Created attachment 151913 [details]
patch-src-parser-attack_scanner

It seems it only triggers on plaintext logins.

Example when in plaintext:
Jan 20 11:00:09 hostname imap[XXXX] badlogin: badhost.baddomain.com [6.6.6.0] plaintext username SASL(-13): authentication failure: checkpass failed

Example when on TLS:
Jan 20 11:01:33 hostname imaps[XXXX] badlogin: badhost.baddomain.com [6.6.6.0] PLAIN [SASL(-13): authentication failure: Password verification failed]

Patch submitted upstream, but since they seem slow to adopt patches, I might submit here as well.
Auto-assigned to maintainer feld@FreeBSD.org
Your attached patch is oddly mangled... it would delete that entire section. I believe this is the change you're trying to make. Is this correct? -<cyrusimap_loginerr>"] ".*"SASL".*"checkpass failed" { BEGIN(INITIAL); return CYRUSIMAP_SASL_LOGINERR_SUFF; } +<cyrusimap_loginerr>"] ".*"SASL".*"failed".?$ { BEGIN(INITIAL); return CYRUSIMAP_SASL_LOGINERR_SUFF; } If so, I'll re-roll the patch and put it in the port.
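Review bot: the tail of the added rule, .*"failed".?$, is wider than the two log formats quoted in this report: it accepts any line in the cyrusimap_loginerr state that contains SASL and ends in "failed" followed by at most one arbitrary character. Both sample lines carry the literal "authentication failure: " after the SASL code, so keeping that literal in the pattern would hold the rule to authentication failures rather than every SASL message ending in "failed". The trailing .? could be "]"? instead, since the closing bracket of the TLS form is the only character expected before end of line. A short comment beside the rule naming the plaintext and TLS forms it is meant to cover would help whoever edits it next.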
(In reply to Mark Felder from comment #2) Maybe I should not try to patch a patch? You got what I meant anyway, that is what I wanted. Thanks!
Created attachment 152030 [details]
cyrus imap pattern fix

Can you test this patch for me? Thanks!
(In reply to Mark Felder from comment #4) Yes. Works as intended.
A commit references this bug:

Author: feld
Date: Fri Jan 23 20:15:35 UTC 2015
New revision: 377762
URL: https://svnweb.freebsd.org/changeset/ports/377762

Log:
  Patch parser to fix matching for Cyrus IMAP login attempts which are not plaintext.

  PR: 196943
  Submitted by: jakob.alvermark@bsdlabs.com

Changes:
  head/security/sshguard/Makefile
  head/security/sshguard/files/patch-src-parser-attack_scanner.l