From: Eric W. B. <er...@vi...> - 2007-10-31 00:09:55
FreeBSD syslogd has an option to make it more verbose when writing logs.
I'm old and slow; so I find the option helpful. Unfortunately using
the option spoils sshguard's parser.
I took a stab at reworking attack_parser.y to deal with the extra text.
I'm out of my depth with yacc; so instead of a working patch, I have a
feature request.
From syslogd(8):

     -v      Verbose logging. If specified once, the numeric facility
             and priority are logged with each locally-written message.
             If specified more than once, the names of the facility and
             priority are logged with each locally-written message.
If you specify -vv, here is an example:

Oct 28 09:34:23 <auth.info> 235 sshd[73761]: Invalid user administrator from 210.188.220.65
Oct 28 09:34:30 <auth.info> 235 sshd[73763]: Invalid user administrator from 210.188.220.65
This also demonstrates another parsing problem: my host is named
'235.dhcp.mydomain.tld'; so the host name appears in the log as '235'
which also causes a parsing failure.
My attempt to fix both problems:
*** attack_parser.y.orig Tue Oct 30 15:08:41 2007
--- attack_parser.y Tue Oct 30 15:36:13 2007
***************
*** 49,55 ****
*/
syslogent:
/* timestamp host name procname[pid]: logmsg */
! TIMESTAMP_SYSLOG host name procname '[' INTEGER ']' ':' logmsg NEWLINE
;
/* a multilog-generated log entry */
--- 49,55 ----
*/
syslogent:
/* timestamp host name procname[pid]: logmsg */
! TIMESTAMP_SYSLOG verbose host name procname '[' INTEGER ']' ':'
logmsg NEWLINE
;
/* a multilog-generated log entry */
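Review bot: `host name` on the changed line (and on the unchanged `host name:` rule further down) is two symbols to yacc; a nonterminal has to be a single identifier such as `hostname`, otherwise the grammar will not compile at all. The position of the new `verbose` symbol, between `TIMESTAMP_SYSLOG` and the host, does match the order in the sample line (`Oct 28 09:34:23 <auth.info> 235 sshd[...]`), so only the spelling of the symbol needs fixing here.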
***************
*** 60,65 ****
--- 60,66 ----
/* name of a host */
host name:
WORD
+ | INTEGER
| HOSTADDR { }
;
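Review bot: the new `| INTEGER` alternative only helps if the lexer actually returns INTEGER for a bare `235` in the host position rather than matching it as WORD or HOSTADDR first; the lexer rules should be checked together with this change, since a host whose first label is numeric but not purely digits (or one that looks like a dotted number) will still go to whichever of WORD/HOSTADDR the lexer prefers. Like the existing `HOSTADDR { }` alternative, this one carries no action, which is consistent.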
***************
*** 69,74 ****
--- 70,81 ----
| WORD '(' WORD ')'
;
+ /* optional facility and priority when 'verbose' logging is on */
+ verbose:
+ '<' WORD '.' WORD '>'
+ | ''
+ ;
+
/* the "payload" of a log entry: the oridinal message generated from
a process */
logmsg:
sshmsg { attackparser_service = SERVICES_SSH; }
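Review bot: `| ''` is not an empty production; in yacc `''` is an empty character literal and will be rejected, so the alternative should be written as a bare `|` with a `/* empty */` comment so that `verbose` can match nothing when syslogd runs without -v. Two further gaps follow from the syslogd(8) text quoted above: a single -v logs the numeric facility and priority, so `'<' WORD '.' WORD '>'` covers only the -vv name form and an `'<' INTEGER '.' INTEGER '>'` alternative is needed as well; and the rule assumes the lexer emits `<`, `.` and `>` as single-character tokens and splits `auth.info` into two WORDs, which it will not do if WORD already swallows dots.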
***************
*** 145,149 ****
%%
void yyerror(char *msg) { /* do nothing */ }
-
-
--- 152,154 ----
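Review bot: this last hunk only removes the two blank lines after `yyerror`; that is unrelated whitespace churn and is better left out so the patch stays limited to the grammar changes.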
Also note that when I use bison 2.3 to compile attack_parser.y, the
resultant attack_parser.h bears no resemblance to the attack_parser.h
file included in the distribution source. In fact gcc fails with a bunch
of function undefined errors. However, swapping in the include file as
provided in the distribution does allow it to build. It just still
won't parse my ssh log. [sigh]
Thanks for your time.
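As an added example (not sshguard's code and not Eric's patch), the C program below shows a line parser that accepts the -vv name prefix, a bare-number host and the plain no-prefix form on the same sshd entry using POSIX regex, and returns the source address that a blocker would act on. The `<4.6>` shape assumed for the single -v numeric prefix is an assumption, and the sample lines are constructed from the ones quoted above.

```c
/* Added example, not sshguard code: tolerant parse of a FreeBSD sshd syslog
 * line that may carry the syslogd -v/-vv "<facility.priority>" prefix. */
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 and fills ip with the "from <ip>" address, 0 when no match. */
int parse_ssh_line(const char *line, char *ip, size_t iplen)
{
    /* timestamp, optional <facility.priority> (names or numbers), host
     * (word, FQDN or bare number), "sshd[pid]:", then the message body */
    static const char *pat =
        "^[A-Z][a-z]{2} +[0-9]{1,2} [0-9]{2}:[0-9]{2}:[0-9]{2} "
        "(<[A-Za-z0-9]+\\.[A-Za-z0-9]+> )?"
        "[A-Za-z0-9._-]+ sshd\\[[0-9]+\\]: "
        "Invalid user [^ ]+ from ([0-9]{1,3}(\\.[0-9]{1,3}){3})$";
    regex_t re; regmatch_t m[4]; int ok = 0;   /* m[2] = address capture */

    if (regcomp(&re, pat, REG_EXTENDED) != 0)
        return 0;
    if (regexec(&re, line, 4, m, 0) == 0) {
        size_t n = (size_t)(m[2].rm_eo - m[2].rm_so);
        if (n < iplen) {                 /* refuse to overflow the caller's buffer */
            memcpy(ip, line + m[2].rm_so, n);
            ip[n] = '\0';
            ok = 1;
        }
    }
    regfree(&re);
    return ok;
}

/* Convenience check: does the line parse and yield the expected address? */
int ip_matches(const char *line, const char *expected)
{
    char ip[16];
    return parse_ssh_line(line, ip, sizeof ip) && strcmp(ip, expected) == 0;
}

int main(void)
{
    /* constructed samples: -vv named prefix, -v numeric prefix (assumed), plain */
    const char *lines[] = {
        "Oct 28 09:34:23 <auth.info> 235 sshd[73761]: Invalid user administrator from 210.188.220.65",
        "Oct 28 09:34:30 <4.6> 235 sshd[73763]: Invalid user administrator from 210.188.220.65",
        "Oct 28 09:35:01 myhost sshd[73770]: Invalid user root from 210.188.220.65",
    };
    char ip[16];
    for (size_t i = 0; i < 3; i++)
        printf("%s\n", parse_ssh_line(lines[i], ip, sizeof ip) ? ip : "(no match)");
    return 0;
}
```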

From: Mark F. <fe...@fr...> - 2014-05-27 16:35:55
Following up on an old mailing list entry I found:

> FreeBSD syslogd has an option to make it more verbose when writing
> logs.
> I'm old and slow; so I find the option helpful. Unfortunately using
> the option spoils sshguard's parser.

This bug still exists. I'm currently the sshguard port maintainer on FreeBSD. Another developer started using sshguard, stumbled upon the same bug, and asked my assistance with figuring out why none of the bots scanning his hosts were getting blocked. I don't think it's that unusual to increase the verbosity of syslogd messages, especially if you're receiving syslog messages from remote machines or jails running on the same host.

So I guess what I'm meaning to ask: was there any progress on this? Could the verbose log prefix be recognized instead of having the entry be completely discarded? It seems that the regex matching here is simply too strict...

Thanks!

From: Willem J. W. <wj...@di...> - 2014-05-27 17:31:43
There are more options to syslog in FreeBSD, like logging facility:priority. That will also upset parsing. I did try and fix that, and sent the diff to the sshguard maintainer, but so far no result.

Also did a different version with ipfw and a fixed table, so one can use its own rule set and just block on table(50) anywhere one would like.

If you want I can dig out the diffs.

--WjW

From: Mij <mi...@bi...> - 2007-10-31 21:13:45
hello Eric,

please file this mail on the feature request tracker http://sourceforge.net/tracker/?group_id=188282

I'm not sure I will handle it, partly because I guess a marginal fraction of the users enables this syslogd option and it might not be worth the effort. I will inspect the problem better this weekend and provide a patch for you if it does not take too much time (specifically handling the variability of v's could be boring).

bye