13520a0494
Merge branch '0.11'
2022-02-09 15:45:17 +01:00
f380d6202d
cherry pick #3210 from master
2022-02-09 15:43:21 +01:00
498e473a10
filter.d/courier-auth.conf: consider optional port after IP, regex is rewritten without catch-all's and right anchor, so it is more stable against further modifications now;
...
closes #3211
2022-02-09 12:18:23 +01:00
810386a265
filter.d/dovecot.conf: parse everything in parenthesis by auth-worker info, e. g. can match (pid=...,uid=...) too
...
(amend to 92f90038fa
2022-02-08 19:21:37 +01:00
dfc866ea41
improve RE to solve conflict with expected another open parenthesis
2022-01-27 17:50:28 +01:00
0f1706d4a1
Adjusting for updated dovecot log format
...
This should now match:
`Disconnected: Connection closed: read(size=1003) failed: Connection reset by peer (auth failed, 1 attempts in 0 secs): user=<sales@karolyi.hu>, rip=183.111.188.94, lip=127.0.0.19, session=<Lsz0Oo7WXti3b7xe>`
the issue is the `read(size=1003)` that probably has been added lately and which causes the rule not to discover the log message.
2022-01-27 11:28:20 +00:00
970573d1cb
Merge branch '0.11'
2022-01-18 16:17:49 +01:00
bf689c27b8
filter.d/sshd.conf: `ddos` mode extended - recognizes messages "kex_exchange_identification: Connection closed / reset by pear" (fixed possible regression of f77398c49d);
...
closes gh-3086
2022-01-18 15:42:35 +01:00
8bf15db688
filter.d/sshd.conf: `ddos` mode extended - recognizes new message "banner exchange: invalid format" generated by port scanner, https payload on ssh port;
...
closes gh-3169
2022-01-18 15:41:27 +01:00
80805cabfc
Merge branch '0.11'
2021-11-03 16:01:00 +01:00
ba839af8ad
filter.d/lighttpd-auth.conf: adjusted to the current source code + avoiding catch-all's, etc (gh-3116)
2021-10-01 15:03:24 +02:00
579c6a94af
filter.d/postfix.conf: mode `ddos` (and `aggressive`) extended to consider abusive handling of clients hitting command limit (gh-3040)
2021-06-10 15:23:24 +02:00
43f2923fbd
filter.d/postfix.conf: matches rejects with "undeliverable address" (sender/recipient verification, gh-3039) additionally to "Unknown user";
...
both are configurable now via extended parameter and can be disabled using `exre-user=` supplied in filter parameters
2021-06-10 15:06:54 +02:00
38535b0cca
Merge branch '0.11' into master
2021-05-29 21:25:24 +02:00
92f90038fa
filter.d/dovecot.conf: extended to match prefix like `conn unix:auth-worker (uid=143): auth-worker<13247>:` (authenticate from external service like exim), gh-2553
2021-05-29 21:12:34 +02:00
8b984a0135
filter.d\exim-common.conf: pid-prefix extended to match `mx1 exim[...]:` (gh-2553)
2021-05-29 20:47:56 +02:00
6be1a5a0b1
filter.d/dovecot.conf: fixed "Authentication failure" regex, matches "Password mismatch" in title case (gh-2880)
2021-05-29 20:25:28 +02:00
8afea37494
filter.d/sendmail-auth.conf: covering several "authentication failure" messages, sendmail 8.16.1 (gh-2757)
2021-05-29 20:09:57 +02:00
c5f1598a21
filter.d/postfix.conf: extended to cover new vectors:
...
- reject: BDAT/DATA from (gh-2927)
- (since regex is more precise now) token selector changed to `[A-Z]{4}`, e. g. no matter what a command is supplied now (RCPT, EHLO, VRFY, DATA, BDAT or something else)
- matches "Command rejected" and "Data command rejected" now
2021-05-29 19:48:24 +02:00
ae3e9b9149
filter.d/postfix.conf: extended to cover 2 new vectors:
...
- RCPT from unknown, 504 5.5.2, need fully-qualified hostname, gh-2995
- 550 5.7.25 Client host rejected, gh-2996
review combining several regex to single one
2021-05-29 19:21:27 +02:00
87f717e0e0
filter.d/sendmail-reject.conf: fix reverse DNS for ... (gh-3012)
2021-05-29 18:45:59 +02:00
3d52fe3e4e
Merge pull request #2679 from mikaku/updated-to-latest-jail.conf
...
