diff --git a/ChangeLog b/ChangeLog
index 42e5b41d..25f8d534 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -33,6 +33,8 @@ ver. 0.8.4 (2008/??/??) - stable
 Ravin. Tracker #2484115.
 - Added cyrus-imap and sieve filters. Thanks to Jan Wagner. Debian bug
 #513953.
+- Changed template to be more restrictive. Debian bug
+ #514163.
 ver. 0.8.3 (2008/07/17) - stable
 ----------
diff --git a/config/filter.d/apache-auth.conf b/config/filter.d/apache-auth.conf
index 20553d91..962fb2e3 100644
--- a/config/filter.d/apache-auth.conf
+++ b/config/filter.d/apache-auth.conf
@@ -11,7 +11,7 @@
 # Notes.: regex to match the password failure messages in the logfile. The
 # host must be matched by a group named "host". The tag "" can
 # be used for standard IP/hostname matching and is only an alias for
-# (?:::f{4,6}:)?(?P\S+)
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
 # Values: TEXT
 #
 failregex = [[]client []] user .* authentication failure
diff --git a/config/filter.d/apache-noscript.conf b/config/filter.d/apache-noscript.conf
index 25dd62d3..4746fbfb 100644
--- a/config/filter.d/apache-noscript.conf
+++ b/config/filter.d/apache-noscript.conf
@@ -11,7 +11,7 @@
 # Notes.: regex to match the password failure messages in the logfile. The
 # host must be matched by a group named "host". The tag "" can
 # be used for standard IP/hostname matching and is only an alias for
-# (?:::f{4,6}:)?(?P\S+)
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
 # Values: TEXT
 #
 failregex = [[]client []] (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)
diff --git a/config/filter.d/common.conf b/config/filter.d/common.conf
index ee084229..b580c78d 100644
--- a/config/filter.d/common.conf
+++ b/config/filter.d/common.conf
@@ -3,7 +3,7 @@
 #
 # Author: Yaroslav Halchenko
 #
-# $Revision: $
+# $Revision$
 #
 [INCLUDES]
diff --git a/config/filter.d/courierlogin.conf b/config/filter.d/courierlogin.conf
index a5b6d161..b8710ac3 100644
--- a/config/filter.d/courierlogin.conf
+++ b/config/filter.d/courierlogin.conf
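Review bot: In the alias documented on the added line, `[\w\-.^_]+`, the `^` is not an anchor but a literal caret (it is not the first character of the class), so a caret would be accepted as part of the captured host, and `_` is already covered by `\w`; unless the caret is deliberate the class should read `[\w\-.]+`, which matches how the sasl.conf failregex on this same page already spells a comparable class, `[-._\w]+`. The identical comment change appears in the apache-noscript, courierlogin, couriersmtp, cyrus-imap, exim, postfix, proftpd, pure-ftpd, qmail, sasl, sshd-ddos, sshd, vsftpd, webmin-auth and xinetd-fail hunks, and the expansion itself is the one-line change in the server/failregex.py hunk, so all of them have to move together with whatever class is finally chosen. Because sixteen filter files restate the expansion verbatim, a comment that points at the single definition rather than copying it would avoid this kind of drift, e.g. `# be used for standard IP/hostname matching; the expansion is defined in server/failregex.py`.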
@@ -12,7 +12,7 @@
 # Notes.: regex to match the password failures messages in the logfile. The
 # host must be matched by a group named "host". The tag "" can
 # be used for standard IP/hostname matching and is only an alias for
-# (?:::f{4,6}:)?(?P\S+)
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
 # Values: TEXT
 #
 failregex = LOGIN FAILED, .*, ip=\[\]$
diff --git a/config/filter.d/couriersmtp.conf b/config/filter.d/couriersmtp.conf
index a035e285..f0d696ff 100644
--- a/config/filter.d/couriersmtp.conf
+++ b/config/filter.d/couriersmtp.conf
@@ -11,7 +11,7 @@
 # Notes.: regex to match the password failures messages in the logfile. The
 # host must be matched by a group named "host". The tag "" can
 # be used for standard IP/hostname matching and is only an alias for
-# (?:::f{4,6}:)?(?P\S+)
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
 # Values: TEXT
 #
 failregex = error,relay=,.*550 User unknown
diff --git a/config/filter.d/cyrus-imap.conf b/config/filter.d/cyrus-imap.conf
index 07669113..3a8734ee 100644
--- a/config/filter.d/cyrus-imap.conf
+++ b/config/filter.d/cyrus-imap.conf
@@ -11,7 +11,7 @@
 # Notes.: regex to match the password failures messages in the logfile. The
 # host must be matched by a group named "host". The tag "" can
 # be used for standard IP/hostname matching and is only an alias for
-# (?:::f{4,6}:)?(?P\S+)
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
 # Values: TEXT
 #
 failregex = : badlogin: .*\[\] plaintext .*SASL\(-13\): authentication failure: checkpass failed$
diff --git a/config/filter.d/exim.conf b/config/filter.d/exim.conf
index 98b589be..a25ef3db 100644
--- a/config/filter.d/exim.conf
+++ b/config/filter.d/exim.conf
@@ -11,7 +11,7 @@
 # Notes.: regex to match the password failures messages in the logfile. The
 # host must be matched by a group named "host". The tag "" can
 # be used for standard IP/hostname matching and is only an alias for
-# (?:::f{4,6}:)?(?P\S+)
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
 # Values: TEXT
 #
 failregex = \[\] .*(?:rejected by local_scan|Unrouteable address)
diff --git a/config/filter.d/postfix.conf b/config/filter.d/postfix.conf
index c808b109..8db7faee 100644
--- a/config/filter.d/postfix.conf
+++ b/config/filter.d/postfix.conf
@@ -11,7 +11,7 @@
 # Notes.: regex to match the password failures messages in the logfile. The
 # host must be matched by a group named "host". The tag "" can
 # be used for standard IP/hostname matching and is only an alias for
-# (?:::f{4,6}:)?(?P\S+)
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
 # Values: TEXT
 #
 failregex = reject: RCPT from (.*)\[\]: 554
diff --git a/config/filter.d/proftpd.conf b/config/filter.d/proftpd.conf
index 852fb59c..ec613b94 100644
--- a/config/filter.d/proftpd.conf
+++ b/config/filter.d/proftpd.conf
@@ -11,7 +11,7 @@
 # Notes.: regex to match the password failures messages in the logfile. The
 # host must be matched by a group named "host". The tag "" can
 # be used for standard IP/hostname matching and is only an alias for
-# (?:::f{4,6}:)?(?P\S+)
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
 # Values: TEXT
 #
 failregex = \(\S+\[\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$
diff --git a/config/filter.d/pure-ftpd.conf b/config/filter.d/pure-ftpd.conf
index 1933d6e0..fbbfc2d1 100644
--- a/config/filter.d/pure-ftpd.conf
+++ b/config/filter.d/pure-ftpd.conf
@@ -16,7 +16,7 @@ __errmsg = (?:Authentication failed for user|Erreur d'authentification pour l'ut
 # Notes.: regex to match the password failures messages in the logfile. The
 # host must be matched by a group named "host". The tag "" can
 # be used for standard IP/hostname matching and is only an alias for
-# (?:::f{4,6}:)?(?P\S+)
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
 # Values: TEXT
 #
 failregex = pure-ftpd(?:\[\d+\])?: (.+?@) \[WARNING\] %(__errmsg)s \[.+\]$
diff --git a/config/filter.d/qmail.conf b/config/filter.d/qmail.conf
index 0ae518fc..4d7acd6f 100644
--- a/config/filter.d/qmail.conf
+++ b/config/filter.d/qmail.conf
@@ -11,7 +11,7 @@
 # Notes.: regex to match the password failures messages in the logfile. The
 # host must be matched by a group named "host". The tag "" can
 # be used for standard IP/hostname matching and is only an alias for
-# (?:::f{4,6}:)?(?P\S+)
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
 # Values: TEXT
 #
 failregex = (?:[\d,.]+[\d,.] rblsmtpd: |421 badiprbl: ip )
diff --git a/config/filter.d/sasl.conf b/config/filter.d/sasl.conf
index bff6f92b..5cd8a6d5 100644
--- a/config/filter.d/sasl.conf
+++ b/config/filter.d/sasl.conf
@@ -11,7 +11,7 @@
 # Notes.: regex to match the password failures messages in the logfile. The
 # host must be matched by a group named "host". The tag "" can
 # be used for standard IP/hostname matching and is only an alias for
-# (?:::f{4,6}:)?(?P\S+)
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
 # Values: TEXT
 #
 failregex = (?i): warning: [-._\w]+\[\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$
diff --git a/config/filter.d/sshd-ddos.conf b/config/filter.d/sshd-ddos.conf
index 9720ab4a..4f4b6fa2 100644
--- a/config/filter.d/sshd-ddos.conf
+++ b/config/filter.d/sshd-ddos.conf
@@ -11,7 +11,7 @@
 # Notes.: regex to match the password failures messages in the logfile. The
 # host must be matched by a group named "host". The tag "" can
 # be used for standard IP/hostname matching and is only an alias for
-# (?:::f{4,6}:)?(?P\S+)
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
 # Values: TEXT
 #
 failregex = sshd(?:\[\d+\])?: Did not receive identification string from $
diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
index 596837ba..2c53ee7d 100644
--- a/config/filter.d/sshd.conf
+++ b/config/filter.d/sshd.conf
@@ -20,7 +20,7 @@ _daemon = sshd
 # Notes.: regex to match the password failures messages in the logfile. The
 # host must be matched by a group named "host". The tag "" can
 # be used for standard IP/hostname matching and is only an alias for
-# (?:::f{4,6}:)?(?P\S+)
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
 # Values: TEXT
 #
 failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from \s*$
diff --git a/config/filter.d/vsftpd.conf b/config/filter.d/vsftpd.conf
index d905f825..4fc25777 100644
--- a/config/filter.d/vsftpd.conf
+++ b/config/filter.d/vsftpd.conf
@@ -11,7 +11,7 @@
 # Notes.: regex to match the password failures messages in the logfile. The
 # host must be matched by a group named "host". The tag "" can
 # be used for standard IP/hostname matching and is only an alias for
-# (?:::f{4,6}:)?(?P\S+)
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
 # Values: TEXT
 #
 failregex = vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; .* rhost=(?:\s+user=\S*)?\s*$
diff --git a/config/filter.d/webmin-auth.conf b/config/filter.d/webmin-auth.conf
index ddf081ea..70997e01 100644
--- a/config/filter.d/webmin-auth.conf
+++ b/config/filter.d/webmin-auth.conf
@@ -15,7 +15,7 @@
 # Notes.: regex to match the password failure messages in the logfile. The
 # host must be matched by a group named "host". The tag "" can
 # be used for standard IP/hostname matching and is only an alias for
-# (?:::f{4,6}:)?(?P\S+)
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
 # Values: TEXT
 #
 failregex = webmin.* Non-existent login as .+ from $
diff --git a/config/filter.d/xinetd-fail.conf b/config/filter.d/xinetd-fail.conf
index a60bffd5..e1c1e108 100644
--- a/config/filter.d/xinetd-fail.conf
+++ b/config/filter.d/xinetd-fail.conf
@@ -11,7 +11,7 @@
 # Notes.: regex to match the password failures messages in the logfile. The
 # host must be matched by a group named "host". The tag "" can
 # be used for standard IP/hostname matching and is only an alias for
-# (?:::f{4,6}:)?(?P\S+)
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
 # Values: TEXT
 #
 # Cfr.: /var/log/(daemon\.|sys)log
diff --git a/server/failregex.py b/server/failregex.py
index 398817fd..0a5a0de4 100644
--- a/server/failregex.py
+++ b/server/failregex.py
@@ -44,7 +44,7 @@ class Regex:
 self._matchCache = None
 # Perform shortcuts expansions.
 # Replace "" with default regular expression for host.
- regex = regex.replace("", "(?:::f{4,6}:)?(?P\S+)")
+ regex = regex.replace("", "(?:::f{4,6}:)?(?P[\w\-.^_]+)")
 if regex.lstrip() == '':
 raise RegexException("Cannot add empty regex")
 try:
diff --git a/server/filter.py b/server/filter.py
index bf5d34f8..16c82af4 100644
--- a/server/filter.py
+++ b/server/filter.py
@@ -492,7 +492,7 @@ import socket, struct
 class DNSUtils:
- IP_CRE = re.compile("(?:\d{1,3}\.){3}\d{1,3}")
+ IP_CRE = re.compile("^(?:\d{1,3}\.){3}\d{1,3}$")
 #@staticmethod
 def dnsToIp(dns):
diff --git a/testcases/filtertestcase.py b/testcases/filtertestcase.py
index a90ec468..f738f34a 100644
--- a/testcases/filtertestcase.py
+++ b/testcases/filtertestcase.py
@@ -99,7 +99,7 @@ class GetFailures(unittest.TestCase):
 output = ('193.168.0.128', 3, 1124013599.0)
 self.__filter.addLogPath(GetFailures.FILENAME_01)
- self.__filter.addFailRegex("(?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) (?:::f{4,6}:)?(?P\S*)")
+ self.__filter.addFailRegex("(?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) ")
 self.__filter.getFailures(GetFailures.FILENAME_01)
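Review bot: The replacement on the added line in server/failregex.py is a plain (non-raw) string literal that contains `\w` and `\-`; CPython 2 keeps unrecognised escapes verbatim so the pattern works today, but later interpreters warn on invalid escape sequences and a reader cannot tell at a glance whether the backslashes survive, so the expansion belongs in a raw string, `r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"` (the group name "host" is the one the filter comments refer to). Inside that class the `^` is a literal caret, not an anchor, and `_` is already in `\w`, so `[\w\-.]+` is the form the comment in the filter files should also carry if the caret was unintended. Tightening the class from `\S+` is the defensive point of the change: arbitrary non-blank log text can no longer be captured as the host, which is what the ChangeLog entry refers to. The enclosing method begins above this hunk, so its signature and any other tag expansions are outside view.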
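Review bot: The `$` added at the end of IP_CRE still matches just before a trailing newline, so if the pattern is applied with `match()` or `search()` a value such as `'1.2.3.4\n'` is accepted even though the intent of the anchors is clearly an exact-match check; `\Z` is the strict end-of-string anchor, `IP_CRE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}\Z")`, and the raw-string prefix stops `\d` and `\.` depending on unrecognised-escape behaviour. The pattern also accepts octets above 255 (e.g. `999.1.1.1`), so whatever consumes a match still needs a range check unless one already exists in `dnsToIp`, whose body lies outside the hunk. A one-line comment above the constant, `# Exact-match check for a dotted-quad IPv4 literal; does not validate octet range`, would make the contract explicit for the callers.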
@@ -116,7 +116,7 @@ class GetFailures(unittest.TestCase):
 output = ('141.3.81.106', 4, 1124013539.0)
 self.__filter.addLogPath(GetFailures.FILENAME_02)
- self.__filter.addFailRegex("Failed .* (?:::f{4,6}:)(?P\S*)")
+ self.__filter.addFailRegex("Failed .* from ")
 self.__filter.getFailures(GetFailures.FILENAME_02)
@@ -133,7 +133,7 @@ class GetFailures(unittest.TestCase):
 output = ('203.162.223.135', 6, 1124013544.0)
 self.__filter.addLogPath(GetFailures.FILENAME_03)
- self.__filter.addFailRegex("error,relay=(?:::f{4,6}:)?(?P\S*),.*550 User unknown")
+ self.__filter.addFailRegex("error,relay=,.*550 User unknown")
 self.__filter.getFailures(GetFailures.FILENAME_03)
@@ -151,7 +151,7 @@ class GetFailures(unittest.TestCase):
 ('212.41.96.185', 4, 1124013598.0)]
 self.__filter.addLogPath(GetFailures.FILENAME_04)
- self.__filter.addFailRegex("Invalid user .* (?P\S*)")
+ self.__filter.addFailRegex("Invalid user .* ")
 self.__filter.getFailures(GetFailures.FILENAME_04)
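Review bot: None of the test hunks in this file exercises the behaviour the commit introduces: each one only swaps a hand-written host group for the template, and the expected `output` tuples are untouched context, so neither the narrower host character class nor the newly anchored IP_CRE has a regression test. A log line whose host field carries a character outside `[\w\-.]`, and a dotted quad with trailing junk such as `1.2.3.4x`, should now yield no failure entry, and one test asserting that would pin what the ChangeLog entry promises; the fixtures FILENAME_01..04 are outside the hunk, so the exact line to add depends on their contents. In the `-116` hunk the old regex required the `::ffff:` prefix while the template makes it optional and the new text also demands the word `from`, so if FILENAME_02 mixes prefixed and unprefixed addresses the count on the unchanged `output` line is worth re-checking rather than assumed.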