"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "src/parser/attack_scanner.l" between
sshguard-2.4.1.tar.gz and sshguard-2.4.2.tar.gz

About: sshguard is a log monitor that protects networked hosts from brute force attacks against services, most notably SSH.

attack_scanner.l  (sshguard-2.4.1):attack_scanner.l  (sshguard-2.4.2)
skipping to change at line 44 skipping to change at line 44
%option noyywrap %option noyywrap
%array %array
/* Start Conditions */ /* Start Conditions */
/* for Login services */ /* for Login services */
%s ssh_notallowed ssh_reversemap ssh_disconnect ssh_badproto ssh_badkex cockpit_ authfail %s ssh_notallowed ssh_reversemap ssh_disconnect ssh_badproto ssh_badkex cockpit_ authfail
/* for SSHGuard */ /* for SSHGuard */
%s sshguard_attack sshguard_block %s sshguard_attack sshguard_block
/* for Mail services */ /* for Mail services */
%s dovecot_loginerr cyrusimap_loginerr exim_esmtp_autherr exim_esmtp_loginerr se ndmail_relaydenied sendmail_authfailure postfix_loginerr postfix_greylist opensm tpd_failedcmd %s dovecot_loginerr cyrusimap_loginerr exim_esmtp_autherr exim_esmtp_loginerr se ndmail_relaydenied sendmail_authfailure postfix_loginerr postfix_greylist opensm tpd_failedcmd postscreen
/* for FTP services */ /* for FTP services */
%s freebsdftpd_loginerr proftpd_loginerr pureftpd_loginerr vsftpd_loginerr %s freebsdftpd_loginerr proftpd_loginerr pureftpd_loginerr vsftpd_loginerr
/* for HTTP services */ /* for HTTP services */
%s clf_request clf_request_withuser clf_unauhtorized clfwebprobes_botsearch %s clf_request clf_request_withuser clf_unauhtorized clfwebprobes_botsearch
/* for git services */ /* for git services */
%s gitea_autherr %s gitea_autherr
MONTH (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) MONTH (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)
MONTHNO 0[0-9]|1[0-2] MONTHNO 0[0-9]|1[0-2]
DAYNO [0-9][0-9]? DAYNO [0-9][0-9]?
skipping to change at line 204 skipping to change at line 204
/* get this instead: match invalid login @ Linux Ubuntu */ /* get this instead: match invalid login @ Linux Ubuntu */
/* "Failed password for validuser from 1.2.3.4 port 54609 ssh2" */ /* "Failed password for validuser from 1.2.3.4 port 54609 ssh2" */
"Failed "[^ ]+" for "[^ ]+" from " { return SSH_LOG INERR_PREF; } "Failed "[^ ]+" for "[^ ]+" from " { return SSH_LOG INERR_PREF; }
/* wrong password for valid user @ FreeBSD, Debian */ /* wrong password for valid user @ FreeBSD, Debian */
"error: PAM: "(([aA]"uthentication "(error|failure))|"unknown user")" for "("ill egal user ")?.+" from " { return SSH_LOGINERR_PAM; } "error: PAM: "(([aA]"uthentication "(error|failure))|"unknown user")" for "("ill egal user ")?.+" from " { return SSH_LOGINERR_PAM; }
"via ".* { return SSH_VIA ; } "via ".* { return SSH_VIA ; }
/* SSH: connections open and closed without auth attempts */ /* SSH: connections open and closed without auth attempts */
"Did not receive identification string from " { return SSH_NOI DENTIFSTR; } "Did not receive identification string from " { return SSH_NOI DENTIFSTR; }
"error: "?"Received disconnect from " { BEGIN(ssh_disc onnect); return SSH_DISCONNECT_PREF; }
"Disconnected from "(("invalid"|"authenticating")" user "[^ ]+" ")? { BEGIN(ssh_disconnect); return SSH_DISCONNECT_PREF; } "Disconnected from "(("invalid"|"authenticating")" user "[^ ]+" ")? { BEGIN(ssh_disconnect); return SSH_DISCONNECT_PREF; }
"Connection "(closed|reset)" by "(("invalid"|"authenticating")" user "[^ ]+" ")? { BEGIN(ssh_disconnect); return SSH_CONNECTION_CLOSED; } "Connection "(closed|reset)" by "(("invalid"|"authenticating")" user "[^ ]+" ")? { BEGIN(ssh_disconnect); return SSH_CONNECTION_CLOSED; }
<ssh_disconnect>[: ].*"[preauth]" { BEGIN(INITIAL) ; return SSH_PREAUTH_SUFF; } <ssh_disconnect>[: ].*"[preauth]" { BEGIN(INITIAL) ; return SSH_PREAUTH_SUFF; }
/* SSH: clients connecting with other application protocols */ /* SSH: clients connecting with other application protocols */
"Bad protocol version identification".*" from " { BEGIN(ssh_badp roto); return SSH_BADPROTOCOLIDENTIF; } "Bad protocol version identification".*" from " { BEGIN(ssh_badp roto); return SSH_BADPROTOCOLIDENTIF; }
<ssh_badproto>[ \n].* { BEGIN(INITIAL) ; return SSH_BADPROTOCOLIDENTIF_SUFF; } <ssh_badproto>[ \n].* { BEGIN(INITIAL) ; return SSH_BADPROTOCOLIDENTIF_SUFF; }
"fatal: "?"Unable to negotiate with " { BEGI N(ssh_badkex); return SSH_BADKEX_PREF; } "fatal: "?"Unable to negotiate with " { BEGI N(ssh_badkex); return SSH_BADKEX_PREF; }
<ssh_badkex>(" port ".*)?[: ].*"no matching ".*" found".* { BEGIN(INITIAL) ; return SSH_BADKEX_SUFF; } <ssh_badkex>(" port ".*)?[: ].*"no matching ".*" found".* { BEGIN(INITIAL) ; return SSH_BADKEX_SUFF; }
skipping to change at line 251 skipping to change at line 250
("(libdovecot."[0-9\.]+".dylib) ")?(imap|pop3)"-login: ""Info: "?("Aborted login "|Disconnected)" (auth failed, "{NUMBER}" attempts".*"): ".+" rip=" { BEGIN(dove cot_loginerr); return DOVECOT_IMAP_LOGINERR_PREF; } ("(libdovecot."[0-9\.]+".dylib) ")?(imap|pop3)"-login: ""Info: "?("Aborted login "|Disconnected)" (auth failed, "{NUMBER}" attempts".*"): ".+" rip=" { BEGIN(dove cot_loginerr); return DOVECOT_IMAP_LOGINERR_PREF; }
<dovecot_loginerr>", lip=".+ { BEGIN(INIT IAL); return DOVECOT_IMAP_LOGINERR_SUFF; } <dovecot_loginerr>", lip=".+ { BEGIN(INIT IAL); return DOVECOT_IMAP_LOGINERR_SUFF; }
/* UWimap login errors */ /* UWimap login errors */
"Login failed user="[^ ]+" auth="[^ ]*" host="[^ ]+" " { return UWIMAP_ LOGINERR; } "Login failed user="[^ ]+" auth="[^ ]*" host="[^ ]+" " { return UWIMAP_ LOGINERR; }
/* cyrus-imap login error */ /* cyrus-imap login error */
"badlogin: "[^\[]*"[" { BEGIN(cyrusima p_loginerr); return CYRUSIMAP_SASL_LOGINERR_PREF; } "badlogin: "[^\[]*"[" { BEGIN(cyrusima p_loginerr); return CYRUSIMAP_SASL_LOGINERR_PREF; }
<cyrusimap_loginerr>"] ".*"SASL".*"failed".?$ { BEGIN(INITIAL) ; return CYRUSIMAP_SASL_LOGINERR_SUFF; } <cyrusimap_loginerr>"] ".*"SASL".*"failed".?$ { BEGIN(INITIAL) ; return CYRUSIMAP_SASL_LOGINERR_SUFF; }
[iI]"maps TLS negotiation failed: " { return CYRUSIM
AP_TLS_ERR_PREF; }
"STARTTLS negotiation failed: " { return CYRUSIM
AP_TLS_ERR_PREF; }
/* postfix */ /* postfix */
"warning: "({WORD}|{HOSTADDR})"[" { BEGIN(postfix_ loginerr); return POSTFIX_SASL_LOGINERR_PREF; } "warning: "({WORD}|{HOSTADDR})"[" { BEGIN(postfix_ loginerr); return POSTFIX_SASL_LOGINERR_PREF; }
<postfix_loginerr>"]: SASL "[-A-Z0-9]+" authentication failed".* { BEGIN(INIT IAL); return POSTFIX_SASL_LOGINERR_SUFF; } <postfix_loginerr>"]: SASL "[-A-Z0-9]+" authentication failed".* { BEGIN(INIT IAL); return POSTFIX_SASL_LOGINERR_SUFF; }
"lost connection after AUTH from ".*"[" { return POSTFIX _NO_AUTH_PREF; } "lost connection after AUTH from ".*"[" { return POSTFIX _NO_AUTH_PREF; }
"action=greylist".*"client_address=" { BEGIN(postfix_ greylist); return POSTFIX_GREYLIST; } "action=greylist".*"client_address=" { BEGIN(postfix_ greylist); return POSTFIX_GREYLIST; }
<postfix_greylist>",".* { BEGIN(INITIAL) ; return POSTFIX_GREYLIST_SUFF; } <postfix_greylist>",".* { BEGIN(INITIAL) ; return POSTFIX_GREYLIST_SUFF; }
"PREGREET".*"[" { BEGIN(postscre
en); return POSTSCREEN_PREF; }
"DNSBL".*"[" { BEGIN(postscre
en); return POSTSCREEN_PREF; }
"HANGUP".*"[" { BEGIN(postscre
en); return POSTSCREEN_PREF; }
<postscreen>"]:".* { BEGIN(INITIAL)
; return POSTSCREEN_SUFF; }
/* FreeBSD's ftpd login errors */ /* FreeBSD's ftpd login errors */
"FTP LOGIN FAILED FROM " { BEGIN(freebsdf tpd_loginerr); return FREEBSDFTPD_LOGINERR_PREF; } "FTP LOGIN FAILED FROM " { BEGIN(freebsdf tpd_loginerr); return FREEBSDFTPD_LOGINERR_PREF; }
<freebsdftpd_loginerr>", ".+ { BEGIN(INITIAL) ; return FREEBSDFTPD_LOGINERR_SUFF; } <freebsdftpd_loginerr>", ".+ { BEGIN(INITIAL) ; return FREEBSDFTPD_LOGINERR_SUFF; }
/* ProFTPd */ /* ProFTPd */
{HOSTADDR}" ("[^\[]+"[" { BEGIN(proftpd_ loginerr); return PROFTPD_LOGINERR_PREF; } {HOSTADDR}" ("[^\[]+"[" { BEGIN(proftpd_ loginerr); return PROFTPD_LOGINERR_PREF; }
<proftpd_loginerr>"])".*" no such user "("found ")?.+ { BEGIN(INITIAL) ; return PROFTPD_LOGINERR_SUFF; } <proftpd_loginerr>"])".*" no such user "("found ")?.+ { BEGIN(INITIAL) ; return PROFTPD_LOGINERR_SUFF; }
/* another log entry from ProFTPd */ /* another log entry from ProFTPd */
{HOSTADDR}" ("[[]+"[" { BEGIN(proftpd_ loginerr); return PROFTPD_LOGINERR_PREF; } {HOSTADDR}" ("[[]+"[" { BEGIN(proftpd_ loginerr); return PROFTPD_LOGINERR_PREF; }
"]) - USER "{WORD}" (Login failed): ".* { BEGIN(INITIAL) ; return PROFTPD_LOGINERR_SUFF; } "]) - USER "{WORD}" (Login failed): ".* { BEGIN(INITIAL) ; return PROFTPD_LOGINERR_SUFF; }
 End of changes. 4 change blocks. 
7 lines changed or deleted 10 lines changed or added
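Review bot: The three new postscreen prefix rules (`"PREGREET".*"["`, `"DNSBL".*"["`, `"HANGUP".*"["`) put `.*` before the bracket, and because flex takes the longest match, the prefix runs to the last `[` on the line rather than the one that opens the peer address. As far as I know, postscreen's PREGREET record appends the text the client sent after the `[addr]:port` field, so remote-controlled bytes sit to the right of the address this rule is meant to isolate, and the address token that follows could be read from them; for a tool that turns parsed addresses into firewall blocks, that is worth closing off. Stopping at the first bracket, as the Cyrus rule in this file already does with `"badlogin: "[^\[]*"["`, would give `"PREGREET"[^\[]*"[" { BEGIN(postscreen); return POSTSCREEN_PREF; }`, and likewise for DNSBL and HANGUP. The keywords are also not tied to a postscreen program tag, and unlike the neighbouring rules the block has no `/* postscreen */` comment with a sample log line; how the grammar consumes POSTSCREEN_PREF is not shown on this page, so the impact should be confirmed there.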
