Athena - Attack RegEx Parser for SSHGuard

Attack RegEx Parser

Don't Panic! You're probably in the right place. On March 6, 2026, Jimsun was renamed to Athena.

Attack RegEx Parser (name subject to change) was designed to either supplement or replace the attack signature parser in SSHGuard.

The Attack RegEx Parser consists of a set of function calls that can be intgrated directly into SSHGuard and a stand-alone parser to replace SSHGuard's native parser (SSHGuard v2.4.2 and above).

It has been tested extensively, direcly integrated into running instances of sshguard-1.7.0, on three Internet-facing Linux servers of my own. It has been tested extensively as a stand-alone parser, but not yet tested as a replacement for sshguard-2.4.2's native parser.

Advantages Of Attack RegEx Parser

Easy to add new attack signtures on-the-fly
- Including without stopping the running program
Dangerousness levels can be set on a per-signature basis
Supports POSIX and Perl-Compatible Regular Expression (PCRE) syntax (compile-time options)
Can be integrated into an existing SSHGuard build as a secondary test
- Requires a minimum of only two functions: An init function and the line-parser function
Or run as a replacement parser in SSHGuard v2.4.2 or later

Disadvantages Of Attack RegEx Parser

Slower than SSHGuard's native parser by a factor of two (native PCRE) to five (POSIX regexps) times
Limited number of attack signatures (37) currently developed
Limited platform support (Linux-only, at this time)
Have to build and integrate it yourself

Important: Each package you find at Athena has been signed with a PGP signature. You are urged to validate any package you download by checking it against its signature. You will need Jim's PGP Public Key

Copyright, License, and Disclaimer

All of the programs, applications, utilities, and documentation
(hereinafter referred to as "programs") on this page are
Copyright (C) 2022-2026 James S. Seymour, except as otherwise
noted.

 Permission to use, copy, modify, and/or distribute this software for any
 purpose with or without fee is hereby granted, provided that the above
 copyright notice and this permission notice appear in all copies.
 
 THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
 SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

 An on-line copy of ISC Open Source Software Licenses can be found here:
here.

Versions

Production versions have been tested more thoroughly, at more sites. Beta versions are the result of enhancement requests and bug reports. While also believed to produce correct results (maybe even more accurate or better results--depending on the reason for the change), they're labeled beta until I get enough feedback to let me know all's well. (Or I fail to get any negative feed-back in the form of bug-reports.)>

Source & Docs: Production Version

Production versions have been tested more thoroughly, at more sites.

No Production version yet available

Source & Docs: Beta-Test Version

Beta versions are the result of enhancement requests and bug reports. While also believed to produce correct results (maybe even more accurate or better results--depending on the reason for the change), they're labeled beta until I get enough feedback to let me know all's well. (Or I fail to get any negative feed-back in the form of bug-reports.)
Beta versions are thoroughly regression-tested. Deviations, if any, are noted in the ChangeLog--as are the the reasons for them.

attack_parser_re-0.1.0.tar.gz [http download] [ftp download]
attack_parser_re-0.1.0.tar.gz.asc [http download] [ftp download] (PGP signature)
attack_parser_re-0.1.0.tar.gz.md5 [http download] [ftp download] (MD5 signature)
atre-parser doc [http download] [ftp download]
ChangeLog [http download] [ftp download]
HowTo [http download] [ftp download]
Subscribe to SSHGuard Attack Parser RegEx Updates (Atom Feed)

Source & Docs: Alpha-Test Version

N.B.: Currently un-versioned. But, if it was versioned, it'd probably be v0.1.0 or something.

Alpha versions, as with Beta versions, are the result of enhancement requests and bug reports. Compared to Beta versions: Alpha versions may not have been as thoroughly tested or regression-tested - usually either because I lack the necessary raw test data or because the changes make it all-but-impossible to do so. Alpha versions are promoted to Beta status after I've seen they've been downloaded and a time goes by without problem reports.
This may get updated at irregular intervals--perhaps even several times per day, as mood or inspiration strikes me. The ChangeLog will always reflect any changes.

attack_parser_re.tgz [http download] [ftp download]
Contents:
- attack_parser_re.c - the attack parsing code
- attack_parser_re.h - header file (duh :))
- attack_parser_re.out - stand-alone executable output sample (see Notes)
- atre_parser.c - replacement parser for sshguard-2.4.2 and later
  - Also stand-alone test utility
- examples/attack_parser_re.conf - attack parsing regexps (POSIX)
- examples/attack_parser_re.pcre - attack parsing regexps (PCRE)
- examples/sshguard-1.7.0_integration_diffs.txt - diffs between vanilla and modfied sshguard-1.7.0
  - There's also a spurious "should already have been blocked" log message eliminator in there ;)
- sshg_1.7.0_includes - necessary include files from sshguard-1.7.0
  - There are equivalent includes in sshguard-2.x. They're unnecessary for atre-parser.
- test/attack_parser_re.conf - development attack parsing regexps (POSIX)
- test/attack_parser_re.pcre - development attack parsing regexps (PCRE)
- test/testfile - abbreviated test logfile input
- test/mytests.txt - abbreviated regression test file
- test/tests.txt - regression test file from sshguard-2.4.2
- ChangeLog
- Copyright.txt
- HowTo
- Makefile
- Notes
- ToDo
attack_parser_re.tgz.asc [http download] [ftp download] (PGP signature)
attack_parser_re.tgz.md5 [http download] [ftp download] (MD5 signature)
atre-parser doc [http download] [ftp download]
ChangeLog [http download] [ftp download]
HowTo [http download] [ftp download]

Future Direction

Hard to say.

This code was initially developed with the idea it would simply be a function call following SSHGuard's existing parser so users could easily add their own regexp attack signatures. In the process I developed a test/debug utility named "atre-test" with which to test my code. Then I was made aware, by SSHGuard's developer, of an SSHGuard regression test utility, the functionality of which I integrated into atre-test.

Further email exchanges revealed SSHGuard-2.4.2 allowed for a complete parser replacement at run-time. This resulted in atre-test being cloned to "atre-parser", atre-parser being refined, atre-test being rendered redundant and going away, and...

Here we are.

I do know I'm disinclined to learn the whole GNU Configure thing (autoconf, automake, libtool, etc.). I've never used those tools before. Seems complicated and I'm massively uninterested in spending the time on it.

Yes: It's a little rough, as published projects go. But, if you can make what I've done work for you as-is: You're welcome to use it. Otherwise: Unless it gets integrated into SSHGuard, proper, this is probably about as good as it's going to get.

Related Pages at Athena

My Unix Utilities page has some more stuff you might be able to use.

Comments or Questions?

Created: 10 Apr, 2022 / Last updated: 7 Apr, 2026