sebres
62b1712d22
amend to #2387 :
...
- common.conf: rewritten using section-based handling round about option logtype;
- option `logtype` extended with `rfc5424` to cover RFC 5424 log-format (see #2309 );
2019-07-09 21:48:43 +02:00
sebres
e268bf97d4
introduces new configuration parameter "logtype" (default "file" for file-backends, and "journal" for journal-backends);
...
common.conf: differentiate "__prefix_line" for file/journal logtype's (speedup and fix parsing of systemd-journal);
samplestestcase.py: extends testSampleRegexsFactory to allow coverage of journal logtype;
closes gh-2383: asterisk can log timestamp if logs into systemd-journal (regex extended with optional part matching this)
2019-03-29 14:23:57 +01:00
sebres
9ed35c423a
Merge branch '0.9' into 0.10 (gh-2317)
2019-02-21 20:13:54 +01:00
Yannik Sembritzki
6b4404b1bc
Fix asterisk filter not catching attackers when port is logged ( Fixes #2316 )
2019-01-03 23:55:42 +01:00
sebres
8c291cad38
filter.d/asterisk.conf: fixed failregex prefix by log over remote syslog server (gh-2060)
2018-03-02 09:17:04 +01:00
sebres
c30144b37a
Merge branch '0.9' into 0.10
...
# Conflicts:
# config/action.d/firewallcmd-ipset.conf
# config/filter.d/asterisk.conf
# Merge-point after cherry-pick, no changes:
# fail2ban/client/jailreader.py
# fail2ban/helpers.py
2018-01-10 12:05:26 +01:00
Yannik Sembritzki
94f0b15c32
Allow faster parsing of hosts without ' characters in them
2018-01-08 14:54:32 +01:00
Yannik Sembritzki
b28dfb965a
Fix filter not catching asterisk requests with quote character in username ( fixes #2010 )
2018-01-03 18:39:30 +01:00
sebres
0e66e3cc57
Merge branch 'master' into 0.10
...
# Conflicts:
# config/filter.d/asterisk.conf
2017-10-18 19:00:23 +02:00
Michael Newton
d5d1fe679f
Remove invalid regex
...
Resolves #1927
2017-10-17 14:44:23 -07:00
sebres
1a562bed0f
Merge remote-tracking branch 'master' into 0.10
...
# Conflicts:
# config/filter.d/asterisk.conf
2017-07-19 08:57:23 +02:00
sebres
a5b62a7f36
failregex extended and simplified (partially ported from gh-1409).
2017-07-18 16:34:22 +02:00
sebres
098abae4e6
Remove greedy catch-all before `<HOST>`, make regex more universal, fewer prone to errors (should avoid future changes, if some optional parameters coming again before/after `RemoteAddress`) + non-captured groups now.
...
Test for possible injection (5.6.7.8 in session-id) already available, line 59 (thus already covered).
2017-07-18 16:09:53 +02:00
Kirill
4c0c7b97c0
Update asterisk.conf to new log message
...
I got an issue like this:
[2016-05-15 22:53:00] SECURITY[26428] res_security_log.c: SecurityEvent="FailedACL",EventTV="2016-05-15T22:53:00.203+0300",Severity="Error",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x7fb580001518",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/78.129.227.4/62389",SessionTV="1970-01-01T03:00:00.000+0300"
# [sebres] rebased to current master and resolving conflicts.
2017-07-18 15:40:32 +02:00
sebres
546cd55342
Merge branch 'master' into 0.10
2017-07-03 13:02:25 +02:00
sebres
a1d0633e69
filter.d/asterisk.conf - fixed failregex AMI Asterisk authentification failed (see gh-1302):
...
- optional space between NOTICE and pid;
- optional part "Host " before IP-address;
2017-07-03 12:57:28 +02:00
sebres
22afdbd536
Several filters optimized with pre-filtering using new option `prefregex`
2017-02-21 15:54:59 +01:00
sebres
ab0ac2111c
added possibility to specify more precise default date pattern:
...
- `datepattern = {^LN-BEG}` - only line-begin anchored default patterns
(matches date only at begin of line, or with max distance up to 2 non-alphanumeric characters from line-begin);
- `datepattern = {*WD-BEG}` - only word-begin anchored default patterns;
- `datepattern = ^prefix{DATE}suffix` - exact specified default patterns (using prefix and suffix);
common filter configs gets a more precise, line-begin anchored (datepattern = {^LN-BEG}) resp. custom anchoring default date-patterns;
2016-10-17 11:18:30 +02:00
sebres
4a1d720344
filter.d/asterisk.conf: another part ` chan_sip.c:28468 handle_request_register:` in log prefix
2016-08-22 14:10:50 +02:00
sebres
f5f204ca7c
Improved changes of gh-1458:
...
`[^']*` after callid was wrong, changed to `[^\)]*`;
regexp anchored at the end;
almost the same regex grouped to one;
Closes #1458
2016-07-08 11:45:25 +02:00
nturcksin
72a157b8f2
Improve PJSIP log support for asterisk 13+ with different callID (Squash gh-1458)
...
Change the asterisk pjsip filter to don't take the callId part
Add optional part between "Request" and "from"
Listed all log message from asterisk
2016-07-08 11:45:22 +02:00
Ludovic Gasc
f85fb45b29
Asterisk pjsip ( #1456 )
...
