From 2d4b82c67005070599651c8910f0934903618e4c Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko
Date: Thu, 10 Sep 2009 10:41:09 -0400
Subject: [PATCH 1/4] BF: escaping (). Thanks Teodor (Closes: #544744)
---
 config/filter.d/pure-ftpd.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/filter.d/pure-ftpd.conf b/config/filter.d/pure-ftpd.conf
index fbbfc2d1..345780dc 100644
--- a/config/filter.d/pure-ftpd.conf
+++ b/config/filter.d/pure-ftpd.conf
@@ -19,7 +19,7 @@ __errmsg = (?:Authentication failed for user|Erreur d'authentification pour l'ut
 # (?:::f{4,6}:)?(?P[\w\-.^_]+)
 # Values: TEXT
 #
-failregex = pure-ftpd(?:\[\d+\])?: (.+?@) \[WARNING\] %(__errmsg)s \[.+\]$
+failregex = pure-ftpd(?:\[\d+\])?: \(.+?@\) \[WARNING\] %(__errmsg)s \[.+\]\s*$
 # Option: ignoreregex
 # Notes.: regex to ignore. If this regex matches, the line is ignored.
From 3389184f410720f37695b367a51c2414d3f4b722 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko
Date: Thu, 10 Sep 2009 11:15:38 -0400
Subject: [PATCH 2/4] BF: be able to detect time for VNC recording only 2 letters of year (closes: #537610)
---
 server/datedetector.py | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/server/datedetector.py b/server/datedetector.py
index 6ee6870d..b67b49ba 100644
--- a/server/datedetector.py
+++ b/server/datedetector.py
@@ -71,6 +71,13 @@ class DateDetector:
 template.setRegex("\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}")
 template.setPattern("%d/%m/%Y %H:%M:%S")
 self.__templates.append(template)
+ # previous one but with year given by 2 digits
+ # (See http://bugs.debian.org/537610)
+ template = DateStrptime()
+ template.setName("Day/Month/Year Hour:Minute:Second")
+ template.setRegex("\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}")
+ template.setPattern("%d/%m/%y %H:%M:%S")
+ self.__templates.append(template)
 # Apache format [31/Oct/2006:09:22:55 -0000]
 template = DateStrptime()
 template.setName("Day/MONTH/Year:Hour:Minute:Second")
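Review bot: In the new pure-ftpd `failregex`, the `.+?` inside the now-escaped parentheses is not limited to the parenthesised field and the pattern has no left anchor, so the wildcard can run past `)` while it looks for `@`. The bracketed user name that ends the line is supplied by the client, so loose wildcards in a rule that decides bans are worth tightening; a bounded class, `\([^)]+@` in place of `\(.+?@`, would keep the match inside that one field. The host capture is not visible between `@` and `\)` in this rendering, so check the suggestion against the file itself. The added `\s*` before `$` is not mentioned in the subject line; a comment above the option such as `# \s*$ tolerates trailing whitespace at the end of the log line` would record why it is there.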
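Review bot: The template added in server/datedetector.py reuses the name `Day/Month/Year Hour:Minute:Second` of the four-digit-year template just above it, so anything that reports templates by name cannot tell the two apart; a distinct name such as `template.setName("Day/Month/Year2 Hour:Minute:Second")` would avoid that. The regex and the `%d/%m/%y` pattern also treat every `NN/NN/NN` stamp as day-first, so a log source that writes the month first would either fail to parse or get a wrong date, which presumably affects whether its failures fall inside the counting window. The comment could say so, e.g. `# day/month/2-digit year, as in the log from Debian bug 537610`. The enclosing method starts and ends outside the hunk.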
From 7721695f444946a31de58904d549c848278835ee Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko
Date: Thu, 9 Jul 2009 00:20:53 -0400
Subject: [PATCH 3/4] BF: Allow for trailing spaces in proftpd logs (closes: #507986)
---
 config/filter.d/proftpd.conf | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/config/filter.d/proftpd.conf b/config/filter.d/proftpd.conf
index ec613b94..eb43a14d 100644
--- a/config/filter.d/proftpd.conf
+++ b/config/filter.d/proftpd.conf
@@ -14,10 +14,10 @@
 # (?:::f{4,6}:)?(?P[\w\-.^_]+)
 # Values: TEXT
 #
-failregex = \(\S+\[\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$
- \(\S+\[\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$
- \(\S+\[\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$
- \(\S+\[\]\)[: -]+ Maximum login attempts \(\d+\) exceeded$
+failregex = \(\S+\[\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+ *$
+ \(\S+\[\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\. *$
+ \(\S+\[\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\. *$
+ \(\S+\[\]\)[: -]+ Maximum login attempts \(\d+\) exceeded *$
 # Option: ignoreregex
 # Notes.: regex to ignore. If this regex matches, the line is ignored.
From 5ed0f7f90aa748e1d64879d1b81df447702cc190 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko
Date: Thu, 10 Sep 2009 12:04:42 -0400
Subject: [PATCH 4/4] BF: proftpd filter -- if login failed -- count regardless of the reason for failure
---
 config/filter.d/proftpd.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/filter.d/proftpd.conf b/config/filter.d/proftpd.conf
index eb43a14d..55a15da9 100644
--- a/config/filter.d/proftpd.conf
+++ b/config/filter.d/proftpd.conf
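Review bot: The four proftpd patterns changed in patch 3/4 accept only literal spaces before `$` (` *$`), while the pure-ftpd filter changed in patch 1/4 uses `\s*$`; a tab or a stray carriage return at the end of a proftpd line would still leave the failure uncounted. Using `\s*$` on all four lines would keep the two filters consistent, e.g. `\(Login failed\): Incorrect password\.\s*$`. The host tag expected inside `\[\]` is not visible in this rendering, so the fragment is quoted as it appears here.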
@@ -15,7 +15,7 @@
 # Values: TEXT
 #
 failregex = \(\S+\[\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+ *$
- \(\S+\[\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\. *$
+ \(\S+\[\]\)[: -]+ USER \S+ \(Login failed\): .*$
 \(\S+\[\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\. *$
 \(\S+\[\]\)[: -]+ Maximum login attempts \(\d+\) exceeded *$
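Review bot: With `\(Login failed\): .*$` every reason text now counts towards a ban, but nothing in the file records that the wildcard is deliberate or which reasons it is meant to cover. A comment above the `failregex` option such as `# any "(Login failed)" reason counts, not only "Incorrect password."` would document it. If proftpd also logs "Login failed" for causes other than a wrong credential (the page does not list the possible reasons), those clients will now be banned as well, so the change is worth confirming against real log samples.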