From 055aeeb227e129fdf56bacb3e1ee006264cd2350 Mon Sep 17 00:00:00 2001
From: Steven Hiscocks
Date: Wed, 23 Jan 2013 18:42:25 +0000
Subject: [PATCH] Filter for multi-line now stores last time match

This is useful for log files which dont contain a date/time on every line
---
 server/filter.py | 5 ++++-
 testcases/files/testcase-multiline.log | 20 ++++++++++----------
 testcases/filtertestcase.py | 4 ++--
 3 files changed, 16 insertions(+), 13 deletions(-)

diff --git a/server/filter.py b/server/filter.py
index a66a3c06..4d99ae33 100644
--- a/server/filter.py
+++ b/server/filter.py
@@ -75,6 +75,8 @@ class Filter(JailThread):
 self.__lineBufferSize = 1
 ## Line buffer
 self.__lineBuffer = []
+ ## Store last time stamp, applicable for multi-line
+ self.__lastTimeLine = ""
 self.dateDetector = DateDetector()
 self.dateDetector.addDefaultTemplate()
@@ -319,12 +321,13 @@ class Filter(JailThread):
 if timeMatch:
 # Lets split into time part and log part of the line
 timeLine = timeMatch.group()
+ self.__lastTimeLine = timeLine
 # Lets leave the beginning in as well, so if there is no
 # anchore at the beginning of the time regexp, we don't
 # at least allow injection. Should be harmless otherwise
 logLine = l[:timeMatch.start()] + l[timeMatch.end():]
 else:
- timeLine = l
+ timeLine = self.__lastTimeLine or l
 logLine = l
 self.__lineBuffer = ((self.__lineBuffer + [logLine])[-self.__lineBufferSize:])
diff --git a/testcases/files/testcase-multiline.log b/testcases/files/testcase-multiline.log
index b91f2756..12132920 100644
--- a/testcases/files/testcase-multiline.log
+++ b/testcases/files/testcase-multiline.log
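Review bot: In the `else:` branch, `timeLine = self.__lastTimeLine or l` hands an untimestamped line the time of whichever line last matched, with no bound on how long ago that was and no reset when the filter moves on to another log path or a rotated file, so a stray line can be dated arbitrarily far in the past or, if the filter watches several files, with another file's time. The enclosing method starts and ends outside the hunk, so I cannot see whether the caller still rejects lines that yield no usable time; if it does not, lines that were previously dropped for lack of a date are now counted, which is the intent here but deserves to be stated. Please extend the comment added in the first hunk to say so: `## Last time string seen on a timestamped line; untimestamped lines inherit it (never reset, so it may be stale or come from another log path)`. Consider clearing the value when a log path is removed and emitting a debug log line whenever the fallback is taken, so a mis-dated failure can be traced back to the line that supplied its time.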
@@ -1,12 +1,12 @@
-Aug 14 11:59:58 [sshd] Invalid user toto...
+Aug 14 11:59:58 [sshd] Invalid user toto
+ from 212.41.96.185
+Aug 14 11:59:58 [sshd] Invalid user toto
+ from 212.41.96.185
+Aug 14 11:59:58 [sshd] Invalid user duck
+ from 212.41.96.185
+Aug 14 11:59:58 [sshd] Invalid user toto
+ from 212.41.96.185
+Aug 14 11:59:58 [sshd] Invalid user duck...
 Aug 14 11:59:58 [sshd] from 212.41.96.185
-Aug 14 11:59:58 [sshd] Invalid user toto...
-Aug 14 11:59:58 [sshd] from 212.41.96.185
-Aug 14 11:59:58 [sshd] Invalid user fuck...
-Aug 14 11:59:58 [sshd] from 212.41.96.185
-Aug 14 11:59:58 [sshd] Invalid user toto...
-Aug 14 11:59:58 [sshd] from 212.41.96.185
-Aug 14 11:59:58 [sshd] Invalid user fuck...
-Aug 14 11:59:58 [sshd] from 212.41.96.185
-Aug 14 11:59:58 [sshd] Invalid user fuck...
+Aug 14 11:59:58 [sshd] Invalid user duck...
 Aug 14 11:59:58 [sshd] from 212.41.96.185
diff --git a/testcases/filtertestcase.py b/testcases/filtertestcase.py
index 31d89239..4083d231 100644
--- a/testcases/filtertestcase.py
+++ b/testcases/filtertestcase.py
@@ -608,8 +608,8 @@ class GetFailures(unittest.TestCase):
 def testGetFailuresMultiLine(self):
 output = ("212.41.96.185", 3, 1124013598.0)
 self.filter.addLogPath(GetFailures.FILENAME_MULTILINE)
- self.filter.addFailRegex("Invalid user .+\n.+ from $")
- self.filter.addIgnoreRegex("user fuck")
+ self.filter.addFailRegex("Invalid user .+\n.* from $")
+ self.filter.addIgnoreRegex("user duck")
 self.filter.setMaxLines(2)