Gentoo's Bugzilla – Attachment 297807 Details for
Bug 397517
app-admin/sshguard-1.5 add attack signatures for net-misc/asterisk
[patch]
patch against sshguard-1.5
sshguard-asterisk.patch (text/plain), 8.66 KB, created by
Steve Dommett
on 2012-01-03 16:54:58 UTC
Description:
patch against sshguard-1.5
Filename:
MIME Type:
Creator:
Steve Dommett
Created:
2012-01-03 16:54:58 UTC
Size:
8.66 KB
patch
obsolete
>--- sshguard-1.5/src/sshguard_services.h.orig 2012-01-03 16:40:15.424004604 +0000
>+++ sshguard-1.5/src/sshguard_services.h 2012-01-03 16:40:58.578424143 +0000
>@@ -1,5 +1,6 @@
> /*
>- * Copyright (c) 2007,2008,2009,2010 Mij <mij@sshguard.net>
>+ * Copyright (c) 2007,2008,2009,2010,2011 Mij <mij@sshguard.net>
>+ * Copyright (c) 2011 sutaburosu <steve@st4vs.net>
> *
> * Permission to use, copy, modify, and distribute this software for any
> * purpose with or without fee is hereby granted, provided that the above
>@@ -62,4 +63,7 @@
>
> /* vsftpd */
> #define SERVICES_VSFTPD 330
>+
>+/* Asterisk */
>+#define SERVICES_ASTERISK 340
> #endif
>--- sshguard-1.5/src/parser/attack_scanner.l.orig 2011-02-09 12:01:47.000000000 +0000
>+++ sshguard-1.5/src/parser/attack_scanner.l 2012-01-03 16:43:13.927739311 +0000
>@@ -1,5 +1,6 @@
> /*
>- * Copyright (c) 2007,2008,2009,2010 Mij <mij@sshguard.net>
>+ * Copyright (c) 2007,2008,2009,2010,2011 Mij <mij@sshguard.net>
>+ * Copyright (c) 2011 sutaburosu <steve@st4vs.net>
> *
> * Permission to use, copy, modify, and distribute this software for any
> * purpose with or without fee is hereby granted, provided that the above
>@@ -69,6 +70,8 @@
> %s dovecot_loginerr cyrusimap_loginerr exim_esmtp_autherr sendmail_relaydenied
> /* for FTP services */
> %s freebsdftpd_loginerr proftpd_loginerr pureftpd_loginerr vsftpd_loginerr
>+ /* for Asterisk */
>+%s asterisk_regfail asterisk_md5fail
>
>
> MONTH (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)
>@@ -78,10 +81,12 @@
> WORD [a-zA-Z0-9][-_a-zA-Z0-9]+
> NUMBER [1-9][0-9]*
> HOSTADDR localhost|([-a-zA-Z0-9]+\.)+[a-zA-Z]+
>+SOCKETADDR ({HOSTADDR}|{IPV4}|{IPV6}|{IPV4MAPPED6}):[0-9]{1,5}
>
> TIMESTAMP_SYSLOG {MONTH}\ +{DAYNO}\ +{HOUR}:{MINPS}:{MINPS}
> TIMESTAMP_TAI64 [0-9A-Fa-f]{24}
> SOLARIS_MSGID_TAG "[ID "[0-9]+" "{WORD}"."{WORD}"]"
>+TIMESTAMP_ASTERISK \[?({TIMESTAMP_SYSLOG}|[0-9]{4}-[0-9]{2}-[0-9]{2}" "{HOUR}":"{MINPS}":"{MINPS})("."[0-9]+)?\]?
>
> /* all words but "sshguard" provided that posix regex don't support negation nor intersection:
> * 1) all words of 2 to 7 characters or 8-* chars
>@@ -125,6 +130,9 @@
> /* metalog banner */
> {TIMESTAMP_SYSLOG}" ["{PROCESSNAME}"] " { return METALOG_BANNER; }
>
>+ /* asterisk banner */
>+({TIMESTAMP_ASTERISK}[ ]*)?"NOTICE["{NUMBER}\]:?[ ]+{WORD}".c:"([0-9]+" in "{WORD}:)?[ ]+ { return ASTERISK_BANNER; }
>+({TIMESTAMP_ASTERISK}[ ]*)?"NOTICE["{NUMBER}"]: : :" { return ASTERISK_BANNER; }
>
> /* SSH: invalid or rejected user (cross platform [generated by openssh]) */
> "Invalid user ".+" from " { return SSH_INVALUSERPREF; }
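Review bot: The added `SOCKETADDR` definition pairs an unbracketed `{IPV6}` with `:[0-9]{1,5}`, so for a literal such as `2001:db8::1:5060` the bare `{IPV6}` rule can match the same length (if its definition, which is outside this hunk, admits the trailing group) and, being listed earlier in the rules section, wins the tie — the port is then reported as part of the attacker's address and the wrong host is blocked. Restricting the v6 alternatives to the bracketed form avoids the ambiguity, `SOCKETADDR (({HOSTADDR}|{IPV4})|"["({IPV6}|{IPV4MAPPED6})"]"):[0-9]{1,5}`, with the truncating action then stripping the brackets as well as the port. `[0-9]{1,5}` also admits port numbers above 65535; harmless for matching, but the intent deserves a comment, e.g. `/* host[:port] as Asterisk prints peers; only the host part reaches the parser */` above the definition.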
>@@ -196,6 +204,22 @@
> .+"FAIL LOGIN: Client \"" { BEGIN(vsftpd_loginerr); return VSFTPD_LOGINERR_PREF; }
> <vsftpd_loginerr>"\"" { BEGIN(INITIAL); return VSFTPD_LOGINERR_SUFF; }
>
>+ /* Asterisk */
>+"Registration from '".*"' failed for '" { BEGIN(asterisk_regfail); return ASTERISK_REGFAIL_PREF; }
>+<asterisk_regfail>"' - Wrong password" { BEGIN(INITIAL); return ASTERISK_REGFAIL_SUFF; }
>+<asterisk_regfail>"' - No matching peer found" { BEGIN(INITIAL); return ASTERISK_REGFAIL_SUFF; }
>+<asterisk_regfail>"' - Username/auth name mismatch" { BEGIN(INITIAL); return ASTERISK_REGFAIL_SUFF; }
>+<asterisk_regfail>"' - Device does not match ACL" { BEGIN(INITIAL); return ASTERISK_REGFAIL_SUFF; }
>+<asterisk_regfail>"' - Peer is not supposed to register" { BEGIN(INITIAL); return ASTERISK_REGFAIL_SUFF; }
>+<asterisk_regfail>"' - ACL error (permit/deny)" { BEGIN(INITIAL); return ASTERISK_REGFAIL_SUFF; }
>+<asterisk_regfail>"' - Not a local domain" { BEGIN(INITIAL); return ASTERISK_REGFAIL_SUFF; }
>+<asterisk_regfail>"' - ".+ { BEGIN(INITIAL); return ASTERISK_REGFAIL_SUFF; }
>+" failed to authenticate as '".*' { return ASTERISK_AUTHFAIL; }
>+"Sending fake auth rejection ".+"(" { return ASTERISK_FAKEAUTHREJ; }
>+"No registration for peer '".+"' (from " { return ASTERISK_NOREG; }
>+"Host " { BEGIN(asterisk_md5fail); return ASTERISK_MD5FAIL_PREF; }
>+<asterisk_md5fail>" failed MD5 authentication for '".*' { BEGIN(INITIAL); return ASTERISK_MD5FAIL_SUFF; }
>+
> /** COMMON-USE TOKENS do not touch these **/
> /* an IPv4 address */
> {IPV4} { yylval.str = yytext; return IPv4; }
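Review bot: The `"Host "` rule matches that literal in any log line, not only Asterisk's MD5 message, and returns ASTERISK_MD5FAIL_PREF while switching start condition; a line from another service that happens to contain `Host ` at a point no longer rule covers would then hand the parser an unexpected token and the attack in it would go unrecognised. Because `"Host "` is fixed-length, flex trailing context can make the prefix fire only when the rest of the message follows: `"Host "/({IPV4}|{IPV6}|{HOSTADDR})" failed MD5 authentication for '" { BEGIN(asterisk_md5fail); return ASTERISK_MD5FAIL_PREF; }`. Separately, the `.+"("` in the fake-auth-rejection rule and the `.+"' (from "` in the no-registration rule skip over text that the remote party supplies in the SIP request; that is only safe if the address that follows is the transport-layer peer address Asterisk records rather than a value copied from a request header — worth confirming against the Asterisk version targeted, since blocking a header-supplied address would let a remote party get arbitrary hosts blocked.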
>@@ -207,6 +231,8 @@
>
> /* an host address (PTR) */
> {HOSTADDR} { yylval.str = yytext; return HOSTADDR; }
>+ /* a host address including port number, which we must truncate */
>+{SOCKETADDR} { *(strrchr(yytext, ':')) = 0; yylval.str = yytext; return HOSTADDR; }
> {NUMBER} { yylval.num = (int)strtol(yytext, (char **)NULL, 10); return INTEGER; }
> /* syslog timestamp */
> /*{MONTH}\ +{DAYNO}\ +{HOUR}:{MINPS}:{MINPS} { return TIMESTAMP_SYSLOG; }*/
>@@ -216,6 +242,9 @@
> "@"{TIMESTAMP_TAI64} { return AT_TIMESTAMP_TAI64; }
> {TIMESTAMP_TAI64} { return TIMESTAMP_TAI64; }
>
>+ /* Asterisk timestamp */
>+{TIMESTAMP_ASTERISK} { return TIMESTAMP_ASTERISK; }
>+
> /*[^ :]+:[^ ]+ { return FACILITYPRIORITY; } */
> {WORD} { yylval.str = yytext; return WORD; }
> [ \n\t]+ /* eat blanks */
>--- sshguard-1.5/src/parser/attack_parser.y.orig 2012-01-03 16:39:58.391838992 +0000
>+++ sshguard-1.5/src/parser/attack_parser.y 2012-01-03 16:40:58.577424134 +0000
>@@ -1,7 +1,8 @@
> %{
>
> /*
>- * Copyright (c) 2007,2008,2009,2010 Mij <mij@sshguard.net>
>+ * Copyright (c) 2007,2008,2009,2010,2011 Mij <mij@sshguard.net>
>+ * Copyright (c) 2011 sutaburosu <steve@st4vs.net>
> *
> * Permission to use, copy, modify, and distribute this software for any
> * purpose with or without fee is hereby granted, provided that the above
>@@ -81,11 +82,12 @@
> }
>
> /* semantic values for tokens */
>-%token <str> IPv4 IPv6 HOSTADDR WORD
>+%token <str> IPv4 IPv6 HOSTADDR SOCKETADDR WORD
> %token <num> INTEGER SYSLOG_BANNER_PID LAST_LINE_REPEATED_N_TIMES
>
> /* flat tokens */
> %token SYSLOG_BANNER TIMESTAMP_SYSLOG TIMESTAMP_TAI64 AT_TIMESTAMP_TAI64 METALOG_BANNER
>+%token TIMESTAMP_ASTERISK ASTERISK_BANNER
> /* ssh */
> %token SSH_INVALUSERPREF SSH_NOTALLOWEDPREF SSH_NOTALLOWEDSUFF
> %token SSH_LOGINERR_PREF SSH_LOGINERR_SUFF SSH_LOGINERR_PAM
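Review bot: The added `{SOCKETADDR}` action returns HOSTADDR for every host:port match, including IPv4 and IPv6 literals, whereas the bare `{IPV4}` rule returns IPv4; if the grammar's `addr` rule (outside this hunk) treats HOSTADDR differently from the numeric tokens — for instance by resolving it — then `1.2.3.4:5060` takes a different path from `1.2.3.4` once the port is cut off. Splitting the rule per address family keeps the classification consistent: `{IPV4}:[0-9]{1,5} { *strrchr(yytext, ':') = 0; yylval.str = yytext; return IPv4; }` and the same shape for the v6 forms, leaving the HOSTADDR return for `{HOSTADDR}:[0-9]{1,5}` only. The `strrchr` result is safe to dereference because the pattern guarantees a colon, and a comment saying so spares the next reader the check: `/* pattern guarantees a ':' so strrchr() cannot return NULL */`.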
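Review bot: `SOCKETADDR` is added to the `%token <str>` list in attack_parser.y, but no scanner rule returns it — the `{SOCKETADDR}` rule returns HOSTADDR after truncating the port — so the declaration is dead and suggests a token the grammar never sees. Either drop it from the `%token <str>` line, or return it from the scanner and add a `SOCKETADDR` alternative to `addr` so the host-with-port case is handled explicitly in one place.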
>@@ -111,6 +113,10 @@
> %token PUREFTPD_LOGINERR_PREF PUREFTPD_LOGINERR_SUFF
> /* vsftpd */
> %token VSFTPD_LOGINERR_PREF VSFTPD_LOGINERR_SUFF
>+/* Asterisk */
>+%token ASTERISK_REGFAIL_PREF ASTERISK_REGFAIL_SUFF
>+%token ASTERISK_AUTHFAIL ASTERISK_FAKEAUTHREJ
>+%token ASTERISK_NOREG ASTERISK_MD5FAIL_PREF ASTERISK_MD5FAIL_SUFF
>
> /* msg_multiple returns the multiplicity degree of its recognized message */
> %type <num> msg_multiple
>@@ -122,6 +128,7 @@
> syslogent
> | multilogent
> | metalogent
>+ | asterisklogent
> | logmsg
> ;
>
>@@ -157,6 +164,13 @@
> METALOG_BANNER logmsg
> ;
>
>+asterisklogent:
>+ ASTERISK_BANNER logmsg
>+ | SYSLOG_BANNER ASTERISK_BANNER logmsg
>+ | SYSLOG_BANNER_PID ASTERISK_BANNER logmsg
>+ | METALOG_BANNER ASTERISK_BANNER logmsg
>+ ;
>+
> /* the "payload" of a log entry: the oridinal message generated from a process */
> logmsg:
> /* individual messages */
>@@ -177,6 +191,7 @@
> | proftpdmsg { parsed_attack.service = SERVICES_PROFTPD; }
> | pureftpdmsg { parsed_attack.service = SERVICES_PUREFTPD; }
> | vsftpdmsg { parsed_attack.service = SERVICES_VSFTPD; }
>+ | asteriskmsg { parsed_attack.service = SERVICES_ASTERISK; }
> ;
>
> msg_multiple:
>@@ -339,6 +354,34 @@
> VSFTPD_LOGINERR_PREF addr VSFTPD_LOGINERR_SUFF
> ;
>
>+/* attack rules for Asterisk */
>+asteriskmsg:
>+ asterisk_regfail
>+ | asterisk_authfail
>+ | asterisk_fakeauthrej
>+ | asterisk_noreg
>+ | asterisk_md5fail
>+ ;
>+
>+asterisk_regfail:
>+ ASTERISK_REGFAIL_PREF addr ASTERISK_REGFAIL_SUFF
>+ ;
>+
>+asterisk_authfail:
>+ addr ASTERISK_AUTHFAIL
>+ ;
>+
>+asterisk_fakeauthrej:
>+ ASTERISK_FAKEAUTHREJ addr ')'
>+ ;
>+
>+asterisk_noreg:
>+ ASTERISK_NOREG addr ')'
>+ ;
>+
>+asterisk_md5fail:
>+ ASTERISK_MD5FAIL_PREF addr ASTERISK_MD5FAIL_SUFF
>+ ;
> %%
>
> static void yyerror(int source_id, const char *msg) { /* do nothing */ }
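Review bot: The new `asteriskmsg` rules give no indication of which log text each one matches; the literals live in the scanner, so a reader of the grammar cannot tell `asterisk_regfail` from `asterisk_authfail` without cross-referencing attack_scanner.l. I would add a one-line comment per rule quoting the message shape the scanner rules imply, e.g. above `asterisk_regfail:` `/* Registration from '<from>' failed for '<addr>[:port]' - <reason> */` and above `asterisk_noreg:` `/* No registration for peer '<peer>' (from <addr>) */`. The `')'` in `asterisk_fakeauthrej` and `asterisk_noreg` also relies on the scanner returning single characters as tokens for text no other rule matches; that catch-all rule is not part of this patch, so it is worth confirming it exists, otherwise flex's default action echoes the character and the parse never completes.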