
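--- a/sshguard-1.5/src/sshguard_services.h.orig
+++ b/sshguard-1.5/src/sshguard_services.h
@@ -1,5 +1,6 @@
 /*
- * Copyright (c) 2007,2008,2009,2010 Mij <mij@sshguard.net>
+ * Copyright (c) 2007,2008,2009,2010,2011 Mij <mij@sshguard.net>
+ * Copyright (c) 2011 sutaburosu <steve@st4vs.net>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -62,4 +63,7 @@
 
 /* vsftpd */
 #define SERVICES_VSFTPD                 330
+
+/* Asterisk */
+#define SERVICES_ASTERISK               340
 #endif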
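--- a/sshguard-1.5/src/parser/attack_scanner.l.orig
+++ b/sshguard-1.5/src/parser/attack_scanner.l
@@ -1,5 +1,6 @@
 /*
- * Copyright (c) 2007,2008,2009,2010 Mij <mij@sshguard.net>
+ * Copyright (c) 2007,2008,2009,2010,2011 Mij <mij@sshguard.net>
+ * Copyright (c) 2011 sutaburosu <steve@st4vs.net>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -69,6 +70,8 @@
 %s dovecot_loginerr  cyrusimap_loginerr exim_esmtp_autherr sendmail_relaydenied
  /* for FTP services */
 %s freebsdftpd_loginerr  proftpd_loginerr  pureftpd_loginerr vsftpd_loginerr
+ /* for Asterisk */
+%s asterisk_regfail asterisk_md5fail
 
 
 MONTH       (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)
@@ -78,10 +81,12 @@
 WORD        [a-zA-Z0-9][-_a-zA-Z0-9]+
 NUMBER      [1-9][0-9]*
 HOSTADDR    localhost|([-a-zA-Z0-9]+\.)+[a-zA-Z]+
+SOCKETADDR  ({HOSTADDR}|{IPV4}|{IPV6}|{IPV4MAPPED6}):[0-9]{1,5}
 
 TIMESTAMP_SYSLOG    {MONTH}\ +{DAYNO}\ +{HOUR}:{MINPS}:{MINPS}
 TIMESTAMP_TAI64     [0-9A-Fa-f]{24}
 SOLARIS_MSGID_TAG   "[ID "[0-9]+" "{WORD}"."{WORD}"]"
+TIMESTAMP_ASTERISK  \[?({TIMESTAMP_SYSLOG}|[0-9]{4}-[0-9]{2}-[0-9]{2}" "{HOUR}":"{MINPS}":"{MINPS})("."[0-9]+)?\]?
 
  /* all words but "sshguard" provided that posix regex don't support negation nor intersection:
   * 1) all words of 2 to 7 characters or 8-* chars
@@ -125,6 +130,9 @@
  /* metalog banner */
 {TIMESTAMP_SYSLOG}" ["{PROCESSNAME}"] "                         { return METALOG_BANNER; }
 
+ /* asterisk banner */
+({TIMESTAMP_ASTERISK}[ ]*)?"NOTICE["{NUMBER}\]:?[ ]+{WORD}".c:"([0-9]+" in "{WORD}:)?[ ]+   { return ASTERISK_BANNER; }
+({TIMESTAMP_ASTERISK}[ ]*)?"NOTICE["{NUMBER}"]: : :"  { return ASTERISK_BANNER; }
 
  /* SSH: invalid or rejected user (cross platform [generated by openssh]) */
 "Invalid user ".+" from "                         { return SSH_INVALUSERPREF; }
@@ -196,6 +204,22 @@
 .+"FAIL LOGIN: Client \""                                       { BEGIN(vsftpd_loginerr); return VSFTPD_LOGINERR_PREF; }
 <vsftpd_loginerr>"\""                                           { BEGIN(INITIAL); return VSFTPD_LOGINERR_SUFF; }
 
+ /* Asterisk */
+"Registration from '".*"' failed for '"                         { BEGIN(asterisk_regfail); return ASTERISK_REGFAIL_PREF; }
+<asterisk_regfail>"' - Wrong password"                          { BEGIN(INITIAL); return ASTERISK_REGFAIL_SUFF; }
+<asterisk_regfail>"' - No matching peer found"                  { BEGIN(INITIAL); return ASTERISK_REGFAIL_SUFF; }
+<asterisk_regfail>"' - Username/auth name mismatch"             { BEGIN(INITIAL); return ASTERISK_REGFAIL_SUFF; }
+<asterisk_regfail>"' - Device does not match ACL"               { BEGIN(INITIAL); return ASTERISK_REGFAIL_SUFF; }
+<asterisk_regfail>"' - Peer is not supposed to register"        { BEGIN(INITIAL); return ASTERISK_REGFAIL_SUFF; }
+<asterisk_regfail>"' - ACL error (permit/deny)"                 { BEGIN(INITIAL); return ASTERISK_REGFAIL_SUFF; }
+<asterisk_regfail>"' - Not a local domain"                      { BEGIN(INITIAL); return ASTERISK_REGFAIL_SUFF; }
+<asterisk_regfail>"' - ".+                                      { BEGIN(INITIAL); return ASTERISK_REGFAIL_SUFF; }
+" failed to authenticate as '".*'                               { return ASTERISK_AUTHFAIL; }
+"Sending fake auth rejection ".+"("                             { return ASTERISK_FAKEAUTHREJ; }
+"No registration for peer '".+"' (from "                        { return ASTERISK_NOREG; }
+"Host "                                                         { BEGIN(asterisk_md5fail); return ASTERISK_MD5FAIL_PREF; }
+<asterisk_md5fail>" failed MD5 authentication for '".*'         { BEGIN(INITIAL); return ASTERISK_MD5FAIL_SUFF; }
+
  /**         COMMON-USE TOKENS       do not touch these          **/
  /* an IPv4 address */
 {IPV4}                                                          { yylval.str = yytext; return IPv4; }
@@ -207,6 +231,8 @@
 
  /* an host address (PTR) */
 {HOSTADDR}                                                      { yylval.str = yytext; return HOSTADDR; }
+ /* a host address including port number,  which we must truncate */
+{SOCKETADDR}                                                    { *(strrchr(yytext, ':')) = 0; yylval.str = yytext; return HOSTADDR; }
 {NUMBER}                                                        { yylval.num = (int)strtol(yytext, (char **)NULL, 10); return INTEGER; }
  /* syslog timestamp */
  /*{MONTH}\ +{DAYNO}\ +{HOUR}:{MINPS}:{MINPS}                      { return TIMESTAMP_SYSLOG; }*/
@@ -216,6 +242,9 @@
 "@"{TIMESTAMP_TAI64}                                            { return AT_TIMESTAMP_TAI64; }
 {TIMESTAMP_TAI64}                                               { return TIMESTAMP_TAI64; }
 
+ /* Asterisk timestamp */
+{TIMESTAMP_ASTERISK}                                            { return TIMESTAMP_ASTERISK; }
+
  /*[^ :]+:[^ ]+                                                    { return FACILITYPRIORITY; } */
 {WORD}                                                          { yylval.str = yytext; return WORD; }
 [ \n\t]+            /* eat blanks */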
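Review bot: The `{SOCKETADDR}` action in the hunk at old lines 207-212 returns `HOSTADDR` for every alternative of the definition, so an IPv4 or IPv6 literal followed by a port reaches the parser as a host name rather than as `IPv4`/`IPv6`, and whatever the parser does with `HOSTADDR` (a name lookup, if it mirrors the existing `{HOSTADDR}` rule) is then applied to text that is already an address. Consider selecting the returned token by the matched form, or at least stating in the comment that the port-stripped text is deliberately reported as `HOSTADDR`. For the IPv6 alternative the `*(strrchr(yytext, ':')) = 0;` truncation assumes the last colon is the port separator, which holds only if `{IPV6}` (defined outside this hunk) cannot itself end in `:digits` and win the longest-match tie; a comment or a test case for that input would make the assumption explicit. The catch-all `<asterisk_regfail>"' - ".+` rule also makes every registration-failure reason count as an attack, so a transient server-side cause blocks the peer exactly like a wrong password does; a comment confirming this is intended would help the next maintainer.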
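--- a/sshguard-1.5/src/parser/attack_parser.y.orig
+++ b/sshguard-1.5/src/parser/attack_parser.y
@@ -1,7 +1,8 @@
 %{
 
 /*
- * Copyright (c) 2007,2008,2009,2010 Mij <mij@sshguard.net>
+ * Copyright (c) 2007,2008,2009,2010,2011 Mij <mij@sshguard.net>
+ * Copyright (c) 2011 sutaburosu <steve@st4vs.net>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -81,11 +82,12 @@
 }
 
 /* semantic values for tokens */
-%token <str> IPv4 IPv6 HOSTADDR WORD
+%token <str> IPv4 IPv6 HOSTADDR SOCKETADDR WORD
 %token <num> INTEGER SYSLOG_BANNER_PID LAST_LINE_REPEATED_N_TIMES
 
 /* flat tokens */
 %token SYSLOG_BANNER TIMESTAMP_SYSLOG TIMESTAMP_TAI64 AT_TIMESTAMP_TAI64 METALOG_BANNER
+%token TIMESTAMP_ASTERISK ASTERISK_BANNER
 /* ssh */
 %token SSH_INVALUSERPREF SSH_NOTALLOWEDPREF SSH_NOTALLOWEDSUFF
 %token SSH_LOGINERR_PREF SSH_LOGINERR_SUFF SSH_LOGINERR_PAM
@@ -111,6 +113,10 @@
 %token PUREFTPD_LOGINERR_PREF PUREFTPD_LOGINERR_SUFF
 /* vsftpd */
 %token VSFTPD_LOGINERR_PREF VSFTPD_LOGINERR_SUFF
+/* Asterisk */
+%token ASTERISK_REGFAIL_PREF ASTERISK_REGFAIL_SUFF
+%token ASTERISK_AUTHFAIL ASTERISK_FAKEAUTHREJ
+%token ASTERISK_NOREG ASTERISK_MD5FAIL_PREF ASTERISK_MD5FAIL_SUFF
 
 /* msg_multiple returns the multiplicity degree of its recognized message */
 %type <num> msg_multiple
@@ -122,6 +128,7 @@
     syslogent
     | multilogent
     | metalogent
+    | asterisklogent
     | logmsg
     ;
 
@@ -157,6 +164,13 @@
     METALOG_BANNER logmsg
     ;
 
+asterisklogent:
+    ASTERISK_BANNER logmsg 
+    | SYSLOG_BANNER ASTERISK_BANNER logmsg
+    | SYSLOG_BANNER_PID ASTERISK_BANNER logmsg
+    | METALOG_BANNER ASTERISK_BANNER logmsg
+    ;
+
 /* the "payload" of a log entry: the oridinal message generated from a process */
 logmsg:
       /* individual messages */
@@ -177,6 +191,7 @@
     | proftpdmsg        {   parsed_attack.service = SERVICES_PROFTPD; }
     | pureftpdmsg       {   parsed_attack.service = SERVICES_PUREFTPD; }
     | vsftpdmsg         {   parsed_attack.service = SERVICES_VSFTPD; }
+    | asteriskmsg       {   parsed_attack.service = SERVICES_ASTERISK; }
     ;
 
 msg_multiple:
@@ -339,6 +354,34 @@
     VSFTPD_LOGINERR_PREF addr VSFTPD_LOGINERR_SUFF
     ;
 
+/* attack rules for Asterisk */
+asteriskmsg:
+    asterisk_regfail
+    | asterisk_authfail
+    | asterisk_fakeauthrej
+    | asterisk_noreg
+    | asterisk_md5fail
+    ;
+
+asterisk_regfail:
+    ASTERISK_REGFAIL_PREF addr ASTERISK_REGFAIL_SUFF
+    ;
+
+asterisk_authfail:
+    addr ASTERISK_AUTHFAIL
+    ;
+
+asterisk_fakeauthrej:
+    ASTERISK_FAKEAUTHREJ addr ')'
+    ;
+
+asterisk_noreg:
+    ASTERISK_NOREG addr ')'
+    ;
+
+asterisk_md5fail:
+    ASTERISK_MD5FAIL_PREF addr ASTERISK_MD5FAIL_SUFF
+    ;
 %%
 
 static void yyerror(int source_id, const char *msg) { /* do nothing */ }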
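Review bot: `SOCKETADDR` is added to the `%token <str>` list in the hunk at old lines 81-91, but no production in this patch references it, and the scanner change in the same patch returns `HOSTADDR` for a socket address, so the token is declared yet never produced or consumed. Either drop it from that `%token` line or give `addr` an alternative for it so the declaration and the scanner agree. The new `asterisk_fakeauthrej` and `asterisk_noreg` rules in the last hunk end with the literal `')'`, which presumably relies on an existing scanner rule that returns single unmatched characters; if no such rule exists, flex's default action echoes the character instead and those two productions can never reduce, so this is worth confirming against the scanner. The epilogue after `%%` is only partly visible in the hunk.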
