From patchwork Tue Feb  4 07:59:33 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Stefan Schantl <stefan.schantl@ipfire.org>
X-Patchwork-Id: 2750
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384
	 client-signature ECDSA (P-384) client-digest SHA384)
	(Client CN "mail01.haj.ipfire.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
	by web04.haj.ipfire.org (Postfix) with ESMTPS id 48BcYL1wDxz3xYC
	for <patchwork@web04.haj.ipfire.org>; Tue,  4 Feb 2020 07:59:50 +0000 (UTC)
Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384
	 client-signature ECDSA (P-384) client-digest SHA384)
	(Client CN "mail02.haj.ipfire.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
	by mail01.ipfire.org (Postfix) with ESMTPS id 48BcYH6MXzz6PY;
	Tue,  4 Feb 2020 07:59:47 +0000 (UTC)
Received: from mail02.haj.ipfire.org (localhost [127.0.0.1])
	by mail02.haj.ipfire.org (Postfix) with ESMTP id 48BcYG0yL5z2yXw;
	Tue,  4 Feb 2020 07:59:46 +0000 (UTC)
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384
 client-signature ECDSA (P-384) client-digest SHA384)
 (Client CN "mail01.haj.ipfire.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mail02.haj.ipfire.org (Postfix) with ESMTPS id 48BcY94NVlz2xbB
 for <development@lists.ipfire.org>; Tue,  4 Feb 2020 07:59:41 +0000 (UTC)
Received: from [127.0.0.1] (localhost [127.0.0.1])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384)
 (Client did not present a certificate)
 by mail01.ipfire.org (Postfix) with ESMTPSA id 48BcY827ZBz2Hw;
 Tue,  4 Feb 2020 07:59:40 +0000 (UTC)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=201909ed25519; t=1580803180;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:
 content-transfer-encoding:content-transfer-encoding;
 bh=2+LvniTNkn2ho/KJD9dt7h8NCg+O2yzjlhuO6DbMNZA=;
 b=MXRZ9q4GfHLckYtANqEhvPXfr6t3O1epKNOUtEtC9sYyP8Lv5S1Jx27aui/E0kt9+OHuHO
 54wWqzpy6N6V5eAg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=201909rsa;
 t=1580803180;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:
 content-transfer-encoding:content-transfer-encoding;
 bh=2+LvniTNkn2ho/KJD9dt7h8NCg+O2yzjlhuO6DbMNZA=;
 b=TMKrP4Taeq9VeVcDlcyIOpt4T8p5eqo1WSPBW46S6Cw7sYGmtqZsrvEme0ulQbZjhd8AOK
 KNdnjOHwQdyasxoYcBBvaAo35nqWW4pANGRy1ySrdzPyKR6Guh12If5Oj+pPmPPiRV2PTu
 HVckULGwJXOQ728D8V1Ei3OHacwZGbOrr0wdnsnZJZy/HsaihvYbecrK79SkPTMFjKq7Q4
 deXhr4kA9qcfsqCWhXS0s8W6kg1B+zQ1noamaSdg6rWbUo78Ac8vkLKCysh0h53uM3xxX5
 xBvKW/VlQ4mL9/5/wPivtjSS//ojnjlYx78P3xCeJl+xcx6P6T6ACykxDu6ulQ==
From: Stefan Schantl <stefan.schantl@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH] guardian: Add upstream patch for HTTP parser.
Date: Tue,  4 Feb 2020 08:59:33 +0100
Message-Id: <20200204075933.21338-1-stefan.schantl@ipfire.org>
MIME-Version: 1.0
Authentication-Results: mail01.ipfire.org;
 auth=pass smtp.mailfrom=stefan.schantl@ipfire.org
X-BeenThere: development@lists.ipfire.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>,
 <mailto:development-request@lists.ipfire.org?subject=unsubscribe>
List-Archive: <http://lists.ipfire.org/pipermail/development/>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>,
 <mailto:development-request@lists.ipfire.org?subject=subscribe>
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development" <development-bounces@lists.ipfire.org>

Fixes #12289.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
---
 lfs/guardian                                 |  5 ++-
 src/patches/guardian-2.0.2-http-parser.patch | 45 ++++++++++++++++++++
 2 files changed, 49 insertions(+), 1 deletion(-)
 create mode 100644 src/patches/guardian-2.0.2-http-parser.patch

diff --git a/lfs/guardian b/lfs/guardian
index a40480c0c..3e2c3347f 100644
--- a/lfs/guardian
+++ b/lfs/guardian
@@ -33,7 +33,7 @@ DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 
 PROG       = guardian
-PAK_VER    = 18
+PAK_VER    = 19
 
 DEPS       = "perl-inotify2 perl-Net-IP"
 
@@ -79,6 +79,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axvf $(DIR_DL)/$(DL_FILE)
 
+	# Add upstream patches.
+	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/guardian-2.0.2-http-parser.patch
+
 	# Adjust path for firewall binaries.
 	cd $(DIR_APP) && sed -i "s|/usr/sbin/|/sbin/|g" modules/IPtables.pm
 
diff --git a/src/patches/guardian-2.0.2-http-parser.patch b/src/patches/guardian-2.0.2-http-parser.patch
new file mode 100644
index 000000000..1ecae658c
--- /dev/null
+++ b/src/patches/guardian-2.0.2-http-parser.patch
@@ -0,0 +1,45 @@
+commit 5028c7fde1fa15e4960f2fec3c025d0338382895
+Author: Stefan Schantl <stefan.schantl@ipfire.org>
+Date:   Tue Feb 4 07:55:48 2020 +0100
+
+    Parser: Adjust HTTP parser to be compatible with newer log format.
+    
+    Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
+
+diff --git a/modules/Parser.pm b/modules/Parser.pm
+index 3880228..bcca88f 100644
+--- a/modules/Parser.pm
++++ b/modules/Parser.pm
+@@ -302,7 +302,7 @@ sub message_parser_httpd (@) {
+ 	# been passed.
+ 	foreach my $line (@message) {
+ 		# This will catch brute-force attacks against htaccess logins (username).
+-		if ($line =~ /.*\[error\] \[client (.*)\] user(.*) not found:.*/) {
++		if ($line =~ /.*\[client (.*)\] .* user(.*) not found:.*/) {
+ 			# Store the grabbed IP-address.
+ 			$address = $1;
+ 
+@@ -311,7 +311,7 @@ sub message_parser_httpd (@) {
+ 		}
+ 
+ 		# Detect htaccess password brute-forcing against a username.
+-		elsif ($line =~ /.*\[error\] \[client (.*)\] user(.*): authentication failure for.*/) {
++		elsif ($line =~ /.*\[client (.*)\] .* user(.*): authentication failure for.*/) {
+ 			# Store the extracted IP-address.
+ 			$address = $1;
+ 
+@@ -321,6 +321,14 @@ sub message_parser_httpd (@) {
+ 
+ 		# Check if at least the IP-address information has been extracted.
+ 		if (defined ($address)) {
++			# Check if the address also contains a port value.
++			if ($address =~ m/:/) {
++				my ($add_address, $port) = split(/:/, $address);
++
++				# Only process the address.
++				$address = $add_address;
++			}
++
+ 			# Add the extracted values and event message to the actions array.
+ 			push(@actions, "count $address $name $message");
+ 		}