[Logcheck-commits] [logcheck] 01/01: i.d.s/ssh: adjust 'Bad protocol version identification' rule

Hannes von Haugwitz hvhaugwitz at moszumanska.debian.org
Sat Jan 14 09:16:41 UTC 2017


This is an automated email from the git hooks/post-receive script.

hvhaugwitz pushed a commit to branch master
in repository logcheck.

commit e3e5249e5ba650e15fce62f5e40b2c5f25b6ed2d
Author: Hannes von Haugwitz <hannes at vonhaugwitz.com>
Date:   Sat Jan 14 10:12:38 2017 +0100

    i.d.s/ssh: adjust 'Bad protocol version identification' rule
    
    closes: #703936
---
 debian/changelog                    | 2 ++
 rulefiles/linux/ignore.d.server/ssh | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index ad2d305..4b20bcc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,6 +8,8 @@ logcheck (1.3.18) UNRELEASED; urgency=medium
     - rewrite rules (LP: #1357880, closes: #809605)
   * ignore.d.server/ssh:
     - add generic preauth disconnect rule (closes: #775090)
+    - adjust 'Bad protocol version identification' rule, thanks to Paul
+      for the patch (closes: #703936)
   * ignore.d.server/su:
     - allow '.' and '_' in username (closes: #780441)
 
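Review bot: the credit on the added changelog lines names only "Paul"; use the contributor's full name (as it appears on the patch submission in #703936) so the attribution is unambiguous for anyone reading the changelog later.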
diff --git a/rulefiles/linux/ignore.d.server/ssh b/rulefiles/linux/ignore.d.server/ssh
index c842b68..43907e2 100644
--- a/rulefiles/linux/ignore.d.server/ssh
+++ b/rulefiles/linux/ignore.d.server/ssh
@@ -1,7 +1,7 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Accepted (gssapi(-with-mic|-keyex)?|rsa|dsa|password|publickey|keyboard-interactive/pam|hostbased) for [^[:space:]]+ from [^[:space:]]+ port [[:digit:]]+( (ssh|ssh2))?(: (RSA|ECDSA) ([[:xdigit:]]{2}:){15}[[:xdigit:]]{2})?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Address [._[:alnum:]-]+ maps to [._[:alnum:]-]+, but this does not map back to the address - POSSIBLE BREAK-?IN ATTEMPT!$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Authorized to [^[:space:]]+, krb5 principal [^[:space:]]+ \(krb5_kuserok\)$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Bad protocol version identification '[^']*' from ([:.[:xdigit:]]+|UNKNOWN)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Bad protocol version identification '[^[:space:]]*' from ([:.[:xdigit:]]+|UNKNOWN) port [[:digit:]]{1,5}$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Did not receive identification string from ([:[:xdigit:].]+|UNKNOWN)+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting: Bad packet length [[:digit:]]+\.$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting: Corrupted MAC on input\.$
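Review bot: tightening the quoted identification string from `'[^']*'` to `'[^[:space:]]*'` changes which lines are ignored, not only which format is accepted: a client banner containing whitespace (a non-SSH client such as an HTTP probe sending a request line to port 22 is the usual case) will no longer match this ignore rule and will start showing up in reports. If surfacing those is the intent, the changelog entry should say so; if not, keep `'[^']*'` for the quoted part and only add the ` port [[:digit:]]{1,5}$` suffix. Separately, the new mandatory ` port ...` suffix means messages from an sshd that logs this event without the port will no longer be ignored either; if older daemons are still a supported target, making the suffix optional, e.g. `( port [[:digit:]]{1,5})?$`, preserves the previous behaviour for them.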

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/logcheck/logcheck.git