wrong parsing of Java Stacktraces in Docker Container

Create issue
Issue #142 open
Robert Willert created an issue

Testfile

May  7 10:38:54 testserver testserver-services-test[40000]: org.simplejavamail.mailer.internal.MailerException: Third party error
*
M

Command for single test

src/parser/sshg-parser -dt < src/parser/test.txt

Output

--accepting rule at line 133 ("May  7 10:38:54 testserver testserver-services-test[40000]: ")
--accepting rule at line 324 ("org.simplejavamail.mailer.internal.MailerException")
yydebug: state 0, reading 262 (SYSLOG_BANNER_PID)
yydebug: state 0, shifting to state 4
yydebug: state 4, reducing by rule 9 (syslogent : SYSLOG_BANNER_PID)
yydebug: after reduction, shifting from state 0 to state 49
yydebug: state 49, reducing by rule 3 (log_prefix : syslogent)
yydebug: after reduction, shifting from state 0 to state 47
yydebug: state 47, reading 259 (HOSTADDR)
yydebug: state 47, shifting to state 3
yydebug: state 3, reducing by rule 44 (addr : HOSTADDR)
ok 1
# May  7 10:38:54 testserver testserver-services-test[40000]: org.simplejavamail.mailer.internal.MailerException: Third party error
1..1
Could not resolve 'org.simplejavamail.mailer.internal.MailerException' to address

Java Stacktraces will spam “could not resolve” in sshguard logs.

May  7 11:31:19 testserver sshguard[44667]: Could not resolve 'org.springframework.dao.InvalidDataAccessResourceUsageException' to address
May  7 11:31:19 testserver sshguard[44667]: Could not resolve 'org.hibernate.exception.SQLGrammarException' to address
May  7 11:31:36 testserver sshguard[44667]: Could not resolve 'org.h2.jdbc.JdbcSQLSyntaxErrorException' to address
May  7 11:36:20 testserver sshguard[44667]: Could not resolve 'org.springframework.dao.InvalidDataAccessResourceUsageException' to address
May  7 11:36:20 testserver sshguard[44667]: Could not resolve 'org.hibernate.exception.SQLGrammarException' to address
May  7 11:36:20 testserver sshguard[44667]: Could not resolve 'org.h2.jdbc.JdbcSQLSyntaxErrorException' to address

Comments (1)

  1. Kevin Zheng
    • changed status to open

    Here, SSHGuard's parser is trying to resolve org.simplejavamail.mailer.internal.MailerException via DNS to determine whether or not to accept it as a valid HOSTADDR. Since the resolution fails, SSHGuard correctly rejects this token as a candidate for HOSTADDR.

    What might be surprising to some people is that SSHGuard is resolving hostnames at all in the parser. This would be broken anyway if sshg-parser is run from inside a sandbox. I'm thinking about removing hostname resolution from the parser altogether.

  2. Log in to comment