|Attack RegEx Parser|
Attack RegEx Parser (name subject to change) was designed to either supplement or replace the attack signature parser in SSHGuard.The Attack RegEx Parser consists of a set of function calls that can be intgrated directly into SSHGuard and a stand-alone parser to replace SSHGuard's native parser (SSHGuard v2.4.2 and above). It has been tested extensively, direcly integrated into running instances of sshguard-1.7.0, on three Internet-facing Linux servers of my own. It has been tested extensively as a stand-alone parser, but not yet tested as a replacement for sshguard-2.4.2's native parser.
All of the programs, applications, utilities, and documentation (hereinafter referred to as "programs") on this page are Copyright (C) 2022 James S. Seymour, except as otherwise noted. These programs are free software; you can redistribute them and/or modify them under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. These programs are distributed in the hope that they will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You may receive a copy of the GNU General Public License along with these programs; if not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. An on-line copy of the GNU General Public License can be found here.
Source & Docs: Production VersionProduction versions have been tested more thoroughly, at more sites.
- No Production version yet available
Source & Docs: Beta-Test VersionBeta versions are the result of enhancement requests and bug reports. While also believed to produce correct results (maybe even more accurate or better results--depending on the reason for the change), they're labeled beta until I get enough feedback to let me know all's well. (Or I fail to get any negative feed-back in the form of bug-reports.)
Beta versions are thoroughly regression-tested. Deviations, if any, are noted in the ChangeLog--as are the the reasons for them.
- No Beta-Test version yet available
Source & Docs: Alpha-Test VersionN.B.: Currently un-versioned. But, if it was versioned, it'd probably be v0.1.0 or something.Alpha versions, as with Beta versions, are the result of enhancement requests and bug reports. Compared to Beta versions: Alpha versions may not have been as thoroughly tested or regression-tested - usually either because I lack the necessary raw test data or because the changes make it all-but-impossible to do so. Alpha versions are promoted to Beta status after I've seen they've been downloaded and a time goes by without problem reports. This may get updated at irregular intervals--perhaps even several times per day, as mood or inspiration strikes me. The ChangeLog will always reflect any changes.
- attack_parser_re.tgz [http download] [ftp download]Contents:
- attack_parser_re.c - the attack parsing code
- attack_parser_re.h - header file (duh :))
- attack_parser_re.out - stand-alone executable output sample (see Notes)
- atre_parser.c - replacement parser for sshguard-2.4.2 and later
- Also stand-alone test utility
- examples/attack_parser_re.conf - attack parsing regexps (POSIX)
- examples/attack_parser_re.pcre - attack parsing regexps (PCRE)
- examples/sshguard-1.7.0_integration_diffs.txt - diffs between vanilla and modfied sshguard-1.7.0
- There's also a spurious "should already have been blocked" log message eliminator in there ;)
- sshg_1.7.0_includes - necessary include files from sshguard-1.7.0
- There are equivalent includes in sshguard-2.x. They're unnecessary for atre-parser.
- test/attack_parser_re.conf - development attack parsing regexps (POSIX)
- test/attack_parser_re.pcre - development attack parsing regexps (PCRE)
- test/testfile - abbreviated test logfile input
- test/mytests.txt - abbreviated regression test file
- test/tests.txt - regression test file from sshguard-2.4.2
- attack_parser_re.tgz.asc [http download] [ftp download] (PGP signature)
- attack_parser_re.tgz.md5 [http download] [ftp download] (MD5 signature)
- atre-parser doc [http download] [ftp download]
- ChangeLog [http download] [ftp download]
- HowTo [http download] [ftp download]
Future DirectionHard to say. This code was initially developed with the idea it would simply be a function call following SSHGuard's existing parser so users could easily add their own regexp attack signatures. In the process I developed a test/debug utility named "atre-test" with which to test my code. Then I was made aware, by SSHGuard's developer, of an SSHGuard regression test utility, the functionality of which I integrated into atre-test. Further email exchanges revealed SSHGuard-2.4.2 allowed for a complete parser replacement at run-time. This resulted in atre-test being cloned to "atre-parser", atre-parser being refined, atre-test being rendered redundant and going away, and... Here we are. I do know I'm disinclined to learn the whole GNU Configure thing (autoconf, automake, libtool, etc.). I've never used those tools before. Seems complicated and I'm massively uninterested in spending the time on it. Yes: It's a little rough, as published projects go. But, if you can make what I've done work for you as-is: You're welcome to use it. Otherwise: Unless it gets integrated into SSHGuard, proper, this is probably about as good as it's going to get.
Related Pages at JIMSUN
My Unix Utilities page has some more stuff you might be able to use.
Comments or Questions? Created: 10 Apr, 2022 / Last updated: 12 Apr, 2022