SYSLOG_BANNER token too greedy

Issue #93 resolved
Kevin Zheng created an issue

In this attack:

2018-06-26 13:22:02.108781500 Failed password for woold from 10.10.10.76 port 34718 ssh2

SYSLOG_BANNER eats up "2018-06-26 13:22:02.108781500 Failed " and prevents the rest of the message from being recognized as an attack.

Similar issue in #89, where SYSLOG_BANNER eats up "2018-06-03 13:16:08 SMTP " instead of just the timestamp.

The SYSLOG_BANNER token in the lexer needs to be split up and some parts of the grammar moved to the parser.
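To make the greedy-token problem concrete, here is an added Python model of the two lexer behaviours described in the issue; it is illustrative code written for this page, not sshguard's lexer or parser. The `GREEDY_BANNER` regex is an assumed reconstruction of how a banner rule ends up eating "Failed ": it includes an optional extra word meant for a hostname, which swallows the first word of the message whenever no hostname is present. `NARROW_BANNER` matches the timestamp only, and the optional host/process prefix is handled as a separate step after the banner, which is the split the issue asks for. The first sample line is the one quoted in the issue; `HOSTED_LINE` is constructed.

```python
import re

# Log line quoted in the issue report (not constructed).
SSH_LINE = ("2018-06-26 13:22:02.108781500 Failed password for woold "
            "from 10.10.10.76 port 34718 ssh2")

# Constructed variant with a host and process tag between the timestamp and
# the message, the kind of prefix a greedy banner rule is usually trying to
# absorb.  Not taken from the issue.
HOSTED_LINE = ("2018-06-26 13:22:02 bastion sshd[1234]: Failed password for "
               "woold from 10.10.10.76 port 34718 ssh2")

TIMESTAMP = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?\s+"

# Hypothetical greedy banner token: timestamp plus an *optional* extra word
# meant to cover a hostname.  When no hostname is present the optional group
# swallows the first word of the message instead ("Failed ").
GREEDY_BANNER = re.compile(r"^" + TIMESTAMP + r"(?:\S+\s+)?")

# Narrow banner token: timestamp only.  Anything after it is left for the
# parser to interpret.
NARROW_BANNER = re.compile(r"^" + TIMESTAMP)

# Optional "host process[pid]: " prefix, recognised at the parser level
# rather than folded into the lexer's banner token.
HOST_TAG = re.compile(r"^\S+\s+\S+:\s+")

# The attack message itself; it needs the full "Failed password ..." text.
SSH_FAIL = re.compile(
    r"^Failed password for (\S+) from (\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def split_banner(line, banner):
    """Return (banner_text, remainder) using the given banner regex."""
    m = banner.match(line)
    if m is None:
        return "", line
    return m.group(0), line[m.end():]


def detect_ssh_failure(line, banner=NARROW_BANNER):
    """Return the source address if the line is an ssh auth failure, else None.

    Lexer step: strip the banner.  Parser step: try the message as-is, then
    with an optional host/process prefix removed.
    """
    _, rest = split_banner(line, banner)
    for candidate in (rest, HOST_TAG.sub("", rest, count=1)):
        m = SSH_FAIL.match(candidate)
        if m:
            return m.group(2)
    return None


if __name__ == "__main__":
    for name, banner in (("greedy", GREEDY_BANNER), ("narrow", NARROW_BANNER)):
        eaten, _ = split_banner(SSH_LINE, banner)
        print(f"{name:6} banner ate {eaten!r} -> {detect_ssh_failure(SSH_LINE, banner)}")
    print("hosted line ->", detect_ssh_failure(HOSTED_LINE))
```

With the greedy banner the remainder starts at "password for ...", so the attack pattern never matches and the line is silently dropped; with the timestamp-only banner the same line is recognised, and the host/process prefix is still handled because that decision was moved out of the banner token. The same structure explains the #89 symptom, where a word such as "SMTP" after the timestamp was absorbed into the banner instead of being left for the parser.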

Comments (3)