From f2ae20a3b889df7d996130fb9aba22aab7eebe6b Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Sun, 29 Sep 2013 17:44:45 +1000
Subject: [PATCH] BF: filter.d/sshd group on md5hex and () for serial needed to be escaped
---
 config/filter.d/sshd.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
index 17760c33..8b8c660f 100644
--- a/config/filter.d/sshd.conf
+++ b/config/filter.d/sshd.conf
@@ -23,11 +23,11 @@ _daemon = sshd
 # Values: TEXT
 #
 #
-md5hex = [\da-f]{2}:){15}[\da-f]{2}
+md5hex = ([\da-f]{2}:){15}[\da-f]{2}
 failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from ( via \S+)?\s*$
 ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from \s*$
- ^%(__prefix_line)sFailed \S+ for .* from (?: port \d*)?(?: ssh\d*)?(: (ruser .{0,100}|(\S+ ID \S+ (serial \d+) CA )?\S+ (%(md5hex)s(, client user ".{0,100}", client host ".{0,100}")?))?\s*$
+ ^%(__prefix_line)sFailed \S+ for .* from (?: port \d*)?(?: ssh\d*)?(: (ruser .{0,100}|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(md5hex)s(, client user ".{0,100}", client host ".{0,100}")?))?\s*$
 ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM \s*$
 ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from \s*$
 ^%(__prefix_line)sUser .+ from not allowed because not listed in AllowUsers\s*$
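Review bot: The group added to `md5hex` is a capturing one, and because the value is interpolated into the `Failed \S+ for` failregex, where no use is made of that capture, a non-capturing form is the safer definition: `md5hex = (?:[\da-f]{2}:){15}[\da-f]{2}`. Before this fix the unescaped `(serial \d+)` could not match the literal parentheses, so failed certificate logins in that format presumably went unmatched and were never counted toward a ban; a sample log line with `(serial N) CA` in the filter's test data (not visible in this patch) would catch a regression. A one-line comment above `md5hex` saying it matches a colon-separated MD5 key fingerprint would also help. The reason is that the tail is optional but the pattern is anchored with `\s*$`, so a fingerprint printed in any other format leaves the whole `Failed` line unmatched.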