Robert T Wyatt wrote:
> I'm trying to leverage the versatility of denyhosts' user defined failed
> entry regex to deny access when snort finds something. A typical snort
> log entry for my machine follows. For some reason the log reporter that
> snort is using in my case sends '\' characters in some places, but for
> whatever reason, they are always in the same places.
>
> [Time 2006.12.30 03:44:59 UTC] [Facility authpriv] [Sender snort] [PID
> -1] [Message [1:2050:9\] MS-SQL version overflow attempt
> [Classification: Misc activity\] [Priority: 3\]: {UDP}
> 61.187.94.122:4613 -> 1.2.3.4:1434] [Level 1] [UID -2] [GID -2] [Host
> our-little-emac]
>
> [there are more snort examples from my log here:
> http://robertwyatt.info/fink/match.txt]
>
>
> So far, I've tried various things, but apparently none of them have
> matched in denyhosts' regex engine (and probably for good reason). Here
> is where I am (lost):
>
> USERDEF_FAILED_ENTRY_REGEX=.* \[Sender snort\] \[PID \d*\] .* attempt
> .*P} (?P<host>.*?):.*?
That won't match the -1 after PID, and the curly bracket is a special char. Perhaps
something like this:
USERDEF_FAILED_ENTRY_REGEX=.* \[Sender snort\] \[PID -?\d+\] .* attempt.*P\}
(?P<host>\S+):.*
Not tested, but HTH.
--
René Berber
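As an added check that is not part of the thread: a small Python script (denyhosts is itself written in Python, so its `re` semantics apply) that runs both regexes over the posted snort line plus two constructed lines and reports which hosts each rule would hand to denyhosts.

```python
import re

# Regex from the original question (fails on "[PID -1]": \d* cannot match "-").
ORIGINAL_REGEX = r".* \[Sender snort\] \[PID \d*\] .* attempt .*P} (?P<host>.*?):.*?"
# Regex suggested in the reply: optional minus sign, literal "}", non-space host.
SUGGESTED_REGEX = r".* \[Sender snort\] \[PID -?\d+\] .* attempt.*P\} (?P<host>\S+):.*"

# Constructed sample log: the snort line from the post (joined onto one line),
# a second constructed snort line with a positive PID, and an sshd line that
# the snort rule must ignore.
SAMPLE_LOG = [
    "[Time 2006.12.30 03:44:59 UTC] [Facility authpriv] [Sender snort] [PID -1] "
    "[Message [1:2050:9\\] MS-SQL version overflow attempt "
    "[Classification: Misc activity\\] [Priority: 3\\]: {UDP} "
    "61.187.94.122:4613 -> 1.2.3.4:1434] [Level 1] [UID -2] [GID -2] "
    "[Host our-little-emac]",
    "[Time 2006.12.30 04:10:02 UTC] [Facility authpriv] [Sender snort] [PID 1234] "
    "[Message [1:9999:1\\] CONSTRUCTED sample attempt "
    "[Classification: Misc activity\\] [Priority: 3\\]: {UDP} "
    "10.0.0.7:1031 -> 1.2.3.4:1434] [Level 1] [UID -2] [GID -2] "
    "[Host our-little-emac]",
    "[Time 2006.12.30 04:11:00 UTC] [Facility authpriv] [Sender sshd] [PID 501] "
    "[Message Failed password for invalid user test from 10.0.0.9 port 2200 ssh2] "
    "[Level 1] [UID -2] [GID -2] [Host our-little-emac]",
]

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def extract_host(regex, line):
    """Return the 'host' group if regex matches line from its start, else None."""
    m = re.match(regex, line)
    return m.group("host") if m else None


def hosts_from_log(regex, lines):
    """Hosts a denyhosts-style rule would pull from lines.

    Only plausible IPv4 captures are kept: whatever the group captures ends up
    in hosts.deny, so a sloppy capture must not turn into a garbage entry.
    """
    hosts = []
    for line in lines:
        host = extract_host(regex, line)
        if host is not None and IPV4.match(host):
            hosts.append(host)
    return hosts


if __name__ == "__main__":
    for name, regex in (("original", ORIGINAL_REGEX), ("suggested", SUGGESTED_REGEX)):
        print(name, hosts_from_log(regex, SAMPLE_LOG))
```

The original rule still matches the constructed line with a positive PID, so the only line it misses is the one with `[PID -1]`; the suggested rule picks up both snort lines and ignores the sshd line.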
_______________________________________________
Denyhosts-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/denyhosts-user