretion and
risk.

Let me know what y'all think.  Questions, comments, and suggestions
are welcome.

Regards,
Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.LinxNet.com/contact/scform.php>.