john
4d8ba7b668
fixed test log file
2017-09-04 11:36:55 +02:00
john
44c4496e49
added sample log files
2017-09-04 11:36:53 +02:00
john
08878d22dd
added zoneminder.conf filter
2017-09-04 11:36:50 +02:00
john
a90f6c4ae8
added zoneminder jail and filter
...
# Conflicts:
# config/jail.conf
2017-09-04 11:36:47 +02:00
sebres
c312962029
filter.d/dovecot.conf: partially cherry-pick to 0.9 PR #1880 from sebres/0.10-fix-dovecot-regex ( d926e11a5c
)
...
fixed failregex (without new mode aggressive)
2017-09-01 10:57:41 +02:00
Serg G. Brester
a287d0a05c
Merge pull request #1872 from kmzby/master
...
Added filter for phpMyAdmin+syslog
2017-08-25 12:22:58 +02:00
Pavel Mihadyuk
4c1abe1cbf
phpmyadmin-syslog: removed excess file, fixed test, updated failregex
2017-08-23 16:56:18 +03:00
Pavel Mihadyuk
d09304b897
phpmyadmin-syslog: added default jail config
2017-08-22 19:00:48 +03:00
Pavel Mihadyuk
41994fcb56
Added filter for phpMyAdmin+syslog (>=4.7.0)
2017-08-22 18:46:40 +03:00
Pavel Mihadyuk
5b4bc2aafd
Added filter for phpMyAdmin+syslog (>=4.7.0). Closes #1713
2017-08-22 18:20:01 +03:00
Serg G. Brester
124e5587c6
Merge pull request #1869 from sebres/fix-gh-1389
...
action.d/bsd-ipfw.conf: replace not posix-compliant grep option
2017-08-18 15:43:05 +02:00
Serg G. Brester
b0e5efb631
bsd-ipfw.conf: sh-compliant redirect of stderr together with stdout
2017-08-18 15:26:09 +02:00
sebres
3be32adefb
Replace not posix-compliant grep option: fgrep with `-q` option can cause 141 exit code in some cases (see gh-1389).
2017-08-18 14:37:29 +02:00
Serg G. Brester
c540217844
Update ChangeLog
...
action.d/cloudflare.conf - Cloudflare API v4 implementation (gh-1651)
2017-08-09 16:34:37 +02:00
Serg G. Brester
c0eb7752a8
Merge pull request #1651 from szepeviktor/patch-9
...
Introduce Cloudflare API v4
2017-08-09 16:28:52 +02:00
Serg G. Brester
2ed8a38eca
Update cloudflare.conf
...
Switch to API v1 to API v4 per default
2017-08-09 16:27:53 +02:00
Serg G. Brester
da7072d40e
Merge pull request #1846 from Chocobozzz/patch-3
...
Fix empty logfile.log in xarf login attack action
2017-08-09 16:21:47 +02:00
Serg G. Brester
af25a9d203
Merge pull request #1566 from opoplawski/journalmatch
...
Add sendmail journalmatch options
2017-08-09 16:14:10 +02:00
Orion Poplawski
84f552881c
Add sendmail journalmatch options
2017-08-09 16:03:34 +02:00
sebres
5c538fb658
Recognize "unknown user" for additional auth-methods (pam, passwd-file, ldap, sql, etc); simplifying regular expressions (put "unknown user" and "invalid credentials" together as one regex).
2017-08-07 18:04:09 +02:00
Bigard Florian
f4551d02c9
Fix empty logfile.log in xarf login attack action
...
Fix empty 3rd MIME part which contains the attack evidence (logfile.log).
2017-07-25 13:44:29 +02:00
Serg G. Brester
babb76cb3c
Merge pull request #1839 from sebres/asterisk-patch
...
Asterisk improvements
2017-07-19 08:50:05 +02:00
sebres
a5b62a7f36
failregex extended and simplified (partially ported from gh-1409).
2017-07-18 16:34:22 +02:00
sebres
098abae4e6
Remove greedy catch-all before `<HOST>`, make regex more universal, fewer prone to errors (should avoid future changes, if some optional parameters coming again before/after `RemoteAddress`) + non-captured groups now.
...
Test for possible injection (5.6.7.8 in session-id) already available, line 59 (thus already covered).
2017-07-18 16:09:53 +02:00
sebres
2ea22b9d30
test coverage for gh-1427
2017-07-18 15:46:53 +02:00
Kirill
4c0c7b97c0
Update asterisk.conf to new log message
...
I got an issue like this:
[2016-05-15 22:53:00] SECURITY[26428] res_security_log.c: SecurityEvent="FailedACL",EventTV="2016-05-15T22:53:00.203+0300",Severity="Error",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x7fb580001518",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/78.129.227.4/62389",SessionTV="1970-01-01T03:00:00.000+0300"
# [sebres] rebased to current master and resolving conflicts.
2017-07-18 15:40:32 +02:00
Serg G. Brester
99b668a3cc
Merge pull request #1390 from khumarahn/xxx
...
ensure /var/run/fail2ban is created in systemd service file
2017-07-11 15:53:42 +02:00
Serg G. Brester
5dcbcb99b9
Merge pull request #1648 from hlein/master
...
gentoo-initd: wait up to 30 seconds on "stop" to avoid errors.
