guardian: Add upstream patch for HTTP parser.
authorStefan Schantl <stefan.schantl@ipfire.org>
Tue, 4 Feb 2020 07:59:33 +0000 (08:59 +0100)
committerArne Fitzenreiter <arne_f@ipfire.org>
Sun, 16 Feb 2020 15:56:35 +0000 (15:56 +0000)
Fixes #12289.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
lfs/guardian
src/patches/guardian-2.0.2-http-parser.patch [new file with mode: 0644]

index a40480c..3e2c334 100644 (file)
@@ -33,7 +33,7 @@ DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 
 PROG       = guardian
-PAK_VER    = 18
+PAK_VER    = 19
 
 DEPS       = "perl-inotify2 perl-Net-IP"
 
@@ -79,6 +79,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        @$(PREBUILD)
        @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axvf $(DIR_DL)/$(DL_FILE)
 
+       # Add upstream patches.
+       cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/guardian-2.0.2-http-parser.patch
+
        # Adjust path for firewall binaries.
        cd $(DIR_APP) && sed -i "s|/usr/sbin/|/sbin/|g" modules/IPtables.pm
 
diff --git a/src/patches/guardian-2.0.2-http-parser.patch b/src/patches/guardian-2.0.2-http-parser.patch
new file mode 100644 (file)
index 0000000..1ecae65
--- /dev/null
@@ -0,0 +1,45 @@
+commit 5028c7fde1fa15e4960f2fec3c025d0338382895
+Author: Stefan Schantl <stefan.schantl@ipfire.org>
+Date:   Tue Feb 4 07:55:48 2020 +0100
+
+    Parser: Adjust HTTP parser to be compatible with newer log format.
+    
+    Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
+
+diff --git a/modules/Parser.pm b/modules/Parser.pm
+index 3880228..bcca88f 100644
+--- a/modules/Parser.pm
++++ b/modules/Parser.pm
+@@ -302,7 +302,7 @@ sub message_parser_httpd (@) {
+       # been passed.
+       foreach my $line (@message) {
+               # This will catch brute-force attacks against htaccess logins (username).
+-              if ($line =~ /.*\[error\] \[client (.*)\] user(.*) not found:.*/) {
++              if ($line =~ /.*\[client (.*)\] .* user(.*) not found:.*/) {
+                       # Store the grabbed IP-address.
+                       $address = $1;
+@@ -311,7 +311,7 @@ sub message_parser_httpd (@) {
+               }
+               # Detect htaccess password brute-forcing against a username.
+-              elsif ($line =~ /.*\[error\] \[client (.*)\] user(.*): authentication failure for.*/) {
++              elsif ($line =~ /.*\[client (.*)\] .* user(.*): authentication failure for.*/) {
+                       # Store the extracted IP-address.
+                       $address = $1;
+@@ -321,6 +321,14 @@ sub message_parser_httpd (@) {
+               # Check if at least the IP-address information has been extracted.
+               if (defined ($address)) {
++                      # Check if the address also contains a port value.
++                      if ($address =~ m/:/) {
++                              my ($add_address, $port) = split(/:/, $address);
++
++                              # Only process the address.
++                              $address = $add_address;
++                      }
++
+                       # Add the extracted values and event message to the actions array.
+                       push(@actions, "count $address $name $message");
+               }