wrong parsing of Java Stacktraces in Docker Container

Issue #142 open
Robert Willert created an issue

Testfile

May  7 10:38:54 testserver testserver-services-test[40000]: org.simplejavamail.mailer.internal.MailerException: Third party error
*
M

Command for single test

src/parser/sshg-parser -dt < src/parser/test.txt

Output

--accepting rule at line 133 ("May  7 10:38:54 testserver testserver-services-test[40000]: ")
--accepting rule at line 324 ("org.simplejavamail.mailer.internal.MailerException")
yydebug: state 0, reading 262 (SYSLOG_BANNER_PID)
yydebug: state 0, shifting to state 4
yydebug: state 4, reducing by rule 9 (syslogent : SYSLOG_BANNER_PID)
yydebug: after reduction, shifting from state 0 to state 49
yydebug: state 49, reducing by rule 3 (log_prefix : syslogent)
yydebug: after reduction, shifting from state 0 to state 47
yydebug: state 47, reading 259 (HOSTADDR)
yydebug: state 47, shifting to state 3
yydebug: state 3, reducing by rule 44 (addr : HOSTADDR)
ok 1
# May  7 10:38:54 testserver testserver-services-test[40000]: org.simplejavamail.mailer.internal.MailerException: Third party error
1..1
Could not resolve 'org.simplejavamail.mailer.internal.MailerException' to address

Java Stacktraces will spam “could not resolve” in sshguard logs.

May  7 11:31:19 testserver sshguard[44667]: Could not resolve 'org.springframework.dao.InvalidDataAccessResourceUsageException' to address
May  7 11:31:19 testserver sshguard[44667]: Could not resolve 'org.hibernate.exception.SQLGrammarException' to address
May  7 11:31:36 testserver sshguard[44667]: Could not resolve 'org.h2.jdbc.JdbcSQLSyntaxErrorException' to address
May  7 11:36:20 testserver sshguard[44667]: Could not resolve 'org.springframework.dao.InvalidDataAccessResourceUsageException' to address
May  7 11:36:20 testserver sshguard[44667]: Could not resolve 'org.hibernate.exception.SQLGrammarException' to address
May  7 11:36:20 testserver sshguard[44667]: Could not resolve 'org.h2.jdbc.JdbcSQLSyntaxErrorException' to address

Comments (1)

  1. Kevin Zheng
    • changed status to open

    Here, SSHGuard's parser is trying to resolve org.simplejavamail.mailer.internal.MailerException via DNS to determine whether or not to accept it as a valid HOSTADDR. Since the resolution fails, SSHGuard correctly rejects this token as a candidate for HOSTADDR.

    What might be surprising to some people is that SSHGuard is resolving hostnames at all in the parser. This would be broken anyway if sshg-parser is run from inside a sandbox. I'm thinking about removing hostname resolution from the parser altogether.
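A sketch of the direction the comment above considers: classifying a candidate address token by parsing it as a numeric literal only, so a Java class name is rejected without any DNS query. This is an added example, not SSHGuard's code; `classify_addr_token` is a hypothetical name and the sample tokens are constructed from the log lines in this issue.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>

/* Hypothetical helper (not an SSHGuard function).
 * Returns 4 for an IPv4 literal, 6 for an IPv6 literal, 0 for anything else.
 * inet_pton() only parses the text; it never contacts a resolver, so the
 * result does not depend on network access or on a sandbox allowing DNS. */
int classify_addr_token(const char *tok)
{
    struct in_addr v4;
    struct in6_addr v6;

    if (tok == NULL || *tok == '\0')
        return 0;
    if (inet_pton(AF_INET, tok, &v4) == 1)
        return 4;
    if (inet_pton(AF_INET6, tok, &v6) == 1)
        return 6;
    return 0; /* hostnames, class names and other words are not addresses */
}

int main(void)
{
    /* Constructed sample tokens: two documentation-range addresses plus
     * strings of the kind that appear in the log lines quoted in the issue. */
    const char *samples[] = {
        "192.0.2.10",
        "2001:db8::1",
        "testserver",
        "org.simplejavamail.mailer.internal.MailerException",
        "org.h2.jdbc.JdbcSQLSyntaxErrorException",
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int kind = classify_addr_token(samples[i]);
        if (kind)
            printf("%-52s IPv%d literal\n", samples[i], kind);
        else
            printf("%-52s not an address (no lookup made)\n", samples[i]);
    }
    return 0;
}
```

With a numeric-only check like this, a log line that names the remote peer by hostname instead of by IP address yields no address token at all.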
