I'm trying to leverage the versatility of denyhosts' user-defined failed
entry regex to deny access when snort finds something. A typical snort
log entry for my machine follows. For some reason the log reporter that
snort is using in my case sends '\' characters in some places, but for
whatever reason, they are always in the same places.
[Time 2006.12.30 03:44:59 UTC] [Facility authpriv] [Sender snort] [PID -1] [Message [1:2050:9\] MS-SQL version overflow attempt [Classification: Misc activity\] [Priority: 3\]: {UDP} 61.187.94.122:4613 -> 1.2.3.4:1434] [Level 1] [UID -2] [GID -2] [Host our-little-emac]
[there are more snort examples from my log here:
http://robertwyatt.info/fink/match.txt]
So far, I've tried various things, but apparently none of them have
matched in denyhosts' regex engine (and probably for good reason). Here
is where I am (lost):
USERDEF_FAILED_ENTRY_REGEX=.* \[Sender snort\] \[PID \d*\] .* attempt .*P} (?P<host>.*?):.*?
Any help is very appreciated,
Robert
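An added worked example (not from Robert's post or from denyhosts itself) that runs the posted regex and a corrected one over the posted log line with Python's re module, which is the engine denyhosts uses. It assumes the entry sits on a single line in the real log file (the mail client wrapped it), that the PID field reads "[PID -1]" as in the post, and that denyhosts requires the capture group to be named host. The posted pattern cannot match because \[PID \d*\] only accepts digits, and the PID here is -1; the corrected pattern accepts a leading minus, anchors the host to a dotted-quad and, going slightly beyond the post, makes the port optional so {ICMP} alerts (no port) are caught as well. The ICMP and sshd lines are constructed for the demonstration, not taken from the log.

```python
import re

# The entry from the post, rejoined onto one line as it would appear in the
# log file (only the mail wrapping is removed).
POSTED_LINE = (
    r"[Time 2006.12.30 03:44:59 UTC] [Facility authpriv] [Sender snort] [PID -1] "
    r"[Message [1:2050:9\] MS-SQL version overflow attempt "
    r"[Classification: Misc activity\] [Priority: 3\]: {UDP} "
    r"61.187.94.122:4613 -> 1.2.3.4:1434] [Level 1] [UID -2] [GID -2] "
    r"[Host our-little-emac]"
)

# Constructed sample lines (not from the original log): an ICMP alert, which
# carries no port after the source address, and an sshd line that must not match
# because the sender is not snort.
ICMP_LINE = (
    r"[Time 2006.12.30 03:50:01 UTC] [Facility authpriv] [Sender snort] [PID -1] "
    r"[Message [1:0:0\] constructed ICMP probe attempt "
    r"[Classification: Misc activity\] [Priority: 3\]: {ICMP} "
    r"10.0.0.6 -> 1.2.3.4] [Level 1] [UID -2] [GID -2] [Host our-little-emac]"
)
SSHD_LINE = (
    r"[Time 2006.12.30 03:51:00 UTC] [Facility authpriv] [Sender sshd] [PID 1234] "
    r"[Message Failed password for root from 10.0.0.7 port 2222 ssh2] "
    r"[Level 1] [UID -2] [GID -2] [Host our-little-emac]"
)

# The regex exactly as posted. \d* cannot match the "-" in "[PID -1]",
# so re.search() returns None for every snort line above.
POSTED_REGEX = r".* \[Sender snort\] \[PID \d*\] .* attempt .*P} (?P<host>.*?):.*?"

# Corrected pattern:
#   \[PID -?\d+\]            accepts the -1 that this log reporter emits
#   \{(?:TCP|UDP|ICMP)\}     the protocol tag, instead of the loose "P}"
#   (?P<host>\d{1,3}(?:\.\d{1,3}){3})  host must be a dotted-quad, so a stray
#                            colon elsewhere in the message cannot shift the capture
#   (?::\d+)?                port is optional, which covers ICMP alerts
#   " -> "                   the source address is the one before the arrow
# " attempt " is kept from the post so only "... attempt" signatures trigger a
# ban; drop it to act on every snort alert. The leading .* means it behaves the
# same under re.match() and re.search().
FIXED_REGEX = (
    r".* \[Sender snort\] \[PID -?\d+\] .* attempt .*"
    r"\{(?:TCP|UDP|ICMP)\} (?P<host>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)? -> "
)


def extract_host(line, pattern=FIXED_REGEX):
    """Return the value of the named group 'host' for a matching line, else None."""
    m = re.search(pattern, line)
    return m.group("host") if m else None


def find_offenders(lines, pattern=FIXED_REGEX):
    """Collect every host a denyhosts-style pass over the lines would ban."""
    hosts = []
    for line in lines:
        host = extract_host(line, pattern)
        if host:
            hosts.append(host)
    return hosts


if __name__ == "__main__":
    sample = [POSTED_LINE, ICMP_LINE, SSHD_LINE]
    print("posted regex  :", find_offenders(sample, POSTED_REGEX))  # []
    print("fixed regex   :", find_offenders(sample))  # ['61.187.94.122', '10.0.0.6']
    print("USERDEF_FAILED_ENTRY_REGEX=" + FIXED_REGEX)
```

The last print gives the string to paste into denyhosts.cfg; keep it on one line there. Note that the regex operates on whatever the log reporter writes, so if a different reporter drops the backslashes or the "[PID -1]" field, the pattern must be checked against a real line again the same way as above.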
_______________________________________________
Denyhosts-user mailing list
https://lists.sourceforge.net/lists/listinfo/denyhosts-user