2017-07-11 15:41:48 +02:00
Serg G. Brester
d05d9f4c28
Merge pull request #1816 from sebres/fix-gh-1302
...
filter.d/asterisk.conf - fixed failregex AMI Asterisk authentification failed
2017-07-03 12:59:46 +02:00
sebres
a1d0633e69
filter.d/asterisk.conf - fixed failregex AMI Asterisk authentification failed (see gh-1302):
...
- optional space between NOTICE and pid;
- optional part "Host " before IP-address;
2017-07-03 12:57:28 +02:00
sebres
9f55ed86df
fixed testCymruInfoNxdomain (since cymru does not provide ASN mapping info for "10.0.0.0" anymore)
2017-07-03 12:41:54 +02:00
Serg G. Brester
205edff65d
Merge pull request #1690 from chtheis/master
...
#1689 : Make lowest rule number in action.d/bsd-ipfw.conf configurable
2017-07-01 17:16:50 +02:00
Serg G. Brester
f27e053592
Update bsd-ipfw.conf
...
increased starting rule number (lowest_rule_num = 111)
2017-07-01 17:10:53 +02:00
Serg G. Brester
001c0898d6
Merge branch 'master' into master
2017-06-30 18:07:38 +02:00
Serg G. Brester
6110ba9cc3
filter.d/proftpd.conf: added option `journalmatch` for systemd backend (closes gh-1613)
2017-06-30 18:00:01 +02:00
Serg G. Brester
d54c40bba5
Merge pull request #1805 from sebres/fix-gh-1790
...
filter.d/apache-overflows.conf: rewritten without end-anchor ($)...
2017-06-15 11:48:45 +02:00
sebres
e1234a5249
ChangeLog update
2017-06-15 11:47:16 +02:00
sebres
2b358bc1a4
filter.d/apache-overflows.conf: rewritten without end-anchor ($), because apache-log could contain very long URLs (and/or referrer), the parsing of it anchored way may be very vulnerable (at least as regards the system resources, see gh-1790).
2017-06-15 11:16:19 +02:00
Serg G. Brester
08591a52a4
Merge pull request #1796 from peternowee/fix-dovecot-empty-user
...
dovecot: revert `<[^>]+>` back to `<[^>]*>` - allows empty user again [mistakenly changed in 5678d08
]
2017-05-31 19:03:34 +02:00
Peter Nowee
b93e47b12f
dovecot: Match also when user field is empty
...
Commit 5678d08
of 2016-11-26 changed:
( user=<\S*>,)?
to:
( user=<[^>]+>,)?
The change from `*` (zero or more times) to `+` (one or more times) may
not have been intended. It will miss lines containing, for example:
Aborted login (tried to use disallowed plaintext auth): user=<>
This commit reverts the `+` back to `*`.
2017-05-31 15:54:30 +02:00
Serg G. Brester
5214c1c5d1
Update changelog (gh-1455)
2017-05-30 20:31:48 +02:00
Marcel Bischoff
228d25c548
Update Kerio Connect filter ( #1455 )
...
* Update Kerio Connect filter
Fixed regex for some log entries that did not get recognized and some additional error formats are added.
* Add missing colon, GitHub address
* Add filter tests
* Add missing test
2017-05-30 20:27:44 +02:00
sebres
c7ddf1f940
[systemd-backend] implicit closing journal descriptor by stop filter.
...
Partially cherry-picked from 0.10 (d153555a07
)
2017-05-19 15:36:06 +02:00
sebres
0a707d0302
Merge branch 'travis-fix-pypy'
2017-05-15 16:41:22 +02:00
sebres
f099558bcf
try to fix travis build for pypy3 (after switch to 'pypy3.3-5.2-alpha1' the test cases seems to never run anymore).
2017-05-15 16:32:41 +02:00
Filippo Tessarotto
ff1c6718da
Postfix RBL: 554 & SMTP
...
Cherry-pick of 607568f5da
(see gh-1686)
2017-05-15 14:42:37 +02:00
Yaroslav Halchenko
407b2ea936
life is going on
2017-05-11 11:17:27 -04:00
Yaroslav Halchenko
bc60d6feb6
Merge remote-tracking branch 'origin/master'
...
* origin/master:
exim test cases extended: cover short form of the logging (without session-id, gh-1771)
2017-05-11 11:13:07 -04:00
sebres
a5cdb9c977
exim test cases extended: cover short form of the logging (without session-id, gh-1771)
2017-05-11 09:10:45 +02:00
Yaroslav Halchenko
35280044ff
Preparing for 0.9.7 release
2017-05-10 21:38:57 -04:00