Merge pull request #381 from grooverdan/suhosin

ENH: filter.d/suhosin - anchor regex at start

ChangeLog

@@ -71,6 +71,7 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests
   François Boulogne and Frédéric
    * filter.d/lighttpd - auth regexs for lighttpd-1.4.31
   Daniel Black
+   * filter.d/suhosin - regex anchor at start
    * filter.d/{asterisk,assp,dovecot,proftpd}.conf -- regex hardening
      and extra failure examples in sample logs
    * filter.d/apache-auth - added expressions for mod_authz, mod_auth and

config/filter.d/suhosin.conf

@@ -3,14 +3,26 @@
 # Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
 #
 
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
 [Definition]
 
+_daemon = (?:lighttpd|suhosin)
+
 # Option:  failregex
 # Notes.:  regex to match ALERTS as notified by lighttpd's FastCGI Module
 # Values:  TEXT
 #
 # https://github.com/stefanesser/suhosin/blob/1fba865ab73cc98a3109f88d85eb82c1bfc29b37/log.c#L161
-failregex = ALERT - .* \(attacker '<HOST>', file '.*'(?:, line \d+)?\)$
+
+_lighttpd_prefix = (?:\(mod_fastcgi\.c\.\d+\) FastCGI-stderr:\s)
+
+failregex = ^%(__prefix_line)s%(_lighttpd_prefix)s?ALERT - .* \(attacker '<HOST>', file '.*'(?:, line \d+)?\)$
 
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.