authorSteven Hiscocks <steven@hiscocks.me.uk>2013-07-20 15:38:29 +0100
committerSteven Hiscocks <steven@hiscocks.me.uk>2013-07-20 15:38:29 +0100
commitbd175f026737d66e7110868fb50b3760ff75e087 (patch)
tree74701371b1039fe2f8f8cae7753a8e7d342d98fa
parent83a80a29ea51d1cb2dc1ce45a33b1d44a8619c9c (diff)
downloadfail2ban-CVE-2013-7177.tar.gz
ENH: Improve cyrus-imap regex and add sample log fileCVE-2013-7177
-rw-r--r--config/filter.d/cyrus-imap.conf16
-rw-r--r--testcases/files/logs/cyrus-imap10
2 files changed, 22 insertions, 4 deletions
diff --git a/config/filter.d/cyrus-imap.conf b/config/filter.d/cyrus-imap.conf
index 758f75de..ae7bf6bd 100644
--- a/config/filter.d/cyrus-imap.conf
+++ b/config/filter.d/cyrus-imap.conf
@@ -4,8 +4,17 @@
#
#
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
[Definition]
+_daemon = (?:cyrus/)?(?:imapd?|pop3d?)
+
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
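Review bot: The added `_daemon = (?:cyrus/)?(?:imapd?|pop3d?)` accepts only `imap`, `imapd`, `pop3` and `pop3d` as the process name. Now that the failregex is anchored on the syslog prefix, badlogin lines logged under any other Cyrus service name (for example TLS listeners commonly named `imaps` or `pop3s`) would no longer be counted, whereas the old unanchored patterns matched regardless of daemon. If such names are in use, widen it to `_daemon = (?:cyrus/)?(?:imap[ds]?|pop3[ds]?)`, and add a comment above it such as `# Process names accepted in the syslog prefix; used by __prefix_line from common.conf`. The definition of `__prefix_line` is outside this diff, so how strictly it anchors is assumed here rather than checked.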
@@ -13,10 +22,9 @@
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
-failregex = : badlogin: .*\[<HOST>\] plaintext .*SASL\(-13\): authentication failure: checkpass failed$
- : badlogin: .*\[<HOST>\] LOGIN \[SASL\(-13\): authentication failure: checkpass failed\]$
- : badlogin: .*\[<HOST>\] (?:CRAM-MD5|NTLM) \[SASL\(-13\): authentication failure: incorrect (?:digest|NTLM) response\]$
- : badlogin: .*\[<HOST>\] DIGEST-MD5 \[SASL\(-13\): authentication failure: client response doesn't match what we generated\]$
+failregex = ^%(__prefix_line)sbadlogin: \S+ \[<HOST>\] (?:plaintext|LOGIN) .* \[?SASL\(-13\): authentication failure: checkpass failed\]?$
+ ^%(__prefix_line)sbadlogin: \S+ \[<HOST>\] (?:CRAM-MD5|NTLM) \[SASL\(-13\): authentication failure: incorrect (?:digest|NTLM) response\]$
+ ^%(__prefix_line)sbadlogin: \S+ \[<HOST>\] DIGEST-MD5 \[SASL\(-13\): authentication failure: client response doesn't match what we generated\]$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
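Review bot: The merged first pattern on the `failregex =` line requires a space on both sides of `.*` between `LOGIN` and `\[?SASL`. A line in the form the removed LOGIN pattern matched (`LOGIN [SASL(-13): authentication failure: checkpass failed]`, with a single space) therefore no longer matches, and those failures would go uncounted. Making the middle field optional keeps the plaintext form and restores the LOGIN form: `(?:plaintext|LOGIN) (?:.* )?\[?SASL\(-13\): authentication failure: checkpass failed\]?$`. The leading `^%(__prefix_line)sbadlogin: \S+ \[<HOST>\]` should stay as it is, since that anchoring is what prevents text later in the line from supplying the host. The comment block describing failregex starts above this hunk.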
diff --git a/testcases/files/logs/cyrus-imap b/testcases/files/logs/cyrus-imap
new file mode 100644
index 00000000..5886938e
--- /dev/null
+++ b/testcases/files/logs/cyrus-imap
@@ -0,0 +1,10 @@
+# failJSON: { "time": "2005-01-04T21:51:05", "match": true , "host": "127.0.0.1" }
+Jan 4 21:51:05 hostname cyrus/imap[5355]: badlogin: localhost.localdomain [127.0.0.1] plaintext cyrus@localdomain SASL(-13): authentication failure: checkpass failed
+# failJSON: { "time": "2005-02-20T17:23:32", "match": true , "host": "198.51.100.23" }
+Feb 20 17:23:32 domain cyrus/pop3[18635]: badlogin: localhost [198.51.100.23] plaintext administrator SASL(-13): authentication failure: checkpass failed
+# failJSON: { "time": "2005-02-20T17:23:32", "match": true , "host": "1.2.3.4" }
+Feb 20 17:23:32 cyrus/pop3[4297]: badlogin: example.com [1.2.3.4] plaintext mail0001 SASL(-13): authentication failure: checkpass failed
+# failJSON: { "time": "2005-06-08T18:11:13", "match": true , "host": "198.51.100.45" }
+Jun 8 18:11:13 lampserver imap[4480]: badlogin: example.com [198.51.100.45] DIGEST-MD5 [SASL(-13): authentication failure: client response doesn't match what we generated]
+# failJSON: { "time": "2004-12-21T10:01:57", "match": true , "host": "198.51.100.57" }
+Dec 21 10:01:57 hostname imapd[18454]: badlogin: example.com [198.51.100.57] CRAM-MD5 [SASL(-13): authentication failure: incorrect digest response]
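Review bot: The sample file covers only plaintext, DIGEST-MD5 and CRAM-MD5 lines, all with `"match": true`, so the LOGIN and NTLM branches of the new failregex are never exercised. There is also no negative sample to pin the anchoring. Add one LOGIN line and one NTLM line, plus at least one `# failJSON: { "match": false }` entry whose user-supplied field carries a bracketed address after the real `[host]`, so that a later loosening of the prefix or the `\S+ \[<HOST>\]` part fails the test. A line logged under a daemon name outside `_daemon` would also document which process names the filter is meant to accept.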