ENH: tune up sshd-ddos to use common.conf and allow training spaces

config/filter.d/sshd-ddos.conf

@@ -2,11 +2,17 @@
 #
 # Author: Yaroslav Halchenko
 #
-# $Revision$
-#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
 
 [Definition]
 
+_daemon = sshd
+
 # Option:  failregex
 # Notes.:  regex to match the password failures messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
@@ -14,7 +20,7 @@
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
-failregex = sshd(?:\[\d+\])?: Did not receive identification string from <HOST>$
+failregex = ^%(__prefix_line)sDid not receive identification string from <HOST>\s*$
 
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.

testcases/files/logs/sshd-ddos

@@ -0,0 +1,2 @@
+# http://forums.powervps.com/showthread.php?t=1667
+Jun 7 01:10:56 host sshd[5937]: Did not receive identification string from 69.61.56.114