1 commit 5028c7fde1fa15e4960f2fec3c025d0338382895
2 Author: Stefan Schantl <stefan.schantl@ipfire.org>
3 Date: Tue Feb 4 07:55:48 2020 +0100
5 Parser: Adjust HTTP parser to be compatible with newer log format.
7 Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
9 diff --git a/modules/Parser.pm b/modules/Parser.pm
10 index 3880228..bcca88f 100644
11 --- a/modules/Parser.pm
12 +++ b/modules/Parser.pm
13 @@ -302,7 +302,7 @@ sub message_parser_httpd (@) {
15 foreach my $line (@message) {
16 # This will catch brute-force attacks against htaccess logins (username).
17 - if ($line =~ /.*\[error\] \[client (.*)\] user(.*) not found:.*/) {
18 + if ($line =~ /.*\[client (.*)\] .* user(.*) not found:.*/) {
19 # Store the grabbed IP-address.
22 @@ -311,7 +311,7 @@ sub message_parser_httpd (@) {
25 # Detect htaccess password brute-forcing against a username.
26 - elsif ($line =~ /.*\[error\] \[client (.*)\] user(.*): authentication failure for.*/) {
27 + elsif ($line =~ /.*\[client (.*)\] .* user(.*): authentication failure for.*/) {
28 # Store the extracted IP-address.
31 @@ -321,6 +321,14 @@ sub message_parser_httpd (@) {
33 # Check if at least the IP-address information has been extracted.
34 if (defined ($address)) {
35 + # Check if the address also contains a port value.
36 + if ($address =~ m/:/) {
37 + my ($add_address, $port) = split(/:/, $address);
39 + # Only process the address.
40 + $address = $add_address;
43 # Add the extracted values and event message to the actions array.
44 push(@actions, "count $address $name $message");