On Mon, Oct 03, 2005 at 10:20:23PM -0700, Joshua Rodman wrote:
> What was done before was the line was scanned for anything which
> resembles an IP address. What I am suggesting is a regex which
> specifies where in the line the IP address should be.

How would you specify "where"? If you are thinking about something like
    from <IP regex>
or a fixed position, that will not work, because an intruder can provide a login name with "from <IP regex>" and the log line is
Oct 4 09:41:14 sonyboy sshd[18226]: Invalid user from 10.0.0.1 from 127.0.0.1
Oct 4 09:41:14 sonyboy sshd[18226]: Failed none for invalid user from 10.0.0.1
from 127.0.0.1 port 52417 ssh2
So, as I said, I don't see a generic way around that besides using fully
specified regexes. Maybe upstream will have something nice in mind.
To tell the truth, Python regexes are not that difficult. Maybe I should
provide a "crash-course" on them in 5-10 lines in the config file
describing the constructs I use. Something like
Symbols:
  [...]          -- set of symbols
  \S             -- non-space symbol
  .              -- any symbol
Enumerators:
  ?              -- 0 or 1 occurrence of the pattern
  *              -- 0 or more occurrences of the previous regex
  {n,m}          -- from n to m occurrences of the pattern
Grouping:
  |              -- logical OR -- matching any of the mentioned patterns within a
                    group
  (?:...)        -- group which doesn't enter the set of numbered/named groups
  (?P<name1>...) -- group named "name1". Currently all named groups are
                    considered as placeholders of IP addresses
Would it make it easier to grasp failregexes now?
--
.-.
=------------------------------ /v\ ----------------------------=
Keep in touch // \\ (yoh@|www.)onerussian.com
Yaroslav Halchenko /( )\ ICQ#: 60653192
Linux User ^^-^^ [175555]

