9983a9b5c0
Closes: #12770 [via git-merge-pr] Signed-off-by: Jürgen Buchmüller <pullmoll@t-online.de>
180 lines
6.8 KiB
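diff --git src/parser/attack_parser.y src/parser/attack_parser.y
index 247adf3..a4d65c7 100644
--- a/src/parser/attack_parser.y
+++ b/src/parser/attack_parser.y
@@ -46,7 +46,7 @@ static void yyerror(attack_t *, const char *);
 }
 
 /* semantic values for tokens */
-%token <str> IPv4 IPv6 HOSTADDR WORD
+%token <str> IPv4 IPv6 IPv6_WITH_SUFFIX HOSTADDR WORD
 %token <num> INTEGER SYSLOG_BANNER_PID SOCKLOG_BANNER_PID
 
 /* flat tokens */
@@ -176,6 +176,12 @@ addr:
 attack->address.kind = ADDRKIND_IPv6;
 strcpy(attack->address.value, $1);
 }
+ | IPv6_WITH_SUFFIX
+ {
+ attack->address.kind = ADDRKIND_IPv6;
+ char* percent = strchr($1, '%');
+ strncpy(attack->address.value, $1, percent - $1);
+ }
 | HOSTADDR {
 if (!attack_from_hostname(attack, $1)) {
 YYABORT;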
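Review bot: The new `IPv6_WITH_SUFFIX` action leaves `attack->address.value` unterminated: `strncpy` with a length of exactly `percent - $1` copies the bytes before the `%` but writes no NUL, so any bytes left in the buffer from an earlier address become part of this one when it is later read as a C string. `percent` is also dereferenced without a NULL check; the scanner only emits this token when a `%` is present, so that is defensive rather than a live bug. Replace the two lines with `const char *percent = strchr($1, '%'); if (!percent) { YYABORT; }` followed by `snprintf(attack->address.value, sizeof attack->address.value, "%.*s", (int)(percent - $1), $1);`, which terminates and bounds the copy (assuming `value` is a fixed-size array, as the existing `strcpy` into it suggests). The enclosing `addr:` rule starts before this hunk.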
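diff --git src/parser/attack_scanner.l src/parser/attack_scanner.l
index a32e9e6..50ad009 100644
--- a/src/parser/attack_scanner.l
+++ b/src/parser/attack_scanner.l
@@ -75,6 +75,7 @@ PROCESSNAME ([-_a-zA-Z0-9]{2,7})|([-_a-zA-Z0-9]{9,})|([-_a-rt-zA-RT-Z0-9][-_a-zA
 IPV4 ((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9][0-9]?|0)(\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9][0-9]?|0)){3})
 /* IPv6 addresses including compressed variants (RFC 2373) */
 IPV6 (::|:(:[0-9a-fA-F]{1,4}){1,7}|[0-9a-fA-F]{1,4}:([0-9a-fA-F]{1,4}:(:[0-9a-fA-F]{1,4}){1,5}|(:[0-9a-fA-F]{1,4}){1,6})|([0-9a-fA-F]{1,4}:){3}([0-9a-fA-F]{1,4}:(:[0-9a-fA-F]{1,4}){1,3}|(:[0-9a-fA-F]{1,4}){1,4})|([0-9a-fA-F]{1,4}:){5}([0-9a-fA-F]{1,4}:[0-9a-fA-F]{0,4}:[0-9a-fA-F]{1,4}|(:[0-9a-fA-F]{1,4}){1,2})|([0-9a-fA-F]{1,4}:){1,7}:)
+IFNAME %[^ \n]{1,15}
 /* an IPv4 packed in IPv6 as IPv4-mapped IPv6 address */
 IPV4MAPPED6 ((:(:0{1,4}){0,4}|0{1,4}:(:0{1,4}){1,3}|(0{1,4}:){2}(0{1,4}:0{0,4}:0{1,4}|(:0{1,4}){1,2})|(0{1,4}:){1,4}):[fF]{4}:(((2[0-4]|1[0-9]|[1-9])?[0-9]|25[0-5])\.){3}((2[0-4]|1[0-9]|[1-9])?[0-9]|25[0-5]))
 
@@ -270,6 +271,7 @@ WORDPRESS_LOGIN .*"/wp-login"(\.php)?
 /* an IPv6 address */
 /* standard | clouds implied | embedded IPv4 */
 {IPV6} { yylval.str = yytext; return IPv6; }
+{IPV6}{IFNAME} { yylval.str = yytext; return IPv6_WITH_SUFFIX; }
 
 /* an host address (PTR) */
 {HOSTADDR} { yylval.str = yytext; return HOSTADDR; }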
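Review bot: The `IFNAME` definition `%[^ \n]{1,15}` accepts any byte other than space and newline as part of the zone index, including tab and the punctuation some log formats place directly after an address, so a line with `<addr>%eth0:` would swallow the colon into the suffix and may then fail to match the remainder of its rule; consider restricting it to the characters an interface name or numeric scope id can contain, e.g. `IFNAME %[-_a-zA-Z0-9.]{1,15}`. The new `{IPV6}{IFNAME}` rule also lacks the explanatory comment its neighbours have; `/* an IPv6 address followed by a zone index (RFC 4007); the parser discards the suffix */` would record why the suffix is matched at all. Flex's longest-match rule is what makes this pattern win over `{IPV6}` whenever a suffix is present, and the new expected output relies on that, so it is worth stating in the same comment.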
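diff --git src/parser/attacks.txt src/parser/attacks.txt
index 8871bdf..c118ea7 100644
--- a/src/parser/attacks.txt
+++ b/src/parser/attacks.txt
@@ -1,13 +1,18 @@
 Invalid user inexu from 6.6.6.0
 Invalid user inexu from 2001:db8::a11:beef:7ac0
+Invalid user inexu from 2001:db8::a11:beef:7ac0%abcdefgh1234567
 User mario from 6.6.6.0 not allowed because XYZ
 User mario from 2001:db8::a11:beef:7ac0 not allowed because XYZ
+User mario from 2001:db8::a11:beef:7ac0%lo not allowed because XYZ
 Failed XYZ for XYZ from 6.6.6.0 port 14423 ssh2
 Failed XYZ for XYZ from 2001:db8::a11:beef:7ac0 port 14423 ssh2
+Failed XYZ for XYZ from 2001:db8::a11:beef:7ac0%enp3s0 port 14423 ssh2
 error: PAM: authentication failure for mario from 6.6.6.0
 error: PAM: authentication failure for mario from 2001:db8::a11:beef:7ac0
+error: PAM: authentication failure for mario from 2001:db8::a11:beef:7ac0%vbr1
 Did not receive identification string from 6.6.6.0
 Did not receive identification string from 2001:db8::a11:beef:7ac0
+Did not receive identification string from 2001:db8::a11:beef:7ac0%eth0
 Bad protocol version identification XYZ from 6.6.6.0
 Bad protocol version identification XYZ from 2001:db8::a11:beef:7ac0
 authentication failure XYZ 6.6.6.0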
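diff --git src/parser/expected.txt src/parser/expected.txt
new file mode 100644
index 0000000..fa5bd8d
--- /dev/null
+++ b/src/parser/expected.txt
@@ -0,0 +1,85 @@
+100 6.6.6.0 4 10
+100 2001:db8::a11:beef:7ac0 6 10
+100 2001:db8::a11:beef:7ac0 6 10
+100 6.6.6.0 4 10
+100 2001:db8::a11:beef:7ac0 6 10
+100 2001:db8::a11:beef:7ac0 6 10
+100 6.6.6.0 4 10
+100 2001:db8::a11:beef:7ac0 6 10
+100 2001:db8::a11:beef:7ac0 6 10
+100 6.6.6.0 4 10
+100 2001:db8::a11:beef:7ac0 6 10
+100 2001:db8::a11:beef:7ac0 6 10
+100 6.6.6.0 4 10
+100 2001:db8::a11:beef:7ac0 6 10
+100 2001:db8::a11:beef:7ac0 6 10
+100 6.6.6.0 4 10
+100 2001:db8::a11:beef:7ac0 6 10
+230 6.6.6.0 4 10
+230 2001:db8::a11:beef:7ac0 6 10
+240 6.6.6.0 4 10
+240 2001:db8::a11:beef:7ac0 6 10
+250 6.6.6.0 4 10
+250 2001:db8::a11:beef:7ac0 6 10
+210 6.6.6.0 4 10
+210 2001:db8::a11:beef:7ac0 6 10
+200 6.6.6.0 4 10
+200 2001:db8::a11:beef:7ac0 6 10
+220 6.6.6.0 4 10
+220 2001:db8::a11:beef:7ac0 6 10
+300 6.6.6.0 4 10
+300 2001:db8::a11:beef:7ac0 6 10
+310 6.6.6.0 4 10
+310 2001:db8::a11:beef:7ac0 6 10
+320 6.6.6.0 4 10
+320 2001:db8::a11:beef:7ac0 6 10
+330 6.6.6.0 4 10
+330 2001:db8::a11:beef:7ac0 6 10
+260 199.19.110.207 4 10
+260 2001:db8::a11:beef:7ac0 6 10
+100 66.240.236.119 4 10
+100 2001:db8::a11:beef:7ac0 6 10
+100 95.9.156.208 4 10
+100 2001:db8::a11:beef:7ac0 6 10
+100 130.207.203.56 4 10
+100 2001:db8::a11:beef:7ac0 6 10
+100 103.237.33.58 4 10
+100 2001:db8::a11:beef:7ac0 6 10
+240 87.76.31.6 4 10
+240 2001:db8::a11:beef:7ac0 6 10
+240 10.0.0.1 4 10
+240 2001:db8::a11:beef:7ac0 6 10
+100 192.168.2.1 4 10
+100 2001:db8::a11:beef:7ac0 6 10
+100 192.168.2.200 4 10
+100 2001:db8::a11:beef:7ac0 6 10
+260 24.213.217.114 4 10
+260 2001:db8::a11:beef:7ac0 6 10
+100 117.81.26.226 4 10
+100 2001:db8::a11:beef:7ac0 6 10
+100 190.50.238.98 4 10
+100 2001:db8::a11:beef:7ac0 6 10
+340 172.22.10.15 4 10
+340 2001:db8::a11:beef:7ac0 6 10
+100 172.22.10.15 4 10
+100 2001:db8::a11:beef:7ac1 6 10
+350 10.42.42.39 4 10
+360 10.42.42.40 4 10
+360 10.42.42.41 4 10
+360 10.42.42.42 4 10
+360 10.42.42.43 4 10
+360 2001:db8::a11:beef:7aa0 6 10
+360 10.42.42.44 4 10
+360 2001:db8::a11:beef:7aa1 6 10
+360 10.42.42.45 4 10
+100 10.42.42.42 4 10
+370 2001:db8::a11:b2ef:78f2 6 10
+370 10.42.57.1 4 10
+370 2001:db8::a11:beef:7aa2 6 10
+370 192.68.11.1 4 10
+370 192.68.11.1 4 10
+350 2001:db8::a11:beef:7aa3 6 10
+110 2001:db8::a11:beef:456e 6 10
+110 192.68.18.1 4 10
+110 192.68.18.2 4 10
+110 2001:db8::a11:beef:456f 6 10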
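diff --git src/parser/test-sshg-parser src/parser/test-sshg-parser
index 094dbe7..dbecead 100755
--- a/src/parser/test-sshg-parser
+++ b/src/parser/test-sshg-parser
@@ -1,12 +1,5 @@
 #!/bin/sh
-file="attacks.txt"
-in_count=`wc -l $file | awk '{ print $1 }'`
-out_count=`./sshg-parser < $file | wc -l | awk '{ print $1 }'`
-if [ $in_count -ne $out_count ]; then
- exit 1
-fi
 
-not_out_count=`./sshg-parser < not-attacks.txt | wc -l | awk '{ print $1 }'`
-if [ 0 -ne $not_out_count ]; then
- exit 1
-fi
+cat attacks.txt | ./sshg-parser | diff -u expected.txt - || exit 1
+
+cat not-attacks.txt | ./sshg-parser | diff -u /dev/null - || exit 1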
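Review bot: Both new pipelines start with `cat file |`, which only adds a process; `./sshg-parser < attacks.txt | diff -u expected.txt - || exit 1` reads the file directly and still takes its exit status from `diff`, which is the one the script checks. Unlike the old line-count comparison the check is now byte-exact, so any change to the parser's output format will require `expected.txt` to be regenerated; a comment above the first pipeline such as `# output must match expected.txt exactly; regenerate it when the output format changes` would spare the next person a puzzling failure. The script still depends on being run from `src/parser` for its relative paths, as the previous version did.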