Lines 1-5
|
1 |
/* |
1 |
/* |
2 |
* Copyright (c) 2007,2008,2009,2010 Mij <mij@sshguard.net> |
2 |
* Copyright (c) 2007,2008,2009,2010,2011 Mij <mij@sshguard.net> |
|
|
3 |
* Copyright (c) 2011 sutaburosu <steve@st4vs.net> |
3 |
* |
4 |
* |
4 |
* Permission to use, copy, modify, and distribute this software for any |
5 |
* Permission to use, copy, modify, and distribute this software for any |
5 |
* purpose with or without fee is hereby granted, provided that the above |
6 |
* purpose with or without fee is hereby granted, provided that the above |
Lines 69-74
|
69 |
%s dovecot_loginerr cyrusimap_loginerr exim_esmtp_autherr sendmail_relaydenied |
70 |
%s dovecot_loginerr cyrusimap_loginerr exim_esmtp_autherr sendmail_relaydenied |
70 |
/* for FTP services */ |
71 |
/* for FTP services */ |
71 |
%s freebsdftpd_loginerr proftpd_loginerr pureftpd_loginerr vsftpd_loginerr |
72 |
%s freebsdftpd_loginerr proftpd_loginerr pureftpd_loginerr vsftpd_loginerr |
|
|
73 |
/* for Asterisk */ |
74 |
%s asterisk_regfail asterisk_md5fail |
72 |
|
75 |
|
73 |
|
76 |
|
74 |
MONTH (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) |
77 |
MONTH (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) |
Lines 78-87
|
78 |
WORD [a-zA-Z0-9][-_a-zA-Z0-9]+ |
81 |
WORD [a-zA-Z0-9][-_a-zA-Z0-9]+ |
79 |
NUMBER [1-9][0-9]* |
82 |
NUMBER [1-9][0-9]* |
80 |
HOSTADDR localhost|([-a-zA-Z0-9]+\.)+[a-zA-Z]+ |
83 |
HOSTADDR localhost|([-a-zA-Z0-9]+\.)+[a-zA-Z]+ |
|
|
84 |
SOCKETADDR ({HOSTADDR}|{IPV4}|{IPV6}|{IPV4MAPPED6}):[0-9]{1,5} |
81 |
|
85 |
|
82 |
TIMESTAMP_SYSLOG {MONTH}\ +{DAYNO}\ +{HOUR}:{MINPS}:{MINPS} |
86 |
TIMESTAMP_SYSLOG {MONTH}\ +{DAYNO}\ +{HOUR}:{MINPS}:{MINPS} |
83 |
TIMESTAMP_TAI64 [0-9A-Fa-f]{24} |
87 |
TIMESTAMP_TAI64 [0-9A-Fa-f]{24} |
84 |
SOLARIS_MSGID_TAG "[ID "[0-9]+" "{WORD}"."{WORD}"]" |
88 |
SOLARIS_MSGID_TAG "[ID "[0-9]+" "{WORD}"."{WORD}"]" |
|
|
89 |
TIMESTAMP_ASTERISK \[?({TIMESTAMP_SYSLOG}|[0-9]{4}-[0-9]{2}-[0-9]{2}" "{HOUR}":"{MINPS}":"{MINPS})("."[0-9]+)?\]? |
85 |
|
90 |
|
86 |
/* all words but "sshguard" provided that posix regex don't support negation nor intersection: |
91 |
/* all words but "sshguard" provided that posix regex don't support negation nor intersection: |
87 |
* 1) all words of 2 to 7 characters or 8-* chars |
92 |
* 1) all words of 2 to 7 characters or 8-* chars |
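Review bot: The `{IPV6}` alternative in the new `SOCKETADDR` definition (new line 84) is ambiguous for unbracketed addresses, because a trailing `:` followed by one to four digits also reads as another hextet of the address itself; flex takes the longest match and, on a tie, the earlier rule, so the bare `{IPV6}` rule is likely to swallow the port as part of the address (the IPV6 definition is outside this hunk, so the exact overlap is inferred). The bracketed form logs normally use for IPv6 endpoints is not matched at all; an alternative such as `"["{IPV6}"]:"[0-9]{1,5}` would be unambiguous, and note that `[0-9]{1,5}` also accepts ports above 65535. Separately, `TIMESTAMP_ASTERISK` (new line 89) makes `\[?` and `\]?` independent, so an unbalanced `[` or a plain bracket-less syslog timestamp match as well; moving the inner alternation into a body definition and writing `(\[{TIMESTAMP_ASTERISK_BODY}\]|{TIMESTAMP_ASTERISK_BODY})` pairs the brackets. The same looseness reaches the `{TIMESTAMP_ASTERISK}` rule added at new line 246 in the Lines 216-221 hunk.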
Lines 125-130
|
125 |
/* metalog banner */ |
130 |
/* metalog banner */ |
126 |
{TIMESTAMP_SYSLOG}" ["{PROCESSNAME}"] " { return METALOG_BANNER; } |
131 |
{TIMESTAMP_SYSLOG}" ["{PROCESSNAME}"] " { return METALOG_BANNER; } |
127 |
|
132 |
|
|
|
133 |
/* asterisk banner */ |
134 |
({TIMESTAMP_ASTERISK}[ ]*)?"NOTICE["{NUMBER}\]:?[ ]+{WORD}".c:"([0-9]+" in "{WORD}:)?[ ]+ { return ASTERISK_BANNER; } |
135 |
({TIMESTAMP_ASTERISK}[ ]*)?"NOTICE["{NUMBER}"]: : :" { return ASTERISK_BANNER; } |
128 |
|
136 |
|
129 |
/* SSH: invalid or rejected user (cross platform [generated by openssh]) */ |
137 |
/* SSH: invalid or rejected user (cross platform [generated by openssh]) */ |
130 |
"Invalid user ".+" from " { return SSH_INVALUSERPREF; } |
138 |
"Invalid user ".+" from " { return SSH_INVALUSERPREF; } |
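Review bot: The two Asterisk banner rules at new lines 134-135 share a one-word comment while differing only in their tail, so a reader has to diff the two regexes to see why both exist; a comment such as `/* asterisk banner: "NOTICE[pid]: file.c:line in func:" form, or the empty-location form "NOTICE[pid]: : :" */` would name both. Since both start with `({TIMESTAMP_ASTERISK}[ ]*)?"NOTICE["{NUMBER}`, folding the two tails into one alternation would also keep the shared prefix from drifting if one rule is edited later.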
Lines 196-201
|
196 |
.+"FAIL LOGIN: Client \"" { BEGIN(vsftpd_loginerr); return VSFTPD_LOGINERR_PREF; } |
204 |
.+"FAIL LOGIN: Client \"" { BEGIN(vsftpd_loginerr); return VSFTPD_LOGINERR_PREF; } |
197 |
<vsftpd_loginerr>"\"" { BEGIN(INITIAL); return VSFTPD_LOGINERR_SUFF; } |
205 |
<vsftpd_loginerr>"\"" { BEGIN(INITIAL); return VSFTPD_LOGINERR_SUFF; } |
198 |
|
206 |
|
|
|
207 |
/* Asterisk */ |
208 |
"Registration from '".*"' failed for '" { BEGIN(asterisk_regfail); return ASTERISK_REGFAIL_PREF; } |
209 |
<asterisk_regfail>"' - Wrong password" { BEGIN(INITIAL); return ASTERISK_REGFAIL_SUFF; } |
210 |
<asterisk_regfail>"' - No matching peer found" { BEGIN(INITIAL); return ASTERISK_REGFAIL_SUFF; } |
211 |
<asterisk_regfail>"' - Username/auth name mismatch" { BEGIN(INITIAL); return ASTERISK_REGFAIL_SUFF; } |
212 |
<asterisk_regfail>"' - Device does not match ACL" { BEGIN(INITIAL); return ASTERISK_REGFAIL_SUFF; } |
213 |
<asterisk_regfail>"' - Peer is not supposed to register" { BEGIN(INITIAL); return ASTERISK_REGFAIL_SUFF; } |
214 |
<asterisk_regfail>"' - ACL error (permit/deny)" { BEGIN(INITIAL); return ASTERISK_REGFAIL_SUFF; } |
215 |
<asterisk_regfail>"' - Not a local domain" { BEGIN(INITIAL); return ASTERISK_REGFAIL_SUFF; } |
216 |
<asterisk_regfail>"' - ".+ { BEGIN(INITIAL); return ASTERISK_REGFAIL_SUFF; } |
217 |
" failed to authenticate as '".*' { return ASTERISK_AUTHFAIL; } |
218 |
"Sending fake auth rejection ".+"(" { return ASTERISK_FAKEAUTHREJ; } |
219 |
"No registration for peer '".+"' (from " { return ASTERISK_NOREG; } |
220 |
"Host " { BEGIN(asterisk_md5fail); return ASTERISK_MD5FAIL_PREF; } |
221 |
<asterisk_md5fail>" failed MD5 authentication for '".*' { BEGIN(INITIAL); return ASTERISK_MD5FAIL_SUFF; } |
222 |
|
199 |
/** COMMON-USE TOKENS do not touch these **/ |
223 |
/** COMMON-USE TOKENS do not touch these **/ |
200 |
/* an IPv4 address */ |
224 |
/* an IPv4 address */ |
201 |
{IPV4} { yylval.str = yytext; return IPv4; } |
225 |
{IPV4} { yylval.str = yytext; return IPv4; } |
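Review bot: The `"Host "` prefix rule at new line 220 is active in INITIAL and anchored on nothing Asterisk-specific, so any log line from any other service that contains `Host ` now tokenizes as ASTERISK_MD5FAIL_PREF instead of a WORD (flex prefers the five-character match over the four-character `{WORD}`), and the scanner is left in `asterisk_md5fail` until the suffix rule at new line 221 fires on some later input; how the caller resets start conditions between lines is not visible here. Because the condition is declared inclusive (`%s asterisk_regfail asterisk_md5fail` in the Lines 69-74 hunk), the stray state only adds one extra active rule, but the changed token stream can still break other formats' parses. A fixed-length trailing context narrows the trigger to the real message: `"Host "/({IPV4}|{IPV6}|{HOSTADDR})" failed MD5 authentication for '" { BEGIN(asterisk_md5fail); return ASTERISK_MD5FAIL_PREF; }`.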
Lines 207-212
|
207 |
|
231 |
|
208 |
/* an host address (PTR) */ |
232 |
/* an host address (PTR) */ |
209 |
{HOSTADDR} { yylval.str = yytext; return HOSTADDR; } |
233 |
{HOSTADDR} { yylval.str = yytext; return HOSTADDR; } |
|
|
234 |
/* a host address including port number, which we must truncate */ |
235 |
{SOCKETADDR} { *(strrchr(yytext, ':')) = 0; yylval.str = yytext; return HOSTADDR; } |
210 |
{NUMBER} { yylval.num = (int)strtol(yytext, (char **)NULL, 10); return INTEGER; } |
236 |
{NUMBER} { yylval.num = (int)strtol(yytext, (char **)NULL, 10); return INTEGER; } |
211 |
/* syslog timestamp */ |
237 |
/* syslog timestamp */ |
212 |
/*{MONTH}\ +{DAYNO}\ +{HOUR}:{MINPS}:{MINPS} { return TIMESTAMP_SYSLOG; }*/ |
238 |
/*{MONTH}\ +{DAYNO}\ +{HOUR}:{MINPS}:{MINPS} { return TIMESTAMP_SYSLOG; }*/ |
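Review bot: The `{SOCKETADDR}` action at new line 235 returns HOSTADDR for every match, but the definition also covers `{IPV4}`, `{IPV6}` and `{IPV4MAPPED6}` literals, so an address carrying a port loses the type distinction that the neighbouring `{IPV4}` and `{HOSTADDR}` rules preserve and reaches the parser as a PTR name. Splitting the rule per address type keeps the tokens consistent, e.g. `{IPV4}":"[0-9]{1,5} { *strrchr(yytext, ':') = '\0'; yylval.str = yytext; return IPv4; }`, with the same shape for the IPv6 forms returning whatever token the file's `{IPV6}` rule returns, and the HOSTADDR return kept only for the `{HOSTADDR}":"` case. The `strrchr` result needs no NULL check because the pattern guarantees a `:`; as with the other rules, `yylval.str` points into the scanner buffer that the next `yylex()` call overwrites, which presumably the parser copies before then (not visible here).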
Lines 216-221
|
216 |
"@"{TIMESTAMP_TAI64} { return AT_TIMESTAMP_TAI64; } |
242 |
"@"{TIMESTAMP_TAI64} { return AT_TIMESTAMP_TAI64; } |
217 |
{TIMESTAMP_TAI64} { return TIMESTAMP_TAI64; } |
243 |
{TIMESTAMP_TAI64} { return TIMESTAMP_TAI64; } |
218 |
|
244 |
|
|
|
245 |
/* Asterisk timestamp */ |
246 |
{TIMESTAMP_ASTERISK} { return TIMESTAMP_ASTERISK; } |
247 |
|
219 |
/*[^ :]+:[^ ]+ { return FACILITYPRIORITY; } */ |
248 |
/*[^ :]+:[^ ]+ { return FACILITYPRIORITY; } */ |
220 |
{WORD} { yylval.str = yytext; return WORD; } |
249 |
{WORD} { yylval.str = yytext; return WORD; } |
221 |
[ \n\t]+ /* eat blanks */ |
250 |
[ \n\t]+ /* eat blanks */ |