sebres
9e28b6c65f
filter.d/asterisk.conf: relaxing protocol RE-part before IP in RemoteAddress (gh-2531)
5 years ago
sebres
62b1712d22
amend to #2387 :
...
- common.conf: rewritten using section-based handling round about option logtype;
- option `logtype` extended with `rfc5424` to cover RFC 5424 log-format (see #2309 );
5 years ago
sebres
e268bf97d4
introduces new configuration parameter "logtype" (default "file" for file-backends, and "journal" for journal-backends);
...
common.conf: differentiate "__prefix_line" for file/journal logtype's (speedup and fix parsing of systemd-journal);
samplestestcase.py: extends testSampleRegexsFactory to allow coverage of journal logtype;
closes gh-2383: asterisk can log timestamp if logs into systemd-journal (regex extended with optional part matching this)
6 years ago
sebres
9ed35c423a
Merge branch '0.9' into 0.10 (gh-2317)
6 years ago
Yannik Sembritzki
6b4404b1bc
Fix asterisk filter not catching attackers when port is logged ( Fixes #2316 )
6 years ago
sebres
8c291cad38
filter.d/asterisk.conf: fixed failregex prefix by log over remote syslog server (gh-2060)
7 years ago
sebres
c30144b37a
Merge branch '0.9' into 0.10
...
# Conflicts:
# config/action.d/firewallcmd-ipset.conf
# config/filter.d/asterisk.conf
# Merge-point after cherry-pick, no changes:
# fail2ban/client/jailreader.py
# fail2ban/helpers.py
7 years ago
Yannik Sembritzki
94f0b15c32
Allow faster parsing of hosts without ' characters in them
7 years ago
Yannik Sembritzki
b28dfb965a
Fix filter not catching asterisk requests with quote character in username ( fixes #2010 )
7 years ago
sebres
0e66e3cc57
Merge branch 'master' into 0.10
...
# Conflicts:
# config/filter.d/asterisk.conf
7 years ago
Michael Newton
d5d1fe679f
Remove invalid regex
...
Resolves #1927
7 years ago
sebres
1a562bed0f
Merge remote-tracking branch 'master' into 0.10
...
# Conflicts:
# config/filter.d/asterisk.conf
7 years ago
sebres
a5b62a7f36
failregex extended and simplified (partially ported from gh-1409).
7 years ago
sebres
098abae4e6
Remove greedy catch-all before `<HOST>`, make regex more universal, fewer prone to errors (should avoid future changes, if some optional parameters coming again before/after `RemoteAddress`) + non-captured groups now.
...
Test for possible injection (5.6.7.8 in session-id) already available, line 59 (thus already covered).
7 years ago
Kirill
4c0c7b97c0
Update asterisk.conf to new log message
...
I got an issue like this:
[2016-05-15 22:53:00] SECURITY[26428] res_security_log.c: SecurityEvent="FailedACL",EventTV="2016-05-15T22:53:00.203+0300",Severity="Error",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x7fb580001518",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/78.129.227.4/62389",SessionTV="1970-01-01T03:00:00.000+0300"
# [sebres] rebased to current master and resolving conflicts.
7 years ago
sebres
546cd55342
Merge branch 'master' into 0.10
8 years ago
sebres
a1d0633e69
filter.d/asterisk.conf - fixed failregex AMI Asterisk authentification failed (see gh-1302):
...
- optional space between NOTICE and pid;
- optional part "Host " before IP-address;
8 years ago
sebres
22afdbd536
Several filters optimized with pre-filtering using new option `prefregex`
8 years ago
sebres
ab0ac2111c
added possibility to specify more precise default date pattern:
...
- `datepattern = {^LN-BEG}` - only line-begin anchored default patterns
(matches date only at begin of line, or with max distance up to 2 non-alphanumeric characters from line-begin);
- `datepattern = {*WD-BEG}` - only word-begin anchored default patterns;
- `datepattern = ^prefix{DATE}suffix` - exact specified default patterns (using prefix and suffix);
common filter configs gets a more precise, line-begin anchored (datepattern = {^LN-BEG}) resp. custom anchoring default date-patterns;
8 years ago
sebres
4a1d720344
filter.d/asterisk.conf: another part ` chan_sip.c:28468 handle_request_register:` in log prefix
8 years ago
sebres
f5f204ca7c
Improved changes of gh-1458:
...
`[^']*` after callid was wrong, changed to `[^\)]*`;
regexp anchored at the end;
almost the same regex grouped to one;
Closes #1458
9 years ago
nturcksin
72a157b8f2
Improve PJSIP log support for asterisk 13+ with different callID (Squash gh-1458)
...
