- changed status to open
SYSLOG_BANNER token too greedy
Issue #93
resolved
In this attack:
2018-06-26 13:22:02.108781500 Failed password for woold from 10.10.10.76 port 34718 ssh2
SYSLOG_BANNER eats up "2018-06-26 13:22:02.108781500 Failed " and prevents the rest of the message from being recognized as an attack.
Similar issue in #89, where SYSLOG_BANNER eats up "2018-06-03 13:16:08 SMTP " instead of just the timestamp.
The SYSLOG_BANNER token in the lexer needs to be split up and some parts of the grammar moved to the parser.
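A simplified model of the behaviour reported above, added here as an example and not taken from the project's lexer or from the fix commit. The regular expressions and the helper names `strip_banner` and `detect` are assumptions, chosen so that the greedy pattern consumes exactly the prefixes quoted in this issue.

```python
import re

# Constructed patterns: simplified stand-ins, not the project's actual flex rules.
TIMESTAMP = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?"
# Greedy banner (assumed shape): timestamp plus one more word, meant to be a
# hostname or tag, but it also swallows the first word of a bare message.
GREEDY_BANNER = re.compile(TIMESTAMP + r" \S+ ")
# Narrow banner: the timestamp only. Optional hostname/tag handling would then
# belong to later grammar rules, which this sketch does not model.
NARROW_BANNER = re.compile(TIMESTAMP + r" ")

# Attack rule applied to whatever the banner token leaves behind.
SSH_FAILED = re.compile(
    r"Failed password for (?P<user>\S+) from (?P<addr>\S+) port \d+ ssh2$"
)


def strip_banner(banner, line):
    """Return (consumed, rest) after matching the banner at the line start."""
    m = banner.match(line)
    if m is None:
        return "", line
    return m.group(0), line[m.end():]


def detect(banner, line):
    """Return the attacker address, or None if the message is not recognized."""
    _, rest = strip_banner(banner, line)
    m = SSH_FAILED.match(rest)
    return m.group("addr") if m else None


# Log line quoted in the issue.
LINE = ("2018-06-26 13:22:02.108781500 Failed password for woold "
        "from 10.10.10.76 port 34718 ssh2")

if __name__ == "__main__":
    for name, banner in (("greedy", GREEDY_BANNER), ("narrow", NARROW_BANNER)):
        consumed, _ = strip_banner(banner, LINE)
        print(f"{name}: consumed {consumed!r} -> {detect(banner, LINE)}")
```

A regression test for this class of bug should feed the detector log lines both with and without a hostname field and assert that the offending address is still extracted.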
Comments (3)
-
reporter -
reporter - changed status to resolved
Fixed in ff3b762.
-
reporter - removed version
Removing version: 2.1 (automated comment)