guardian: Add upstream patch for HTTP parser.
Commit Message
Fixes #12289.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
---
lfs/guardian | 5 ++-
src/patches/guardian-2.0.2-http-parser.patch | 45 ++++++++++++++++++++
2 files changed, 49 insertions(+), 1 deletion(-)
create mode 100644 src/patches/guardian-2.0.2-http-parser.patch
Comments
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
> On 4 Feb 2020, at 07:59, Stefan Schantl <stefan.schantl@ipfire.org> wrote:
>
> Fixes #12289.
>
> Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
> ---
> lfs/guardian | 5 ++-
> src/patches/guardian-2.0.2-http-parser.patch | 45 ++++++++++++++++++++
> 2 files changed, 49 insertions(+), 1 deletion(-)
> create mode 100644 src/patches/guardian-2.0.2-http-parser.patch
>
> diff --git a/lfs/guardian b/lfs/guardian
> index a40480c0c..3e2c3347f 100644
> --- a/lfs/guardian
> +++ b/lfs/guardian
> @@ -33,7 +33,7 @@ DIR_APP = $(DIR_SRC)/$(THISAPP)
> TARGET = $(DIR_INFO)/$(THISAPP)
>
> PROG = guardian
> -PAK_VER = 18
> +PAK_VER = 19
>
> DEPS = "perl-inotify2 perl-Net-IP"
>
> @@ -79,6 +79,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> @$(PREBUILD)
> @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axvf $(DIR_DL)/$(DL_FILE)
>
> + # Add upstream patches.
> + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/guardian-2.0.2-http-parser.patch
> +
> # Adjust path for firewall binaries.
> cd $(DIR_APP) && sed -i "s|/usr/sbin/|/sbin/|g" modules/IPtables.pm
>
> diff --git a/src/patches/guardian-2.0.2-http-parser.patch b/src/patches/guardian-2.0.2-http-parser.patch
> new file mode 100644
> index 000000000..1ecae658c
> --- /dev/null
> +++ b/src/patches/guardian-2.0.2-http-parser.patch
> @@ -0,0 +1,45 @@
> +commit 5028c7fde1fa15e4960f2fec3c025d0338382895
> +Author: Stefan Schantl <stefan.schantl@ipfire.org>
> +Date: Tue Feb 4 07:55:48 2020 +0100
> +
> + Parser: Adjust HTTP parser to be compatible with newer log format.
> +
> + Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
> +
> +diff --git a/modules/Parser.pm b/modules/Parser.pm
> +index 3880228..bcca88f 100644
> +--- a/modules/Parser.pm
> ++++ b/modules/Parser.pm
> +@@ -302,7 +302,7 @@ sub message_parser_httpd (@) {
> + # been passed.
> + foreach my $line (@message) {
> + # This will catch brute-force attacks against htaccess logins (username).
> +- if ($line =~ /.*\[error\] \[client (.*)\] user(.*) not found:.*/) {
> ++ if ($line =~ /.*\[client (.*)\] .* user(.*) not found:.*/) {
> + # Store the grabbed IP-address.
> + $address = $1;
> +
> +@@ -311,7 +311,7 @@ sub message_parser_httpd (@) {
> + }
> +
> + # Detect htaccess password brute-forcing against a username.
> +- elsif ($line =~ /.*\[error\] \[client (.*)\] user(.*): authentication failure for.*/) {
> ++ elsif ($line =~ /.*\[client (.*)\] .* user(.*): authentication failure for.*/) {
> + # Store the extracted IP-address.
> + $address = $1;
> +
> +@@ -321,6 +321,14 @@ sub message_parser_httpd (@) {
> +
> + # Check if at least the IP-address information has been extracted.
> + if (defined ($address)) {
> ++ # Check if the address also contains a port value.
> ++ if ($address =~ m/:/) {
> ++ my ($add_address, $port) = split(/:/, $address);
> ++
> ++ # Only process the address.
> ++ $address = $add_address;
> ++ }
> ++
> + # Add the extracted values and event message to the actions array.
> + push(@actions, "count $address $name $message");
> + }
> --
> 2.25.0
>
@@ -33,7 +33,7 @@ DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = guardian
-PAK_VER = 18
+PAK_VER = 19
DEPS = "perl-inotify2 perl-Net-IP"
@@ -79,6 +79,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axvf $(DIR_DL)/$(DL_FILE)
+ # Add upstream patches.
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/guardian-2.0.2-http-parser.patch
+
# Adjust path for firewall binaries.
cd $(DIR_APP) && sed -i "s|/usr/sbin/|/sbin/|g" modules/IPtables.pm
new file mode 100644
@@ -0,0 +1,45 @@
+commit 5028c7fde1fa15e4960f2fec3c025d0338382895
+Author: Stefan Schantl <stefan.schantl@ipfire.org>
+Date: Tue Feb 4 07:55:48 2020 +0100
+
+ Parser: Adjust HTTP parser to be compatible with newer log format.
+
+ Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
+
+diff --git a/modules/Parser.pm b/modules/Parser.pm
+index 3880228..bcca88f 100644
+--- a/modules/Parser.pm
++++ b/modules/Parser.pm
+@@ -302,7 +302,7 @@ sub message_parser_httpd (@) {
+ # been passed.
+ foreach my $line (@message) {
+ # This will catch brute-force attacks against htaccess logins (username).
+- if ($line =~ /.*\[error\] \[client (.*)\] user(.*) not found:.*/) {
++ if ($line =~ /.*\[client (.*)\] .* user(.*) not found:.*/) {
+ # Store the grabbed IP-address.
+ $address = $1;
+
+@@ -311,7 +311,7 @@ sub message_parser_httpd (@) {
+ }
+
+ # Detect htaccess password brute-forcing against a username.
+- elsif ($line =~ /.*\[error\] \[client (.*)\] user(.*): authentication failure for.*/) {
++ elsif ($line =~ /.*\[client (.*)\] .* user(.*): authentication failure for.*/) {
+ # Store the extracted IP-address.
+ $address = $1;
+
+@@ -321,6 +321,14 @@ sub message_parser_httpd (@) {
+
+ # Check if at least the IP-address information has been extracted.
+ if (defined ($address)) {
++ # Check if the address also contains a port value.
++ if ($address =~ m/:/) {
++ my ($add_address, $port) = split(/:/, $address);
++
++ # Only process the address.
++ $address = $add_address;
++ }
++
+ # Add the extracted values and event message to the actions array.
+ push(@actions, "count $address $name $message");
+ }