Change the asterisk pjsip filter to don't take the callId part
Add optional part between "Request" and "from"
Listed all log message from asterisk
9 years ago
Ludovic Gasc
f85fb45b29
Asterisk pjsip ( #1456 )
...
* Improve PJSIP log support for Asterisk 13+
* Update changelog: filter.d/asterisk.conf - fix security log support for PJSIP and Asterisk 13+
* Change pjsip regexp with sebres observation, thanks to @nturcksin
9 years ago
sebres
cb4f9be8b2
the date brackets removed from filters using `__prefix_line`, because `__prefix_line` already contains the date ambit;
9 years ago
sebres
d8e81eb417
regexp rewritten (few vulnerable as previous) + test case added
9 years ago
3eBoP
257b7049d8
Update asterisk filter: changed regex for "Call from ...". Sometimes extension can have a plus symbol (+) because they can be phone number.
...
Closes #1309
9 years ago
Ivan Poddubny
7a4e6fa6e5
Asterisk security log: add support for websocket protocol events
...
Thanks to @kcormier.
10 years ago
Ivan Poddubny
988d9a08da
Asterisk security log: accept events containing Response/ExpectedResponse
...
Event containing Challenge may come without ReceivedChallenge, but with
Response and ExpectedResponse.
Also Challenge now accepts '/' character, since it is used at least by PJSIP.
10 years ago
Ivan Poddubny
189265a323
Asterisk security log: accept SessionID of PJSIP events
...
Unlike chan_sip and manager, PJSIP populates SessionID using
Call-Id header of a related SIP message.
As Call-Id of a SIP message can contain almost anything,
the regular expression for SessionID has been loosened.
10 years ago
Ivan Poddubny
ab2ac1a367
Asterisk security log: accept <unknown> in AccountID
10 years ago
Ivan Poddubny
977f9955e7
Asterisk security log: accept EventTV in ISO8601
...
Asterisk uses ISO8601 dates in security log since version 12.
Closes #988
10 years ago
Lee Clemens
72f4bcfbff
Match hacking attempt IP instead of asterisk server IP ( closes #1000 )
10 years ago
Daniel Black
77fda9498c
ENH: pull asterisk filter change to support syslog from 0.9 branch
11 years ago
Tomas Pihl
b52a4441fd
Support ACL-events without AccountID. Typically happens when a registration
...
from an unknown domain is performed.
Add credits
11 years ago
Daniel Black
eb9663eb4f
BF/ENH: asterisk connection ID is a hex not decimal number. Add "Rejecting unknown SIP connection from <HOST>" regex thanks to Jonathan Lanning
11 years ago
Daniel Black
d7560d4041
ENH: condense asterisk regexs for speed
11 years ago
Daniel Black
89fd792dfb
DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page
11 years ago
Jamyn Shanley
8936f2cd02
fail2ban-users: Sebastian Arcus - Detect device auth failures on Asterisk 11
12 years ago
Daniel Black
619603fe05
BF: match asterisk InvalidPassword correctly
12 years ago
Daniel Black
0086a7edab
ENH: missed a $
12 years ago
Daniel Black
fa7a105483
ENH: filter.d/asterisk - consolidate log prefix regex and add a few fail messages
12 years ago
Yaroslav Halchenko
09302c5c25
ENH: asterisk -- use \S instead of [^:] + prefix failregex with ^\[
...
detected date portion is stripped from the string to be matched, so it is not only
the right ] is left, but also the left one ;-)
12 years ago
Daniel Black
6a09ecff5c
ENH: anchor a bit mor. Use \d and \w where possible. Escape a literal .
12 years ago
Carlos Alberto Lopez Perez
47b063b022
Filter Asterisk: Add AUTH_UNKNOWN_DOMAIN error to list
...
* I have been seeing bruteforcing attempts where asterisk fails with
AUTH_UNKNOWN_DOMAIN (Not a local domain)
12 years ago
Daniel Black
05c88bd85d
ENH: purge a few more .*
12 years ago
Daniel Black
4cf402d60e
ENH/BF: constrain regex. Fix ACL error regex
12 years ago
Daniel Black
0f7b609336
ENH: port optional
12 years ago
silviogarbes
5c8fb68a2c
Update asterisk.conf
...
Para ficar compatível com asterisk 11
12 years ago
Daniel Black
495f2dd877
DOC: purge of svn tags
12 years ago
Xavier Devlamynck
8c00ce0a65
Add the INCLUDE section to use __pid_re feature
13 years ago