Hi All,
I have created a regular expression attack parser
addition/replacement for sshguard. It can be built to use either
POSIX regexps or PCREs.
(For PCRE builds you'll need either libpcreposix or libpcre,
depending upon whether you specify USE_PCRE or USE_NATIVE_PCRE,
respectively, along with their "-dev" packages.)
It can either be pretty easily integrated directly into sshguard or,
as of sshguard-2.4.2, replace the stock parser w/o any changes to
sshguard's code.
But NOTE: The example regex config files do NOT contain all the
signatures the stock sshguards do, and contain a couple I added that
1.7.0 did not have.
It can be found here: https://jimsun.linxnet.com/atre_parser.html
Current state is pretty raw. There's no "configure" stuff. The only
thing it's been built and run upon are Linux boxen. There's no
installer. Docs are kind of hit-or-miss. In short: If you're not
code-savvy, this is probably not for you at this time.
I have it integrated directly into my running instances of
sshguard-1.7.0, as a follow-up check to the stock parsing engine, but
I haven't done anything with 2.4.2, yet.
That being said: "make" (with edits) *should* build a stand-alone
parser for you that can be dropped right in as a replacement for the
stock parser in 2.4.2. (At least if you're using Linux.)
For the stand-alone replacement parser for 2.4.2, which is also the
test/debug utility, see the atre-parser_doc.txt file at
https://jimsun.linxnet.com/downloads/atre/atre-parser_doc.txt
As always, with this kind of stuff: Use at your own discretion and
risk.
Let me know what y'all think. Questions, comments, and suggestions
are welcome.
Regards,
Jim
--
Note: My mail server employs *very* aggressive anti-spam
filtering. If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.LinxNet.com/contact/scform.php>.
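As an added illustration, not Jim's atre_parser and not sshguard's stock parser, here is a minimal regex attack parser of the kind the post describes, built on the POSIX <regex.h> API that the non-PCRE build path relies on. The signature patterns, the function names (atre_init, atre_parse, atre_addr_of) and the sample log lines are all constructed for this example; the real atre_parser config file format is not shown on the page.

```c
/* Added example: a small POSIX-regex attack parser in the spirit of sshguard.
 * Not code from atre_parser or sshguard. It compiles a table of attack
 * signatures once, then extracts the source address from matching sshd lines
 * so a caller could count attempts per source and block past a threshold. */
#include <regex.h>
#include <stdio.h>
#include <string.h>

struct signature {
    const char *pattern;   /* POSIX extended regular expression */
    int addr_group;        /* subexpression index holding the source address */
};

/* Signatures written for this example (hypothetical, not the atre_parser config).
 * Each is anchored to "sshd[PID]:" so lines from other daemons cannot trigger it. */
static const struct signature signatures[] = {
    /* OpenSSH: "Failed password for [invalid user] NAME from ADDR port N ssh2" */
    { "sshd\\[[0-9]+\\]: Failed password for (invalid user )?[^ ]+ from ([0-9A-Fa-f.:]+) port [0-9]+", 2 },
    /* OpenSSH: "Invalid user NAME from ADDR port N" */
    { "sshd\\[[0-9]+\\]: Invalid user [^ ]+ from ([0-9A-Fa-f.:]+)", 1 },
};
#define NSIG (sizeof signatures / sizeof signatures[0])

static regex_t compiled[NSIG];
static int compiled_ok = 0;

/* Compile all signatures once; returns 0 on success, -1 if any pattern is bad. */
int atre_init(void) {
    if (compiled_ok) return 0;
    for (size_t i = 0; i < NSIG; i++) {
        if (regcomp(&compiled[i], signatures[i].pattern, REG_EXTENDED) != 0)
            return -1;
    }
    compiled_ok = 1;
    return 0;
}

/* Parse one log line. Returns 1 and copies the source address into addr
 * (NUL-terminated, truncated to addr_len-1) when a signature matches,
 * 0 when the line is benign, -1 if a signature failed to compile. */
int atre_parse(const char *line, char *addr, size_t addr_len) {
    if (atre_init() != 0) return -1;
    regmatch_t m[4];
    for (size_t i = 0; i < NSIG; i++) {
        if (regexec(&compiled[i], line, 4, m, 0) != 0) continue;
        int g = signatures[i].addr_group;
        if (m[g].rm_so < 0) continue;          /* optional group did not take part */
        size_t len = (size_t)(m[g].rm_eo - m[g].rm_so);
        if (len >= addr_len) len = addr_len - 1;
        memcpy(addr, line + m[g].rm_so, len);
        addr[len] = '\0';
        return 1;
    }
    return 0;
}

/* Convenience wrapper: returns the address from a static buffer, or NULL
 * when the line is not an attack (not thread-safe; for demos and tests). */
const char *atre_addr_of(const char *line) {
    static char addr[64];
    return atre_parse(line, addr, sizeof addr) == 1 ? addr : NULL;
}

/* Constructed sample lines (not real logs). */
static const char *const sample_lines[] = {
    "Jan 10 12:00:01 host sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2",
    "Jan 10 12:00:02 host sshd[1235]: Accepted publickey for jim from 198.51.100.7 port 40000 ssh2",
    "Jan 10 12:00:03 host sshd[1236]: Invalid user oracle from 2001:db8::5 port 4022",
};
#define NSAMPLE (sizeof sample_lines / sizeof sample_lines[0])

/* Run the parser over the samples; returns the number of attack lines found. */
int atre_scan_samples(void) {
    int attacks = 0;
    for (size_t i = 0; i < NSAMPLE; i++) {
        const char *addr = atre_addr_of(sample_lines[i]);
        if (addr != NULL) {
            attacks++;
            printf("attack from %s\n", addr);
        }
    }
    return attacks;
}

int main(void) {
    return atre_scan_samples() == 2 ? 0 : 1;
}
```

Build with `cc -o atre_demo atre_demo.c` and run it; it reports the two attack sources and exits 0. Anchoring every pattern on the `sshd[PID]:` prefix is the cheap defensive choice here: it keeps unrelated daemons (or user-controlled text echoed by another service) from satisfying a signature, which is exactly the class of false positive a drop-in parser must avoid before it feeds a blocking decision. A production parser would add the per-source counting and threshold that sshguard itself applies on top of the parser's output.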