* Improve PJSIP log support for Asterisk 13+
* Update changelog: filter.d/asterisk.conf - fix security log support for PJSIP and Asterisk 13+
* Change pjsip regexp with sebres observation, thanks to @nturcksin
2016-06-07 11:40:35 +02:00
sebres
cb4f9be8b2
the date brackets removed from filters using `__prefix_line`, because `__prefix_line` already contains the date ambit;
2016-05-17 11:55:02 +02:00
sebres
d8e81eb417
regexp rewritten (few vulnerable as previous) + test case added
2016-02-08 12:01:25 +01:00
3eBoP
257b7049d8
Update asterisk filter: changed regex for "Call from ...". Sometimes extension can have a plus symbol (+) because they can be phone number.
...
Closes #1309
2016-02-08 11:51:37 +01:00
Ivan Poddubny
7a4e6fa6e5
Asterisk security log: add support for websocket protocol events
...
Thanks to @kcormier.
2015-05-25 08:13:30 +03:00
Ivan Poddubny
988d9a08da
Asterisk security log: accept events containing Response/ExpectedResponse
...
Event containing Challenge may come without ReceivedChallenge, but with
Response and ExpectedResponse.
Also Challenge now accepts '/' character, since it is used at least by PJSIP.
2015-05-25 08:12:51 +03:00
Ivan Poddubny
189265a323
Asterisk security log: accept SessionID of PJSIP events
...
Unlike chan_sip and manager, PJSIP populates SessionID using
Call-Id header of a related SIP message.
As Call-Id of a SIP message can contain almost anything,
the regular expression for SessionID has been loosened.
2015-05-25 08:11:34 +03:00
Ivan Poddubny
ab2ac1a367
Asterisk security log: accept <unknown> in AccountID
2015-05-24 12:47:55 +03:00
Ivan Poddubny
977f9955e7
Asterisk security log: accept EventTV in ISO8601
...
Asterisk uses ISO8601 dates in security log since version 12.
Closes #988
2015-05-24 12:46:54 +03:00
Lee Clemens
72f4bcfbff
Match hacking attempt IP instead of asterisk server IP ( closes #1000 )
2015-03-24 19:03:26 -04:00
Daniel Black
77fda9498c
ENH: pull asterisk filter change to support syslog from 0.9 branch
2014-03-14 23:15:46 +11:00
Tomas Pihl
b52a4441fd
Support ACL-events without AccountID. Typically happens when a registration
...
from an unknown domain is performed.
Add credits
2014-01-12 01:28:55 +01:00
Daniel Black
eb9663eb4f
BF/ENH: asterisk connection ID is a hex not decimal number. Add "Rejecting unknown SIP connection from <HOST>" regex thanks to Jonathan Lanning
2013-11-12 09:22:41 +11:00
Daniel Black
d7560d4041
ENH: condense asterisk regexs for speed
2013-11-08 10:24:50 +11:00
Daniel Black
89fd792dfb
DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page
2013-10-31 00:02:59 +11:00
Jamyn Shanley
8936f2cd02
fail2ban-users: Sebastian Arcus - Detect device auth failures on Asterisk 11
2013-07-27 00:06:06 +00:00
Daniel Black
619603fe05
BF: match asterisk InvalidPassword correctly
2013-07-07 17:48:20 +10:00
Daniel Black
0086a7edab
ENH: missed a $
2013-06-29 11:30:37 +10:00
Daniel Black
fa7a105483
ENH: filter.d/asterisk - consolidate log prefix regex and add a few fail messages
2013-06-27 09:16:14 +10:00
Yaroslav Halchenko
09302c5c25
ENH: asterisk -- use \S instead of [^:] + prefix failregex with ^\[
...
detected date portion is stripped from the string to be matched, so it is not only
the right ] is left, but also the left one ;-)
2013-06-13 23:15:48 -04:00
Daniel Black
6a09ecff5c
ENH: anchor a bit mor. Use \d and \w where possible. Escape a literal .
2013-06-14 08:41:50 +10:00
Carlos Alberto Lopez Perez
47b063b022
Filter Asterisk: Add AUTH_UNKNOWN_DOMAIN error to list
...
* I have been seeing bruteforcing attempts where asterisk fails with
AUTH_UNKNOWN_DOMAIN (Not a local domain)
2013-06-10 19:50:35 +02:00
Daniel Black
05c88bd85d
ENH: purge a few more .*
2013-05-30 11:34:04 +10:00
Daniel Black
4cf402d60e
ENH/BF: constrain regex. Fix ACL error regex
2013-05-30 10:15:58 +10:00
Daniel Black
0f7b609336
ENH: port optional
2013-05-30 09:43:39 +10:00
silviogarbes
5c8fb68a2c
Update asterisk.conf
...
Para ficar compatível com asterisk 11
2013-05-14 08:04:11 -03:00
Daniel Black
495f2dd877
DOC: purge of svn tags
2013-05-03 16:03:38 +10:00
Xavier Devlamynck
8c00ce0a65
Add the INCLUDE section to use __pid_re feature
2012-02-28 17:28:06 +01:00
Xavier Devlamynck
c679a1a588
Change NOTICE by NOTICE%(__pid_re)s
2012-02-21 18:05:53 +01:00