guardian: Add upstream patch for HTTP parser.

Fixes #12289.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

diff --git a/lfs/guardian b/lfs/guardian
index a40480c0c8ad1d5792028bf582e432bf311a3a7e..3e2c3347f5be3bb980d116b1cc25cce8e8cfe7e1 100644 (file)
--- a/lfs/guardian
+++ b/lfs/guardian
@@ -33,7 +33,7 @@ DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 
 PROG       = guardian
 TARGET     = $(DIR_INFO)/$(THISAPP)
 
 PROG       = guardian

-PAK_VER    = 18
+PAK_VER    = 19

 
 DEPS       = "perl-inotify2 perl-Net-IP"
 
 
 DEPS       = "perl-inotify2 perl-Net-IP"
 


@@ -79,6 +79,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        @$(PREBUILD)
        @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axvf $(DIR_DL)/$(DL_FILE)
 
        @$(PREBUILD)
        @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axvf $(DIR_DL)/$(DL_FILE)
 

+       # Add upstream patches.
+       cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/guardian-2.0.2-http-parser.patch
+

        # Adjust path for firewall binaries.
        cd $(DIR_APP) && sed -i "s|/usr/sbin/|/sbin/|g" modules/IPtables.pm
 
        # Adjust path for firewall binaries.
        cd $(DIR_APP) && sed -i "s|/usr/sbin/|/sbin/|g" modules/IPtables.pm
 

diff --git a/src/patches/guardian-2.0.2-http-parser.patch b/src/patches/guardian-2.0.2-http-parser.patch
new file mode 100644 (file)
index 0000000..1ecae65
--- /dev/null
+++ b/src/patches/guardian-2.0.2-http-parser.patch
@@ -0,0 +1,45 @@
+commit 5028c7fde1fa15e4960f2fec3c025d0338382895
+Author: Stefan Schantl <stefan.schantl@ipfire.org>
+Date:   Tue Feb 4 07:55:48 2020 +0100
+
+    Parser: Adjust HTTP parser to be compatible with newer log format.
+    
+    Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
+
+diff --git a/modules/Parser.pm b/modules/Parser.pm
+index 3880228..bcca88f 100644
+--- a/modules/Parser.pm
++++ b/modules/Parser.pm
+@@ -302,7 +302,7 @@ sub message_parser_httpd (@) {
+       # been passed.
+       foreach my $line (@message) {
+               # This will catch brute-force attacks against htaccess logins (username).
+-              if ($line =~ /.*\[error\] \[client (.*)\] user(.*) not found:.*/) {
++              if ($line =~ /.*\[client (.*)\] .* user(.*) not found:.*/) {
+                       # Store the grabbed IP-address.
+                       $address = $1;
+ 
+@@ -311,7 +311,7 @@ sub message_parser_httpd (@) {
+               }
+ 
+               # Detect htaccess password brute-forcing against a username.
+-              elsif ($line =~ /.*\[error\] \[client (.*)\] user(.*): authentication failure for.*/) {
++              elsif ($line =~ /.*\[client (.*)\] .* user(.*): authentication failure for.*/) {
+                       # Store the extracted IP-address.
+                       $address = $1;
+ 
+@@ -321,6 +321,14 @@ sub message_parser_httpd (@) {
+ 
+               # Check if at least the IP-address information has been extracted.
+               if (defined ($address)) {
++                      # Check if the address also contains a port value.
++                      if ($address =~ m/:/) {
++                              my ($add_address, $port) = split(/:/, $address);
++
++                              # Only process the address.
++                              $address = $add_address;
++                      }
++
+                       # Add the extracted values and event message to the actions array.
+                       push(@actions, "count $address $name $message");
+               }