René Berber wrote:
>> [Time 2006.12.30 03:44:59 UTC] [Facility authpriv] [Sender snort] [PID 
>> -1] [Message [1:2050:9\] MS-SQL version overflow attempt 
>> [Classification: Misc activity\] [Priority: 3\]: {UDP} 
>> 61.187.94.122:4613 -> 1.2.3.4:1434] [Level 1] [UID -2] [GID -2] [Host 
>> our-little-emac]
>>
>> [there are more snort examples from my log here: 
>> http://robertwyatt.info/fink/match.txt]
>>
>> USERDEF_FAILED_ENTRY_REGEX=.* \[Sender snort\] \[PID \d*\] .* attempt 
>> .*P} (?P<host>.*?):.*?
> 
> That won't match the -1 after PID, the curly bracket is a special char.  Perhaps
> something like this:
> 
> USERDEF_FAILED_ENTRY_REGEX=.* \[Sender snort\] \[PID -?\d+\] .* attempt.*P\}
> (?P<host>\S+):.*

Thanks René, probably better, but still doesn't seem to match. By that I 
mean that I restart denyhosts and it doesn't seem to pick up those IP 
addresses at startup when it processes my log file (I've seen it do this 
in the past for my PAM messages). I suppose that one possibility is that 
those addresses may have been picked up by syncing in the meantime.... I 
can investigate this possibility.


_______________________________________________
Denyhosts-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
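A way to try both candidate patterns against the snort record outside DenyHosts before restarting it, added here as an example; this is not code from the thread or from the DenyHosts project. It feeds the snort line quoted above (joined back onto one line, since syslog writes it as one record and the mail client wrapped it) plus one constructed, unrelated cron line to each pattern using Python's re module, which is what DenyHosts, a Python program, uses. Assumptions, labelled in the code as well: that DenyHosts applies USERDEF_FAILED_ENTRY_REGEX to the whole line with re.match (both candidates start with `.*`, so re.search would give the same result), and that René's pattern is meant as one line with a space between `P\}` and `(?P<host>`, where the mail wrapped it. The function names (`extract_host`, `hosts_from_log`, `pid_fragment_matches`) are mine.

```python
import re

# Constructed sample log: the snort record quoted in the thread, joined back
# onto one line, plus one made-up unrelated line that the pattern must ignore.
SNORT_LINE = (
    r"[Time 2006.12.30 03:44:59 UTC] [Facility authpriv] [Sender snort] [PID -1] "
    r"[Message [1:2050:9\] MS-SQL version overflow attempt "
    r"[Classification: Misc activity\] [Priority: 3\]: {UDP} "
    r"61.187.94.122:4613 -> 1.2.3.4:1434] [Level 1] [UID -2] [GID -2] "
    r"[Host our-little-emac]"
)
OTHER_LINE = (
    r"[Time 2006.12.30 03:45:10 UTC] [Facility daemon] [Sender cron] [PID 812] "
    r"[Message job finished] [Level 5] [UID 0] [GID 0] [Host our-little-emac]"
)
SAMPLE_LOG = [SNORT_LINE, OTHER_LINE]

# The two USERDEF_FAILED_ENTRY_REGEX candidates from the thread, each written
# on one line (the second was wrapped by the mail client between "P\}" and
# "(?P<host>"; in denyhosts.cfg the value has to stay on a single line).
ORIGINAL_REGEX = r".* \[Sender snort\] \[PID \d*\] .* attempt .*P} (?P<host>.*?):.*?"
RENE_REGEX = r".* \[Sender snort\] \[PID -?\d+\] .* attempt.*P\} (?P<host>\S+):.*"


def extract_host(pattern, line):
    """Return the 'host' group of PATTERN applied to LINE, or None.

    Assumption (not checked against the DenyHosts source): the pattern is
    applied to the whole log line with re.match.  Both candidates begin
    with '.*', so re.search would give the same answer.
    """
    m = re.match(pattern, line)
    return m.group("host") if m else None


def hosts_from_log(pattern, lines=SAMPLE_LOG):
    """Collect every host the pattern extracts from a list of log lines."""
    return [h for h in (extract_host(pattern, line) for line in lines) if h]


def pid_fragment_matches(fragment, pid_field="[PID -1]"):
    """Test just the PID sub-pattern against the field snort produces."""
    return re.fullmatch(fragment, pid_field) is not None


if __name__ == "__main__":
    for name, pat in (("original", ORIGINAL_REGEX), ("rene", RENE_REGEX)):
        print(name, "->", hosts_from_log(pat))
    # The original pattern already fails on the PID field by itself:
    # \d* cannot consume the leading '-' of "-1".
    print(r"\[PID \d*\]", pid_fragment_matches(r"\[PID \d*\]"))
    print(r"\[PID -?\d+\]", pid_fragment_matches(r"\[PID -?\d+\]"))
```

Run as a script it prints which pattern yields an address. The original pattern extracts nothing because `\[PID \d*\]` cannot get past the `-` in `[PID -1]`; René's pattern returns `61.187.94.122` for the snort line and ignores the cron line. If a pattern matches here but DenyHosts still does not add the address after a restart, the regex is not the cause and the check belongs elsewhere (for example, whether the address was already present in the deny file or arrived through sync, as the poster suspects).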