From 9637c278738733f1f81a1d78ef3aee79032c6b37 Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Sat, 5 Oct 2013 19:39:39 +1000 Subject: [PATCH] ENH: filter.d/suhosin - anchor regex at start --- ChangeLog | 1 + config/filter.d/suhosin.conf | 14 +++++++++++++- 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 46b12528..81131b97 100644 --- a/ChangeLog +++ b/ChangeLog @@ -71,6 +71,7 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests François Boulogne and Frédéric * filter.d/lighttpd - auth regexs for lighttpd-1.4.31 Daniel Black + * filter.d/suhosin - regex anchor at start * filter.d/{asterisk,assp,dovecot,proftpd}.conf -- regex hardening and extra failure examples in sample logs * filter.d/apache-auth - added expressions for mod_authz, mod_auth and diff --git a/config/filter.d/suhosin.conf b/config/filter.d/suhosin.conf index c79c157f..f0bcea77 100644 --- a/config/filter.d/suhosin.conf +++ b/config/filter.d/suhosin.conf @@ -3,14 +3,26 @@ # Author: Arturo 'Buanzo' Busleiman # +[INCLUDES] + +# Read common prefixes. If any customizations available -- read them from +# common.local +before = common.conf + + [Definition] +_daemon = (?:lighttpd|suhosin) + # Option: failregex # Notes.: regex to match ALERTS as notified by lighttpd's FastCGI Module # Values: TEXT # # https://github.com/stefanesser/suhosin/blob/1fba865ab73cc98a3109f88d85eb82c1bfc29b37/log.c#L161 -failregex = ALERT - .* \(attacker '', file '.*'(?:, line \d+)?\)$ + +_lighttpd_prefix = (?:\(mod_fastcgi\.c\.\d+\) FastCGI-stderr:\s) + +failregex = ^%(__prefix_line)s%(_lighttpd_prefix)s?ALERT - .* \(attacker '', file '.*'(?:, line \d+)?\)$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored.
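Review bot: The new `failregex` is anchored at the start, but both `.*` runs are still unbounded: the one after `ALERT - ` spans Suhosin's message text, which presumably can carry request-derived strings, and `file '.*'` can run across later quotes. Which address ends up in the attacker field capture (the host tag inside `attacker ''` is not visible in this rendering) therefore rests on greedy matching plus the `$` anchor; if the trailing field ever fails to match, the engine can fall back to an earlier look-alike inside the message, so I would tighten the tail to `file '[^']*'`. A sample log line whose message text itself contains a quoted attacker/file fragment, asserting that the trailing address is the one captured, would pin this down in the filter's test logs. The `?` after `%(_lighttpd_prefix)s` only covers the whole prefix because that variable is wrapped in `(?:...)`, which deserves a comment such as `# keep the (?:...) wrapper: failregex applies ? to this whole group`. The `Notes.:` line still describes lighttpd's FastCGI module only, although `_daemon` now also accepts `suhosin`, and the `[Definition]` section continues past the end of this hunk.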