
Copyright (c) 2022 Jim Seymour (jseymour+sshguard@LinxNet.com)

Notes as I went along for the atre/attack_parser_re project

Building

    Moved to HowTo


Adding to sshguard-1.7.0 (except atre-parser):

	See also: examples/sshguard-1.7.0_integration_diffs.txt

	N.B.: The following may not be complete!  (Or correct.  Or useful at all.)

	Copy attack_parser_re.[ch] into

	    .../src/parser/

	Add attack_parser_re.h to

	    .../src/sshguard.c
	    .../src/parser/sshg_parser.c

	Add attack_parser_re_init() to

	    .../src/sshguard.c: main()
	    .../src/parser/sshg_parser.c: main()

	Add parse_line_re() after parse_line() in
	
	    .../src/sshguard.c: main()
	    .../src/parser/sshg_parser.c: main()

	.../src/Makefile

	    am_sshg_parser_OBJECTS += parser/attack_parser_re.$(OBJEXT)
	    am_sshguard_OBJECTS += parser/attack_parser_re.$(OBJEXT)

	    sshg_parser_SOURCES += parser/attack_parser_re.c parser/attack_parser_re.h
	    sshguard_SOURCES += parser/attack_parser_re.h

	    After

		fwalls/fw.$(OBJEXT): fwalls/$(am__dirstamp) \
			fwalls/$(DEPDIR)/$(am__dirstamp)
		parser/attack_parser_re.$(OBJEXT): parser/attack_parser_re.h

	    After

		sshg_parser_LDADD = $(LDADD)
		EXTRA_sshg_parser_DEPENDENCIES = parser/attack_parser_re.h

	    After

		sshguard_LDADD = $(LDADD)
		EXTRA_sshguard_DEPENDENCIES = parser/attack_parser_re.h

	    For PCRE, using pcreposix lib

		AM_CFLAGS += -DUSE_PCRE
		LIBS += -lpcreposix

	    For "native" PCRE, using pcre lib

		AM_CFLAGS += -DUSE_NATIVE_PCRE
		LIBS += -lpcre

	    (Probably a more correct way to do those, but I'll be damned if I can figure it out)


    Enhancements?

	Change sshguard.c:sigfin_handler() to re-read attack parser
	config file on SIGHUP instead of exiting?

	    Note: Added sigaction() catcher for this.

	    Note: sigaction() might not be portable?

	Add additional arg(s) to regexp configs?

	Verbose logging

	    .../src/sshguard.c:report_address():

		extern char *atre_service_to_name(enum service_code);

		char whenfirst[20];
		char whenlast[20];
		char pardontime[20];

		strftime(whenfirst, sizeof(whenfirst), "%b %d %T", localtime(&tmpent->whenfirst));
		strftime(whenlast, sizeof(whenlast), "%b %d %T", localtime(&tmpent->whenlast));
		strftime(pardontime, sizeof(pardontime), "%b %d %T", localtime(&tmpent->pardontime));

		sshguard_log(LOG_INFO, "Detected: %s, svc: %s, dangerousness: %d, first: %s, last: %s, pardon time: %s, numhits: %u, cum_danger: %u",
		    tmpent->attack->address->value,
		    atre_service_to_name(tmpent->attack->service),
		    tmpent->attack->dangerousness,
		    whenfirst,
		    whenlast,
		    pardontime,
		    tmpent->numhits,
		    tmpent->cumulated_danger);


From sshguard-2.4.2:

    From print_attack() in src/parser/parser.c:

	static void print_attack(const attack_t *attack) {
	    printf("%d %s %d %d\n", attack->service, attack->address.value,
	           attack->address.kind, attack->dangerousness);
	}


Adding Native PCRE Library Support

    Done!  Produced a 9-17% performance improvement over using the pcreposix lib

    (Tested, but not deployed)


REGEXLIB_IPV4_MAPPED6 Notes

    IPv4->IPv6 mapping (IPv4-mapped IPv6 address):

	0:0:0:0:0:FFFF:<low 32 bits written as a dotted-quad IPv4 address>

    Simple regexp match (POSIX):

        [0:]+[Ff]{4}:([[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3})

    Simple regexp match (PCRE):

        [0:]+[Ff]{4}:((?:\d{1,3}\.){3}\d{1,3})
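Added example (mine, not code from the atre project or sshguard): the POSIX form of the pattern compiled with regcomp(REG_EXTENDED) and run over a few constructed inputs, including an sshd-style log line with the address embedded mid-line and the compressed ::FFFF: form that [0:]+ also accepts. Because {1,3} digit groups also accept octets above 255, the extracted dotted quad is passed through inet_pton() before it is reported as an address. extract_mapped_ipv4() and mapped_ipv4_of() are names of this example, not of anything in the project.

```c
/* Added example, not from the atre project or sshguard: extract and validate
 * the IPv4 part of an IPv4-mapped IPv6 literal using the POSIX regexp from
 * the notes. */
#include <arpa/inet.h>
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* POSIX ERE from the notes, C-string escaped. Group 1 is the dotted quad. */
#define IPV4_MAPPED6_RE \
    "[0:]+[Ff]{4}:([[:digit:]]{1,3}\\.[[:digit:]]{1,3}\\.[[:digit:]]{1,3}\\.[[:digit:]]{1,3})"

/* Find an IPv4-mapped IPv6 literal anywhere in `text`, copy its IPv4 part
 * into `out` (outlen >= INET_ADDRSTRLEN) and validate it.
 * Returns 1 on a valid match, 0 on no match or an invalid dotted quad
 * (e.g. an octet > 255, which the regexp alone lets through), -1 if the
 * pattern fails to compile. */
int extract_mapped_ipv4(const char *text, char *out, size_t outlen)
{
    regex_t re;
    regmatch_t m[2];
    int rc;

    if (regcomp(&re, IPV4_MAPPED6_RE, REG_EXTENDED) != 0)
        return -1;

    rc = regexec(&re, text, 2, m, 0);
    regfree(&re);
    if (rc != 0 || m[1].rm_so < 0)
        return 0;

    size_t len = (size_t)(m[1].rm_eo - m[1].rm_so);
    if (len + 1 > outlen)
        return 0;
    memcpy(out, text + m[1].rm_so, len);
    out[len] = '\0';

    /* The regexp accepts "999.1.1.1"; inet_pton() does not. */
    struct in_addr a;
    return inet_pton(AF_INET, out, &a) == 1;
}

/* Convenience wrapper: pointer to a static buffer (not thread-safe) holding
 * the validated IPv4 address, or NULL when nothing valid was found. */
const char *mapped_ipv4_of(const char *text)
{
    static char buf[INET_ADDRSTRLEN];
    return extract_mapped_ipv4(text, buf, sizeof buf) == 1 ? buf : NULL;
}

int main(void)
{
    /* Constructed sample inputs; the addresses are documentation ranges. */
    const char *samples[] = {
        "::ffff:192.0.2.10",
        "0:0:0:0:0:FFFF:203.0.113.5",
        "Failed password for root from ::ffff:198.51.100.7 port 2222 ssh2",
        "::ffff:999.1.1.1",   /* matches the regexp, rejected by inet_pton */
        "2001:db8::1",        /* plain IPv6, no match */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *ip = mapped_ipv4_of(samples[i]);
        printf("%-66s -> %s\n", samples[i], ip ? ip : "(no valid mapped IPv4)");
    }
    return 0;
}
```

Note that the pattern is unanchored and only requires a run of `0`/`:` before the FFFF group, so it will also fire on "::ffff:a.b.c.d" appearing inside a longer, non-mapped address; whatever consumes the extracted address should still validate it, as the inet_pton() step here does.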

