[ipfire-2.x.git] / src / patches / guardian-2.0.2-http-parser.patch

commit 5028c7fde1fa15e4960f2fec3c025d0338382895
Author: Stefan Schantl <stefan.schantl@ipfire.org>
Date:   Tue Feb 4 07:55:48 2020 +0100

    Parser: Adjust HTTP parser to be compatible with newer log format.
    
    Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

diff --git a/modules/Parser.pm b/modules/Parser.pm
index 3880228..bcca88f 100644
--- a/modules/Parser.pm
+++ b/modules/Parser.pm
@@ -302,7 +302,7 @@ sub message_parser_httpd (@) {
 	# been passed.
 	foreach my $line (@message) {
 		# This will catch brute-force attacks against htaccess logins (username).
-		if ($line =~ /.*\[error\] \[client (.*)\] user(.*) not found:.*/) {
+		if ($line =~ /.*\[client (.*)\] .* user(.*) not found:.*/) {
 			# Store the grabbed IP-address.
 			$address = $1;
 
@@ -311,7 +311,7 @@ sub message_parser_httpd (@) {
 		}
 
 		# Detect htaccess password brute-forcing against a username.
-		elsif ($line =~ /.*\[error\] \[client (.*)\] user(.*): authentication failure for.*/) {
+		elsif ($line =~ /.*\[client (.*)\] .* user(.*): authentication failure for.*/) {
 			# Store the extracted IP-address.
 			$address = $1;
 
@@ -321,6 +321,14 @@ sub message_parser_httpd (@) {
 
 		# Check if at least the IP-address information has been extracted.
 		if (defined ($address)) {
+			# Check if the address also contains a port value.
+			if ($address =~ m/:/) {
+				my ($add_address, $port) = split(/:/, $address);
+
+				# Only process the address.
+				$address = $add_address;
+			}
+
 			# Add the extracted values and event message to the actions array.
 			push(@actions, "count $address $name $message");
 		}
Commit	Line	Data
56f4f279 SS	1	commit 5028c7fde1fa15e4960f2fec3c025d0338382895
	2	Author: Stefan Schantl <stefan.schantl@ipfire.org>
	3	Date: Tue Feb 4 07:55:48 2020 +0100
	4
	5	Parser: Adjust HTTP parser to be compatible with newer log format.
	6
	7	Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
	8
	9	diff --git a/modules/Parser.pm b/modules/Parser.pm
	10	index 3880228..bcca88f 100644
	11	--- a/modules/Parser.pm
	12	+++ b/modules/Parser.pm
	13	@@ -302,7 +302,7 @@ sub message_parser_httpd (@) {
	14	# been passed.
	15	foreach my $line (@message) {
	16	# This will catch brute-force attacks against htaccess logins (username).
	17	- if ($line =~ /.\[error\] \[client (.)\] user(.) not found:./) {
	18	+ if ($line =~ /.\[client (.)\] .* user(.) not found:./) {
	19	# Store the grabbed IP-address.
	20	$address = $1;
	21
	22	@@ -311,7 +311,7 @@ sub message_parser_httpd (@) {
	23	}
	24
	25	# Detect htaccess password brute-forcing against a username.
	26	- elsif ($line =~ /.\[error\] \[client (.)\] user(.): authentication failure for./) {
	27	+ elsif ($line =~ /.\[client (.)\] .* user(.): authentication failure for./) {
	28	# Store the extracted IP-address.
	29	$address = $1;
	30
	31	@@ -321,6 +321,14 @@ sub message_parser_httpd (@) {
	32
	33	# Check if at least the IP-address information has been extracted.
	34	if (defined ($address)) {
	35	+ # Check if the address also contains a port value.
	36	+ if ($address =~ m/:/) {
	37	+ my ($add_address, $port) = split(/:/, $address);
	38	+
	39	+ # Only process the address.
	40	+ $address = $add_address;
	41	+ }
	42	+
	43	# Add the extracted values and event message to the actions array.
	44	push(@actions, "count $address $name $message");
	45	}