Fix recognition of kernel log lines for port-scan detection

This forum is only for reproducible bugs with csf and lfd (i.e. not iptables problems, lack of understanding how to use a feature, etc). Posts must be accompanied with full technical details of the problem and how it can be recreated. Any posts not adhering to this, or not considered bugs, will be moved to the General Discussion (csf) forum.
Post Reply
isfs
Junior Member
Posts: 4
Joined: 20 Jan 2016, 03:26

Fix recognition of kernel log lines for port-scan detection

Post by isfs »

Though regexes for port-scan detection at the start of pslinecheck are OK, a couple lower down do not allow for the square brackets which can follow the "kernel:" prefix. I can't remember now whether I was experiencing too many or too few blocks, but something wasn't working for sure! The patch below fixes it. I hope you're able to include this or a similar change in CSF/LFD.

Code: Select all

--- /usr/local/csf/bin/regex.pm~	2015-11-08 21:03:40.000000000 +1100
+++ /usr/local/csf/bin/regex.pm	2015-12-31 10:37:37.591556246 +1100
@@ -470,7 +470,7 @@
         $ip = $1; $proto = $2; $port = $3; $ip =~ s/^::ffff://;
 		if ($config{PS_PORTS} !~ /OPEN/) {
 			my $hit = 0;
-			if ($proto eq "TCP" and $line =~ /kernel: Firewall: \*TCP_IN Blocked\*/) {
+			if ($proto eq "TCP" and $line =~ /kernel:\s(\[[^\]]+\]\s)?Firewall: \*TCP_IN Blocked\*/) {
 				foreach my $ports (split(/\,/,$config{TCP_IN})) {
 					if ($ports =~ /\:/) {
 						my ($start,$end) = split(/\:/,$ports);
@@ -484,7 +484,7 @@
 					return;
 				}
 			}
-			elsif ($proto eq "UDP" and $line =~ /kernel: Firewall: \*UDP_IN Blocked\*/) {
+			elsif ($proto eq "UDP" and $line =~ /kernel:\s(\[[^\]]+\]\s)?Firewall: \*UDP_IN Blocked\*/) {
 				foreach my $ports (split(/\,/,$config{UDP_IN})) {
 					if ($ports =~ /\:/) {
 						my ($start,$end) = split(/\:/,$ports);
ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Re: Fix recognition of kernel log lines for port-scan detection

Post by ForumAdmin »

This has now been included in v8.13 which has just been released:
http://blog.configserver.com/?p=2627
isfs
Junior Member
Posts: 4
Joined: 20 Jan 2016, 03:26

Re: Fix recognition of kernel log lines for port-scan detection

Post by isfs »

Thanks a lot!

Apart from your wonderful work and generosity in releasing CSF/LFD for free, you are to be commended for a hassle-free bug-reporting experience. It means a lot.
Post Reply