fixing newer ubuntu logs
jullrich committed Aug 5, 2024
1 parent cc22a79 commit e5a3f00
Showing 2 changed files with 8 additions and 1 deletion.
1 change: 1 addition & 0 deletions srv/dshield/DShield.py
Expand Up @@ -35,6 +35,7 @@ class DshieldSubmit:
types = ['email', 'firewall', 'sshlogin', 'telnetlogin', '404report', 'httprequest', 'webhoneypot']
logtypesregex={'generic': '^([A-Z][a-z]{2})\s+([0-9]+)\s([0-9:]+).*(IN=.*)',
'pi': '(^\d+) \S+ kernel:\[[0-9\. ]+\]\s+DSHIELDINPUT IN=\S+ .* (SRC=.*)',
'iptables': '(^\d+) \S+ kernel:\s+DSHIELDINPUT IN=\S+ .* (SRC=.*)',
'aws': '(^\d+) \S+ kernel: DSHIELDINPUT IN=\S+ .* (SRC=.*)'}
authheader = ''

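Review bot: The 'iptables' entry (which appears to be the added line), like the three entries around it, is a plain string literal containing `\d`, `\S` and `\s`; these are invalid escape sequences outside a raw string and Python 3.12 reports them as SyntaxWarning, so the new line should read `'iptables': r'(^\d+) \S+ kernel:\s+DSHIELDINPUT IN=\S+ .* (SRC=.*)',` and the sibling entries should get the same `r` prefix. Note also that `kernel:\s+` accepts a single space, so this pattern matches every line the 'aws' pattern matches; whether 'aws' is still needed depends on how the caller selects the format, which is not visible here. The DshieldSubmit class continues outside the hunk.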
8 changes: 7 additions & 1 deletion srv/dshield/fwlogparser.py
Expand Up @@ -22,12 +22,18 @@ def parse(logline,logformat,linere):
logline=logline.strip("\000")
m = linere.match(logline)
if m:
# pi covers older (pre 24.04) iptables logs
if logformat == 'pi':
logdata['time'] = int(m.group(1))
fwdata=m.group(2)
# AWS is essentially IPtables but only one space after kernel:
elif logformat == 'aws':
logdata['time'] = int(m.group(1))
fwdata=m.group(2)
fwdata=m.group(2)
# iptables is for newer (Ubuntu 24.04) systems
elif logformat == 'iptables':
logdata['time'] = int(m.group(1))
fwdata=m.group(2)
elif logformat == 'generic':
month = strptime(m.group(1), '%b').tm_mon
if month == 12 and now.month == 1:
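Review bot: The 'pi', 'aws' and 'iptables' branches in the new code all execute the same two statements (`logdata['time'] = int(m.group(1))` and `fwdata=m.group(2)`), so the three branches can collapse into one `if logformat in ('pi', 'aws', 'iptables'):` with the three format comments merged above it; the per-format distinction then lives only in the regex table where it already is. The rendered view shows `fwdata=m.group(2)` twice inside the 'aws' branch; that is probably the old and new side of a whitespace-only change, but if both lines survive on the new side the second is a harmless duplicate worth dropping. parse() starts and ends outside the hunk.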
