Merge pull request #381 from grooverdan/suhosin

ENH: filter.d/suhosin - anchor regex at start
pull/379/merge
Yaroslav Halchenko 2013-10-08 19:49:51 -07:00
commit 500968874e
2 changed files with 14 additions and 1 deletions


@ -71,6 +71,7 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests
François Boulogne and Frédéric
* filter.d/lighttpd - auth regexs for lighttpd-1.4.31
Daniel Black
* filter.d/suhosin - regex anchor at start
* filter.d/{asterisk,assp,dovecot,proftpd}.conf -- regex hardening
and extra failure examples in sample logs
* filter.d/apache-auth - added expressions for mod_authz, mod_auth and


@ -3,14 +3,26 @@
# Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = (?:lighttpd|suhosin)
# Option: failregex
# Notes.: regex to match ALERTS as notified by lighttpd's FastCGI Module
# Values: TEXT
#
# https://github.com/stefanesser/suhosin/blob/1fba865ab73cc98a3109f88d85eb82c1bfc29b37/log.c#L161
failregex = ALERT - .* \(attacker '<HOST>', file '.*'(?:, line \d+)?\)$
_lighttpd_prefix = (?:\(mod_fastcgi\.c\.\d+\) FastCGI-stderr:\s)
failregex = ^%(__prefix_line)s%(_lighttpd_prefix)s?ALERT - .* \(attacker '<HOST>', file '.*'(?:, line \d+)?\)$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
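Review bot: The new failregex is anchored at both ends, but the `.*` after `ALERT - ` and the one inside `file '.*'` are still unbounded, so which `(attacker '<HOST>'` clause is captured depends on greedy matching rather than on the pattern itself. If the alert text can carry request-derived content (not visible from this hunk), narrowing the file field to `file '[^']*'` would make only the final clause eligible, at the cost of not matching paths that contain an apostrophe. The `# Notes.:` line above the rule still describes only lighttpd's FastCGI module, although `_lighttpd_prefix` is now optional and `_daemon` also accepts suhosin; a wording such as `# Notes.:  regex to match ALERT lines logged by suhosin, directly or via lighttpd's FastCGI stderr` would match the rule, and `_lighttpd_prefix` deserves a one-line comment of its own. The commit touches only the ChangeLog and this filter, so it is worth confirming that an existing sample log exercises both the prefixed and the unprefixed form. The `[Definition]` section continues past the end of this hunk.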