Commit | Line | Data |
---|---|---|
56f4f279 SS |
1 | commit 5028c7fde1fa15e4960f2fec3c025d0338382895 |
2 | Author: Stefan Schantl <stefan.schantl@ipfire.org> | |
3 | Date: Tue Feb 4 07:55:48 2020 +0100 | |
4 | ||
5 | Parser: Adjust HTTP parser to be compatible with newer log format. | |
6 | ||
7 | Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> | |
8 | ||
9 | diff --git a/modules/Parser.pm b/modules/Parser.pm | |
10 | index 3880228..bcca88f 100644 | |
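--- a/modules/Parser.pm
+++ b/modules/Parser.pm
@@ -302,7 +302,7 @@ sub message_parser_httpd (@) {
 # been passed.
 foreach my $line (@message) {
 # This will catch brute-force attacks against htaccess logins (username).
- if ($line =~ /.*\[error\] \[client (.*)\] user(.*) not found:.*/) {
+ if ($line =~ /.*\[client (.*)\] .* user(.*) not found:.*/) {
 # Store the grabbed IP-address.
 $address = $1;
 
@@ -311,7 +311,7 @@ sub message_parser_httpd (@) {
 }
 
 # Detect htaccess password brute-forcing against a username.
- elsif ($line =~ /.*\[error\] \[client (.*)\] user(.*): authentication failure for.*/) {
+ elsif ($line =~ /.*\[client (.*)\] .* user(.*): authentication failure for.*/) {
 # Store the extracted IP-address.
 $address = $1;
 
@@ -321,6 +321,14 @@ sub message_parser_httpd (@) {
 
 # Check if at least the IP-address information has been extracted.
 if (defined ($address)) {
+ # Check if the address also contains a port value.
+ if ($address =~ m/:/) {
+ my ($add_address, $port) = split(/:/, $address);
+
+ # Only process the address.
+ $address = $add_address;
+ }
+
 # Add the extracted values and event message to the actions array.
 push(@actions, "count $address $name $message"); 
 }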
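Review bot: The relaxed patterns in the first two hunks take the address from a greedy, unanchored `\[client (.*)\]`, so text later in the line, including the user name supplied by the client, can end up in `$1`; because that value is pushed into `@actions` as the address to count, a mis-captured value means the wrong host is counted. The port handling added in the third hunk then keeps only the text before the first `:`, which would reduce an IPv6 client to its first group, and `$port` is never used. Capturing an address-shaped token and dropping the port in the pattern itself covers both for IPv4, e.g. `\[client (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\]`, with IPv6 handled as a separate, explicit case. `message_parser_httpd` starts and ends outside these hunks, so whether `$address` is validated further downstream is not visible here.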