Enable matching of syslog entries with <facility.level>

PR:		197854

3 files changed, 25 insertions, 21 deletions

diff --git a/security/sshguard/Makefile b/security/sshguard/Makefile
index 146537f0f3d8..178dd885042f 100644
--- a/security/sshguard/Makefile
+++ b/security/sshguard/Makefile
@@ -3,7 +3,7 @@
 
 PORTNAME=	sshguard
 PORTVERSION=	1.5
-PORTREVISION=	10
+PORTREVISION=	11
 CATEGORIES=	security
 MASTER_SITES=	SF/sshguard/sshguard/sshguard-${PORTVERSION}
 
diff --git a/security/sshguard/files/patch-src-parser-attack_scanner.l b/security/sshguard/files/patch-src-parser-attack_scanner.l
index c8ccbfc014b8..3c90ec17ef8f 100644
--- a/security/sshguard/files/patch-src-parser-attack_scanner.l
+++ b/security/sshguard/files/patch-src-parser-attack_scanner.l
@@ -1,20 +1,26 @@
---- src/parser/attack_scanner.l.orig	2011-02-09 12:01:47 UTC
+--- src/parser/attack_scanner.l.orig	2015-03-24 02:08:55 UTC
 +++ src/parser/attack_scanner.l
-@@ -127,7 +127,7 @@ IPV4MAPPED6 ((:(:0{1,4}){0,4}|0{1,4}:(:0
+@@ -78,6 +78,7 @@ MINPS       [0-5][0-9]
+ WORD        [a-zA-Z0-9][-_a-zA-Z0-9]+
+ NUMBER      [1-9][0-9]*
+ HOSTADDR    localhost|([-a-zA-Z0-9]+\.)+[a-zA-Z]+
++FACLEVEL    (<[a-zA-Z0-9]+\.[a-zA-Z0-9]+>)
  
+ TIMESTAMP_SYSLOG    {MONTH}\ +{DAYNO}\ +{HOUR}:{MINPS}:{MINPS}
+ TIMESTAMP_TAI64     [0-9A-Fa-f]{24}
+@@ -107,13 +108,13 @@ IPV4MAPPED6 ((:(:0{1,4}){0,4}|0{1,4}:(:0
+   */
  
-  /* SSH: invalid or rejected user (cross platform [generated by openssh]) */
--"Invalid user ".+" from "                         { return SSH_INVALUSERPREF; }
-+[Ii]"nvalid user ".+" from "                         { return SSH_INVALUSERPREF; }
-  /* match disallowed user (not in AllowUsers/AllowGroups or in DenyUsers/DenyGroups) on Linux Ubuntu/FreeBSD */
-  /* "User tinydns from 1.2.3.4 not allowed because not listed in AllowUsers" */
- "User ".+" from "                                               { BEGIN(ssh_notallowed); return SSH_NOTALLOWEDPREF; }
-@@ -175,7 +175,7 @@ IPV4MAPPED6 ((:(:0{1,4}){0,4}|0{1,4}:(:0
+  /* handle entries with PID and without PID from processes other than sshguard */
+-{TIMESTAMP_SYSLOG}[ ]+([a-zA-Z0-9]|{WORD}|{HOSTADDR})[ ]+{PROCESSNAME}"["{NUMBER}"]: "{SOLARIS_MSGID_TAG}? {
++{TIMESTAMP_SYSLOG}[ ]+{FACLEVEL}?[ ]*([a-zA-Z0-9]|{WORD}|{HOSTADDR})[ ]+{PROCESSNAME}"["{NUMBER}"]: "{SOLARIS_MSGID_TAG}? {
+         /* extract PID */
+         yylval.num = getsyslogpid(yytext, yyleng);
+         return SYSLOG_BANNER_PID;
+         }
  
-  /* cyrus-imap login error */
- "badlogin: "[^\[]*"["                                           { BEGIN(cyrusimap_loginerr); return CYRUSIMAP_SASL_LOGINERR_PREF; }
--<cyrusimap_loginerr>"] ".*"SASL".*"checkpass failed"            { BEGIN(INITIAL); return CYRUSIMAP_SASL_LOGINERR_SUFF; }
-+<cyrusimap_loginerr>"] ".*"SASL".*"failed".?$                   { BEGIN(INITIAL); return CYRUSIMAP_SASL_LOGINERR_SUFF; }
+-{TIMESTAMP_SYSLOG}[ ]+([a-zA-Z0-9]|{WORD}|{HOSTADDR})[ ]+({PROCESSNAME}":")?   { return SYSLOG_BANNER; }
++{TIMESTAMP_SYSLOG}[ ]+{FACLEVEL}?[ ]*([a-zA-Z0-9]|{WORD}|{HOSTADDR})[ ]+({PROCESSNAME}":")?   { return SYSLOG_BANNER; }
  
-  /* FreeBSD's ftpd login errors */
- "FTP LOGIN FAILED FROM "                                        { BEGIN(freebsdftpd_loginerr); return FREEBSDFTPD_LOGINERR_PREF; }
+  /* syslog style  "last message repeated N times" */
+ "last message repeated "([1-9][0-9]*)" times"                   {
diff --git a/security/sshguard/files/patch-src-sshguard.c b/security/sshguard/files/patch-src-sshguard.c
index 27249cfe0933..641986c90dae 100644
--- a/security/sshguard/files/patch-src-sshguard.c
+++ b/security/sshguard/files/patch-src-sshguard.c
@@ -1,6 +1,6 @@
---- src/sshguard.c.orig	2010-08-09 08:44:15.000000000 +0200
-+++ src/sshguard.c	2011-03-28 11:42:42.000000000 +0200
-@@ -566,9 +566,13 @@
+--- src/sshguard.c.orig	2011-02-09 12:01:47 UTC
++++ src/sshguard.c
+@@ -567,9 +567,13 @@ static void process_blacklisted_addresse
          /* terminate array list */
          addresses[i] = NULL;
          /* do block addresses of this kind */
@@ -17,5 +17,3 @@
      }
      /* free temporary arrays */
      free(addresses);
-
-