Package: sshguard Version: 1.5-5 Severity: normal Tags: upstream l10n patch
Hi! I'm running sshguard with syslog-ng configured with the option options {ts_format(iso);}; for ISO-8601 timestamps which contain the full year and timezone data. These timestamps are not supported in version 1.5-5 of sshguard. Included a patch for ISO-8601 support. I would be glad if this patch find it's way into sshguard -- perhaps even in the upstram source. *** /home/olf/tmp/sshguard-1.5.0.patch diff --git a/src/parser/attack_parser.y b/src/parser/attack_parser.y index da5a2a0..46acf59 100644 --- a/src/parser/attack_parser.y +++ b/src/parser/attack_parser.y @@ -85,7 +85,7 @@ static struct { %token <num> INTEGER SYSLOG_BANNER_PID LAST_LINE_REPEATED_N_TIMES /* flat tokens */ -%token SYSLOG_BANNER TIMESTAMP_SYSLOG TIMESTAMP_TAI64 AT_TIMESTAMP_TAI64 METALOG_BANNER +%token SYSLOG_BANNER TIMESTAMP_SYSLOG TIMESTAMP_SYSLOG_ISO TIMESTAMP_TAI64 AT_TIMESTAMP_TAI64 METALOG_BANNER /* ssh */ %token SSH_INVALUSERPREF SSH_NOTALLOWEDPREF SSH_NOTALLOWEDSUFF %token SSH_LOGINERR_PREF SSH_LOGINERR_SUFF SSH_LOGINERR_PAM diff --git a/src/parser/attack_scanner.l b/src/parser/attack_scanner.l index 45e7c22..7dc3685 100644 --- a/src/parser/attack_scanner.l +++ b/src/parser/attack_scanner.l @@ -78,8 +78,13 @@ MINPS [0-5][0-9] WORD [a-zA-Z0-9][-_a-zA-Z0-9]+ NUMBER [1-9][0-9]* HOSTADDR localhost|([-a-zA-Z0-9]+\.)+[a-zA-Z]+ +YEAR [0-9][0-9][0-9][0-9] +MONTHNO 0[1-9]|1[0-2] +DAY 0[1-9]|[1-2][0-9]|3[0-1] +TZ Z|[\+\-][0-9][0-9]:[0-9][0-9] TIMESTAMP_SYSLOG {MONTH}\ +{DAYNO}\ +{HOUR}:{MINPS}:{MINPS} +TIMESTAMP_SYSLOG_ISO {YEAR}"-"{MONTHNO}"-"{DAY}"T"{HOUR}":"{MINPS}":"{MINPS}{TZ} TIMESTAMP_TAI64 [0-9A-Fa-f]{24} SOLARIS_MSGID_TAG "[ID "[0-9]+" "{WORD}"."{WORD}"]" 
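Review bot: `TIMESTAMP_SYSLOG_ISO` is declared on the flat `%token` line, but this is the only hunk for attack_parser.y, so no production visible in the patch consumes the new token. The scanner change later in the patch returns it for a bare ISO timestamp; if the grammar has no rule accepting it, such a line would presumably fail to parse instead of being treated as a log prefix. Either add the production next to whatever handles `TIMESTAMP_SYSLOG`, or say so at the declaration, e.g. `/* TIMESTAMP_SYSLOG_ISO: returned by the scanner, no production yet */`. The grammar rules lie outside this hunk, so this needs checking against the full file.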
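Review bot: `TIMESTAMP_SYSLOG_ISO` accepts whole seconds only, so an ISO-8601 stamp carrying fractional seconds (for example syslog-ng with `frac_digits()` set) will not match. Those entries would presumably go unrecognised, which for a tool that blocks on parsed log lines is a silent detection gap. An optional fraction covers it: `TIMESTAMP_SYSLOG_ISO {YEAR}"-"{MONTHNO}"-"{DAY}"T"{HOUR}":"{MINPS}":"{MINPS}(\.[0-9]+)?{TZ}`. Separately, `MONTHNO`, `DAY` and `TZ` are bare alternations; flex parenthesises definitions when expanding them, but its lex-compatibility and POSIX modes do not, so writing `MONTHNO (0[1-9]|1[0-2])` (and likewise for the other two) keeps the composed pattern unambiguous.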
@@ -107,13 +112,13 @@ IPV4MAPPED6 ((:(:0{1,4}){0,4}|0{1,4}:(:0{1,4}){1,3}|(0{1,4}:){2}(0{1,4}:0{0,4}:0 */ /* handle entries with PID and without PID from processes other than sshguard */ -{TIMESTAMP_SYSLOG}[ ]+([a-zA-Z0-9]|{WORD}|{HOSTADDR})[ ]+{PROCESSNAME}"["{NUMBER}"]: "{SOLARIS_MSGID_TAG}? { +({TIMESTAMP_SYSLOG}|{TIMESTAMP_SYSLOG_ISO})[ ]+([a-zA-Z0-9]|{WORD}|{HOSTADDR})[ ]+{PROCESSNAME}"["{NUMBER}"]: "{SOLARIS_MSGID_TAG}? { /* extract PID */ yylval.num = getsyslogpid(yytext, yyleng); return SYSLOG_BANNER_PID; } -{TIMESTAMP_SYSLOG}[ ]+([a-zA-Z0-9]|{WORD}|{HOSTADDR})[ ]+({PROCESSNAME}":")? { return SYSLOG_BANNER; } +({TIMESTAMP_SYSLOG}|{TIMESTAMP_SYSLOG_ISO})[ ]+([a-zA-Z0-9]|{WORD}|{HOSTADDR})[ ]+({PROCESSNAME}":")? { return SYSLOG_BANNER; } /* syslog style "last message repeated N times" */ "last message repeated "([1-9][0-9]*)" times" { @@ -123,7 +128,7 @@ IPV4MAPPED6 ((:(:0{1,4}){0,4}|0{1,4}:(:0{1,4}){1,3}|(0{1,4}:){2}(0{1,4}:0{0,4}:0 } /* metalog banner */ -{TIMESTAMP_SYSLOG}" ["{PROCESSNAME}"] " { return METALOG_BANNER; } +({TIMESTAMP_SYSLOG}|{TIMESTAMP_SYSLOG_ISO})" ["{PROCESSNAME}"] " { return METALOG_BANNER; } /* SSH: invalid or rejected user (cross platform [generated by openssh]) */ 
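Review bot: The alternation `({TIMESTAMP_SYSLOG}|{TIMESTAMP_SYSLOG_ISO})` is now spelled out in three rules, the two syslog banner rules in this hunk and the metalog banner rule in the next one, so a further timestamp format would have to be added in three places. Define it once in the definitions section, e.g. `TIMESTAMP_ANY ({TIMESTAMP_SYSLOG}|{TIMESTAMP_SYSLOG_ISO})`, and use `{TIMESTAMP_ANY}` in the rules. The comment above the first rule should also name the accepted formats, e.g. `/* timestamp is either classic syslog or ISO-8601 (syslog-ng ts_format(iso)) */`. Nothing in the patch shows that metalog emits ISO stamps; if it does not, leave the metalog rule on `{TIMESTAMP_SYSLOG}` so the scanner accepts no more banner shapes than are known to occur.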
@@ -212,6 +217,10 @@ IPV4MAPPED6 ((:(:0{1,4}){0,4}|0{1,4}:(:0{1,4}){1,3}|(0{1,4}:){2}(0{1,4}:0{0,4}:0 /*{MONTH}\ +{DAYNO}\ +{HOUR}:{MINPS}:{MINPS} { return TIMESTAMP_SYSLOG; }*/ {TIMESTAMP_SYSLOG} { return TIMESTAMP_SYSLOG; } + /* syslog-ng ISO timestamp */ + /*{YEAR}"-"{MONTH}"-"{DAY}"T"{HOUR}":"{MINPS}":"{MINPS}{TZ} { return TIMESTAMP_SYSLOG_ISO; }*/ +{TIMESTAMP_SYSLOG_ISO} { return TIMESTAMP_SYSLOG_ISO; } + /* TAI64 timestamp */ "@"{TIMESTAMP_TAI64} { return AT_TIMESTAMP_TAI64; } {TIMESTAMP_TAI64} { return TIMESTAMP_TAI64; } -- System Information: Debian Release: wheezy/sid APT prefers testing APT policy: (900, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores) Locale: LANG=C, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages sshguard depends on: ii iptables 1.4.14-3 ii libc6 2.13-35 sshguard recommends no packages. sshguard suggests no packages. -- Configuration Files: /etc/default/sshguard changed [not included] -- no debconf information -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
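Review bot: The commented-out pattern added above the new rule uses `{MONTH}` where the live definition uses `{MONTHNO}`, so the comment describes a different regex from the one that is compiled. It copies the dead line kept above `{TIMESTAMP_SYSLOG}`, but `{TIMESTAMP_SYSLOG_ISO}` already names the pattern, so the copy only adds a second place to go stale. Drop it and keep a single descriptive comment, e.g. `/* syslog-ng ISO-8601 timestamp: YYYY-MM-DDThh:mm:ss followed by Z or +hh:mm */`.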