Fix recognition of kernel log lines for port-scan detection
Posted: 20 Jan 2016, 05:43
Though regexes for port-scan detection at the start of pslinecheck are OK, a couple lower down do not allow for the square brackets which can follow the "kernel:" prefix. I can't remember now whether I was experiencing too many or too few blocks, but something wasn't working for sure! The patch below fixes it. I hope you're able to include this or a similar change in CSF/LFD.
--- /usr/local/csf/bin/regex.pm~ 2015-11-08 21:03:40.000000000 +1100
+++ /usr/local/csf/bin/regex.pm 2015-12-31 10:37:37.591556246 +1100
@@ -470,7 +470,7 @@
$ip = $1; $proto = $2; $port = $3; $ip =~ s/^::ffff://;
if ($config{PS_PORTS} !~ /OPEN/) {
my $hit = 0;
- if ($proto eq "TCP" and $line =~ /kernel: Firewall: \*TCP_IN Blocked\*/) {
+ if ($proto eq "TCP" and $line =~ /kernel:\s(\[[^\]]+\]\s)?Firewall: \*TCP_IN Blocked\*/) {
foreach my $ports (split(/\,/,$config{TCP_IN})) {
if ($ports =~ /\:/) {
my ($start,$end) = split(/\:/,$ports);
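Review bot: the optional bracket group in the `+` line is a capturing group, so a successful match on this line overwrites `$1` with the bracketed text (or leaves it undefined); `$ip`, `$proto` and `$port` were already copied out of `$1..$3` in the first context line, so nothing here breaks, but anyone adding code after this match that still expects the earlier captures would be surprised. A non-capturing group, `/kernel:\s(?:\[[^\]]+\]\s)?Firewall: \*TCP_IN Blocked\*/`, expresses the intent (skip the bracketed prefix, capture nothing) and costs nothing. Also note that `\s` in place of the former literal space now admits a tab between `kernel:` and the prefix, which is harmless but is a small widening beyond the stated fix.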
@@ -484,7 +484,7 @@
return;
}
}
- elsif ($proto eq "UDP" and $line =~ /kernel: Firewall: \*UDP_IN Blocked\*/) {
+ elsif ($proto eq "UDP" and $line =~ /kernel:\s(\[[^\]]+\]\s)?Firewall: \*UDP_IN Blocked\*/) {
foreach my $ports (split(/\,/,$config{UDP_IN})) {
if ($ports =~ /\:/) {
my ($start,$end) = split(/\:/,$ports);
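Review bot: this hunk repeats the same `kernel:\s(\[[^\]]+\]\s)?Firewall: ` prefix verbatim for the UDP branch, so the two regexes can drift apart on the next edit. The post says the earlier port-scan regexes at the top of pslinecheck already accept the bracketed form; compiling that prefix once, e.g. `my $kprefix = qr/kernel:\s(?:\[[^\]]+\]\s)?Firewall: /;`, and using `$line =~ /${kprefix}\*UDP_IN Blocked\*/` here (and the TCP form in the previous hunk) keeps all three places matching the same log shape, and the same non-capturing-group remark as for the TCP hunk applies.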