Patch for bug 258866. Taken via svn diff from upstream SVN. Removed Changelog and cyrus filter changes as they didn't apply. --a3li Index: testcases/filtertestcase.py =================================================================== --- testcases/filtertestcase.py (revision 727) +++ testcases/filtertestcase.py (revision 728) @@ -99,7 +99,7 @@ output = ('193.168.0.128', 3, 1124013599.0) self.__filter.addLogPath(GetFailures.FILENAME_01) - self.__filter.addFailRegex("(?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) (?:::f{4,6}:)?(?P\S*)") + self.__filter.addFailRegex("(?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) ") self.__filter.getFailures(GetFailures.FILENAME_01) @@ -116,7 +116,7 @@ output = ('141.3.81.106', 4, 1124013539.0) self.__filter.addLogPath(GetFailures.FILENAME_02) - self.__filter.addFailRegex("Failed .* (?:::f{4,6}:)(?P\S*)") + self.__filter.addFailRegex("Failed .* from ") self.__filter.getFailures(GetFailures.FILENAME_02) @@ -133,7 +133,7 @@ output = ('203.162.223.135', 6, 1124013544.0) self.__filter.addLogPath(GetFailures.FILENAME_03) - self.__filter.addFailRegex("error,relay=(?:::f{4,6}:)?(?P\S*),.*550 User unknown") + self.__filter.addFailRegex("error,relay=,.*550 User unknown") self.__filter.getFailures(GetFailures.FILENAME_03) @@ -151,7 +151,7 @@ ('212.41.96.185', 4, 1124013598.0)] self.__filter.addLogPath(GetFailures.FILENAME_04) - self.__filter.addFailRegex("Invalid user .* (?P\S*)") + self.__filter.addFailRegex("Invalid user .* ") self.__filter.getFailures(GetFailures.FILENAME_04) Index: config/filter.d/postfix.conf =================================================================== --- config/filter.d/postfix.conf (revision 727) +++ config/filter.d/postfix.conf (revision 728) 
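Review bot: None of the four `addFailRegex` hunks in testcases/filtertestcase.py (at old lines 99, 116, 133 and 151) adds a case for the behaviour this patch changes; as far as the hunks show, they only re-run the existing sample logs with shorter patterns. A regression test that feeds a log line whose host token contains characters outside `[\w\-.^_]` and asserts that no failure is recorded would pin the narrowed host pattern introduced in server/failregex.py. The patterns are also non-raw strings containing `\w`, so a raw prefix (`r"..."`) would protect them from Python's own escape processing. The test methods begin and end outside these hunks.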
@@ -11,7 +11,7 @@ # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "" can # be used for standard IP/hostname matching and is only an alias for -# (?:::f{4,6}:)?(?P\S+) +# (?:::f{4,6}:)?(?P[\w\-.^_]+) # Values: TEXT # failregex = reject: RCPT from (.*)\[\]: 554 Index: config/filter.d/sshd.conf =================================================================== --- config/filter.d/sshd.conf (revision 727) +++ config/filter.d/sshd.conf (revision 728) @@ -20,7 +20,7 @@ # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "" can # be used for standard IP/hostname matching and is only an alias for -# (?:::f{4,6}:)?(?P\S+) +# (?:::f{4,6}:)?(?P[\w\-.^_]+) # Values: TEXT # failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from \s*$ Index: config/filter.d/courierlogin.conf =================================================================== --- config/filter.d/courierlogin.conf (revision 727) +++ config/filter.d/courierlogin.conf (revision 728) @@ -12,7 +12,7 @@ # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "" can # be used for standard IP/hostname matching and is only an alias for -# (?:::f{4,6}:)?(?P\S+) +# (?:::f{4,6}:)?(?P[\w\-.^_]+) # Values: TEXT # failregex = LOGIN FAILED, .*, ip=\[\]$ Index: config/filter.d/sasl.conf =================================================================== --- config/filter.d/sasl.conf (revision 727) +++ config/filter.d/sasl.conf (revision 728) 
@@ -11,7 +11,7 @@ # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "" can # be used for standard IP/hostname matching and is only an alias for -# (?:::f{4,6}:)?(?P\S+) +# (?:::f{4,6}:)?(?P[\w\-.^_]+) # Values: TEXT # failregex = (?i): warning: [-._\w]+\[\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$ Index: config/filter.d/exim.conf =================================================================== --- config/filter.d/exim.conf (revision 727) +++ config/filter.d/exim.conf (revision 728) @@ -11,7 +11,7 @@ # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "" can # be used for standard IP/hostname matching and is only an alias for -# (?:::f{4,6}:)?(?P\S+) +# (?:::f{4,6}:)?(?P[\w\-.^_]+) # Values: TEXT # failregex = \[\] .*(?:rejected by local_scan|Unrouteable address) Index: config/filter.d/qmail.conf =================================================================== --- config/filter.d/qmail.conf (revision 727) +++ config/filter.d/qmail.conf (revision 728) @@ -11,7 +11,7 @@ # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "" can # be used for standard IP/hostname matching and is only an alias for -# (?:::f{4,6}:)?(?P\S+) +# (?:::f{4,6}:)?(?P[\w\-.^_]+) # Values: TEXT # failregex = (?:[\d,.]+[\d,.] rblsmtpd: |421 badiprbl: ip ) Index: config/filter.d/xinetd-fail.conf =================================================================== --- config/filter.d/xinetd-fail.conf (revision 727) +++ config/filter.d/xinetd-fail.conf (revision 728) 
@@ -11,7 +11,7 @@ # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "" can # be used for standard IP/hostname matching and is only an alias for -# (?:::f{4,6}:)?(?P\S+) +# (?:::f{4,6}:)?(?P[\w\-.^_]+) # Values: TEXT # # Cfr.: /var/log/(daemon\.|sys)log Index: config/filter.d/vsftpd.conf =================================================================== --- config/filter.d/vsftpd.conf (revision 727) +++ config/filter.d/vsftpd.conf (revision 728) @@ -11,7 +11,7 @@ # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "" can # be used for standard IP/hostname matching and is only an alias for -# (?:::f{4,6}:)?(?P\S+) +# (?:::f{4,6}:)?(?P[\w\-.^_]+) # Values: TEXT # failregex = vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; .* rhost=(?:\s+user=\S*)?\s*$ Index: config/filter.d/pure-ftpd.conf =================================================================== --- config/filter.d/pure-ftpd.conf (revision 727) +++ config/filter.d/pure-ftpd.conf (revision 728) @@ -16,7 +16,7 @@ # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "" can # be used for standard IP/hostname matching and is only an alias for -# (?:::f{4,6}:)?(?P\S+) +# (?:::f{4,6}:)?(?P[\w\-.^_]+) # Values: TEXT # failregex = pure-ftpd(?:\[\d+\])?: (.+?@) \[WARNING\] %(__errmsg)s \[.+\]$ Index: config/filter.d/couriersmtp.conf =================================================================== --- config/filter.d/couriersmtp.conf (revision 727) +++ config/filter.d/couriersmtp.conf (revision 728) 
@@ -11,7 +11,7 @@ # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "" can # be used for standard IP/hostname matching and is only an alias for -# (?:::f{4,6}:)?(?P\S+) +# (?:::f{4,6}:)?(?P[\w\-.^_]+) # Values: TEXT # failregex = error,relay=,.*550 User unknown Index: config/filter.d/proftpd.conf =================================================================== --- config/filter.d/proftpd.conf (revision 727) +++ config/filter.d/proftpd.conf (revision 728) @@ -11,7 +11,7 @@ # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "" can # be used for standard IP/hostname matching and is only an alias for -# (?:::f{4,6}:)?(?P\S+) +# (?:::f{4,6}:)?(?P[\w\-.^_]+) # Values: TEXT # failregex = \(\S+\[\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$ Index: config/filter.d/apache-noscript.conf =================================================================== --- config/filter.d/apache-noscript.conf (revision 727) +++ config/filter.d/apache-noscript.conf (revision 728) @@ -11,7 +11,7 @@ # Notes.: regex to match the password failure messages in the logfile. The # host must be matched by a group named "host". The tag "" can # be used for standard IP/hostname matching and is only an alias for -# (?:::f{4,6}:)?(?P\S+) +# (?:::f{4,6}:)?(?P[\w\-.^_]+) # Values: TEXT # failregex = [[]client []] (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl) Index: config/filter.d/apache-auth.conf =================================================================== --- config/filter.d/apache-auth.conf (revision 727) +++ config/filter.d/apache-auth.conf (revision 728) 
@@ -11,7 +11,7 @@ # Notes.: regex to match the password failure messages in the logfile. The # host must be matched by a group named "host". The tag "" can # be used for standard IP/hostname matching and is only an alias for -# (?:::f{4,6}:)?(?P\S+) +# (?:::f{4,6}:)?(?P[\w\-.^_]+) # Values: TEXT # failregex = [[]client []] user .* authentication failure Index: config/filter.d/webmin-auth.conf =================================================================== --- config/filter.d/webmin-auth.conf (revision 727) +++ config/filter.d/webmin-auth.conf (revision 728) @@ -15,7 +15,7 @@ # Notes.: regex to match the password failure messages in the logfile. The # host must be matched by a group named "host". The tag "" can # be used for standard IP/hostname matching and is only an alias for -# (?:::f{4,6}:)?(?P\S+) +# (?:::f{4,6}:)?(?P[\w\-.^_]+) # Values: TEXT # failregex = webmin.* Non-existent login as .+ from $ Index: config/filter.d/common.conf =================================================================== --- config/filter.d/common.conf (revision 727) +++ config/filter.d/common.conf (revision 728) @@ -3,7 +3,7 @@ # # Author: Yaroslav Halchenko # -# $Revision: 1.1 $ +# $Revision: 1.1 $ # [INCLUDES] Index: config/filter.d/sshd-ddos.conf =================================================================== --- config/filter.d/sshd-ddos.conf (revision 727) +++ config/filter.d/sshd-ddos.conf (revision 728) @@ -11,7 +11,7 @@ # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "" can # be used for standard IP/hostname matching and is only an alias for -# (?:::f{4,6}:)?(?P\S+) +# (?:::f{4,6}:)?(?P[\w\-.^_]+) # Values: TEXT # failregex = sshd(?:\[\d+\])?: Did not receive identification string from $ Index: server/failregex.py =================================================================== --- server/failregex.py (revision 727) +++ server/failregex.py (revision 728) 
@@ -44,7 +44,7 @@ self._matchCache = None # Perform shortcuts expansions. # Replace "" with default regular expression for host. - regex = regex.replace("", "(?:::f{4,6}:)?(?P\S+)") + regex = regex.replace("", "(?:::f{4,6}:)?(?P[\w\-.^_]+)") if regex.lstrip() == '': raise RegexException("Cannot add empty regex") try: Index: server/filter.py =================================================================== --- server/filter.py (revision 727) +++ server/filter.py (revision 728) @@ -492,7 +492,7 @@ class DNSUtils: - IP_CRE = re.compile("(?:\d{1,3}\.){3}\d{1,3}") + IP_CRE = re.compile("^(?:\d{1,3}\.){3}\d{1,3}$") #@staticmethod def dnsToIp(dns):
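Review bot: The replacement class `[\w\-.^_]+` on the new `regex.replace` line still admits `^`, which is not a hostname or IPv4 character, and lists `_` although `\w` already covers it; if neither is needed, `[\w\-.]+` states the intent more tightly. The class also excludes `:`, so a plain IPv6 address that the old `\S+` accepted no longer matches the host group; if that is deliberate it deserves a comment next to the replacement. Narrowing the class limits what one token may contain, but it does not stop an unanchored failregex from taking the host from an earlier, client-influenced field of the log line, so the shipped filters should keep end anchors such as the `$` visible in sshd-ddos.conf. The enclosing method starts and ends outside the hunk.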
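Review bot: In the new `IP_CRE` in server/filter.py, `$` also matches just before a trailing newline, so a dotted quad followed by `\n` still passes; `\Z` closes that gap: `IP_CRE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}\Z")`. The pattern also accepts octets above 255, so a range check is still needed wherever a match is treated as a usable address. How `IP_CRE` is applied (match versus search) is outside this hunk, so the effect of `^` cannot be confirmed from here. A one-line comment such as `# anchored: the whole string must be a dotted quad, not merely contain one` would record what appears to be the reason for the change.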