Add new jail (and filter) Monitorix
2021-05-27 12:17:16 +02:00
0a05dbdbfc
Merge branch '0.11' into master
2021-05-25 23:19:25 +02:00
1627d4f573
filter.d/sendmail-auth.conf: user not found, closes gh-3030
2021-05-25 23:16:29 +02:00
f07e0f7ade
Merge pull request #2984 from j-marz/zoneminder_filter_update
...
Zoneminder filter update
2021-05-21 13:03:33 +02:00
ec4e0dd65b
padding with space, prefregex, regex review (simplifying, capture user name, consider possible space char in user name)
2021-05-21 13:00:24 +02:00
2367ad115c
fixed typo in comment
2021-05-20 09:15:45 +10:00
3f9cf27853
filter.d/apache-fakegooglebot.conf: better, more precise regex and datepattern (closes possible weakness like #3013 )
2021-05-11 13:47:48 +02:00
71ce548117
Merge branch '0.11'
2021-04-27 14:05:53 +02:00
f0214b3d36
filter.d/sendmail-reject.conf: fixed regex to consider "Connection rate limit exceeded" with different combination of arguments
2021-04-20 18:13:40 +02:00
ab0847e2d5
more precise anchored RE (also combining all 3 REs in a single regex)
2021-04-14 13:06:58 +02:00
7d173b7ce0
Merge branch 'master' into updated-to-latest-jail.conf
2021-04-13 20:24:08 +02:00
dda70d60c0
Merge branch 'master' into master
2021-04-04 00:04:08 +02:00
4eba9f2a4b
Merge pull request #2950 from sunweaver/pr/scanlogd-filter
...
Add support for filtering out detected port scans via scanlogd.
2021-04-03 23:36:14 +02:00
977dfe4bd7
small amend: sport after saddr is optional
...
format of message: saddr[:sport] to daddr [and others,] ports port[, port...], ..., flags[, TOS TOS][, TTL TTL] @HH:MM:SS
2021-04-03 23:29:16 +02:00
14edeed310
fixed regex (don't need to match whole line, e. g. every port etc)
2021-04-03 23:24:55 +02:00
080dd12288
Merge pull request #2965 from oukb/patch-1
...
nsd.conf: fix for the current log format
2021-04-03 21:02:03 +02:00
a838deba7f
restore anchor (e. g. catch all in the middle), dot is optional now, RE rewritten a bit more precise
2021-04-03 21:00:14 +02:00
7f38b80d35
precise regex (left anchor and fewer catch-all's); fixed tests (added failJSON and more tests for some corner-cases around new RE)
2021-04-03 20:16:47 +02:00
9eaa2322b0
Filter and Defaults for Microsoft SQL Server
2021-04-03 19:30:29 +02:00
5aa20c30d8
fix: add journalmatch to nginx filters
2021-04-03 19:20:50 +02:00
5d8f500471
updated formatting to pass tests
2021-03-29 08:36:53 +11:00
2686811593
Updated zoneminder filter
...
Support new log format, ERR instead of WAR. Add detection of non-existent user login attempts
2021-03-28 21:19:10 +11:00
529866b2bb
nsd.conf: fix for the current log format
...
New nsd 4.3.5 log format:
| [2021-03-05 05:25:14.562] nsd[160800]: info: axfr for example.com. from 192.35.168.32 refused, no acl matches
| [2021-03-06 05:24:33.223] nsd[356033]: info: axfr for localhost. from 192.35.168.160 refused, no acl matches
| [2021-03-07 05:23:26.641] nsd[547893]: info: axfr for example.com. from 192.35.168.64 refused, no acl matches
| [2021-03-08 05:18:54.067] nsd[739606]: info: axfr for example.com. from 192.35.168.32 refused, no acl matches
2021-03-08 19:14:28 +03:00
f15ed35619
config/: Add support for filtering out detected port scans via scanlogd.
2021-03-05 16:35:13 +01:00
fb08534ed7
Merge branch '0.11'
2021-03-03 18:17:35 +01:00
a45b1c974c
filter.d/ignorecommands/apache-fakegooglebot: added timeout parameter (default 55 seconds) - avoid fail with timeout (default 1 minute) by reverse lookup on some slow DNS services (googlebots must be resolved fast);
...
closes gh-2951
2021-03-02 19:35:27 +01:00
a2f0dbad87
Merge pull request #2742 from aresxc/patch-1
...
Update drupal-auth.conf
2021-02-11 19:10:55 +01:00
d678440658
more precise RE (avoids weakness with catch-all's and is injection safe)
2021-02-11 18:32:32 +01:00
dc4ee5aa47
Add transport to asterisk RE
...
Call rejection messages from Asterisk can have the transport prefixed to the IP address.
Signed-off-by: Brian J. Murrell <brian@interlinx.bc.ca>
2021-01-31 15:22:16 +01:00
sebres