[Logcheck-devel] Bug#703936: logcheck-database: SSH Bad Protocol Version Identification Rule is incomplete

Paul Brossier piem at piem.org
Fri Aug 7 08:44:44 UTC 2015



tags 703936 + patch
thanks

Hi,

replacing [^'] with [^[:space:]] does the trick here.

cheers, piem
--- logcheck/ignore.d.server/ssh.orig	2015-05-11 10:57:32.745101129 -0300
+++ logcheck/ignore.d.server/ssh	2015-05-11 10:58:00.849240490 -0300
@@ -1,7 +1,7 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Accepted (gssapi(-with-mic|-keyex)?|rsa|dsa|password|publickey|keyboard-interactive/pam|hostbased) for [^[:space:]]+ from [^[:space:]]+ port [[:digit:]]+( (ssh|ssh2))?(: (RSA|ECDSA) ([[:xdigit:]]{2}:){15}[[:xdigit:]]{2})?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Address [._[:alnum:]-]+ maps to [._[:alnum:]-]+, but this does not map back to the address - POSSIBLE BREAK-?IN ATTEMPT!$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Authorized to [^[:space:]]+, krb5 principal [^[:space:]]+ \(krb5_kuserok\)$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Bad protocol version identification '[^']*' from ([:.[:xdigit:]]+|UNKNOWN)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Bad protocol version identification ‘[^[:space:]]*’ from ([:.[:xdigit:]]+|UNKNOWN) port [[:digit:]]{1,5}$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Did not receive identification string from ([:[:xdigit:].]+|UNKNOWN)+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting: Bad packet length [[:digit:]]+\.$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting: Corrupted MAC on input\.$
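Review bot: the replacement line quotes the identification string with typographic single quotes (U+2018 / U+2019) whereas the line it replaces, and every other rule in this file, uses the ASCII apostrophe; unless sshd really emits curly quotes, this rule will never match, so please confirm the characters (this looks like a mail-client or copy-paste substitution) and restore `'[^[:space:]]*'`. Two further behavioural changes in the same line deserve a mention in the bug: `[^[:space:]]*` no longer accepts identification strings containing whitespace, which the old `[^']*` did, so such lines will now be reported rather than ignored; and the ` port [[:digit:]]{1,5}` suffix is mandatory, so log lines in the older format without a port (the format the removed rule matched) also stop matching. If both formats must be supported, `( port [[:digit:]]{1,5})?$` keeps the old behaviour while accepting the new one.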

