]> git.ipfire.org Git - ipfire-2.x.git/blob - src/patches/guardian-2.0.2-http-parser.patch
projects / ipfire-2.x.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
suricata: Change midstream policy to "pass-flow"
[ipfire-2.x.git] / src / patches / guardian-2.0.2-http-parser.patch
1 commit 5028c7fde1fa15e4960f2fec3c025d0338382895
2 Author: Stefan Schantl <stefan.schantl@ipfire.org>
3 Date: Tue Feb 4 07:55:48 2020 +0100
4
5 Parser: Adjust HTTP parser to be compatible with newer log format.
6
7 Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
8
9 diff --git a/modules/Parser.pm b/modules/Parser.pm
10 index 3880228..bcca88f 100644
11 --- a/modules/Parser.pm
12 +++ b/modules/Parser.pm
13 @@ -302,7 +302,7 @@ sub message_parser_httpd (@) {
14 # been passed.
15 foreach my $line (@message) {
16 # This will catch brute-force attacks against htaccess logins (username).
17 - if ($line =~ /.*\[error\] \[client (.*)\] user(.*) not found:.*/) {
18 + if ($line =~ /.*\[client (.*)\] .* user(.*) not found:.*/) {
19 # Store the grabbed IP-address.
20 $address = $1;
21
22 @@ -311,7 +311,7 @@ sub message_parser_httpd (@) {
23 }
24
25 # Detect htaccess password brute-forcing against a username.
26 - elsif ($line =~ /.*\[error\] \[client (.*)\] user(.*): authentication failure for.*/) {
27 + elsif ($line =~ /.*\[client (.*)\] .* user(.*): authentication failure for.*/) {
28 # Store the extracted IP-address.
29 $address = $1;
30
31 @@ -321,6 +321,14 @@ sub message_parser_httpd (@) {
32
33 # Check if at least the IP-address information has been extracted.
34 if (defined ($address)) {
35 + # Check if the address also contains a port value.
36 + if ($address =~ m/:/) {
37 + my ($add_address, $port) = split(/:/, $address);
38 +
39 + # Only process the address.
40 + $address = $add_address;
41 + }
42 +
43 # Add the extracted values and event message to the actions array.
44 push(@actions, "count $address $name $message");
45 }
IPFire 2.x development tree