diff --git a/CHANGELOG b/CHANGELOG
index cffa80c..81b370b 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -8,7 +8,9 @@ with the option --changelog.
 auth_checker.pl STMP/POP3 Authentication Abuse Detection Utility v2.03 (2014-02-13)
 Written by Ivo Truxa (c) 2014 (based on the script detect_smtp_auth_abuse.pl by Todd Lyon (c) 2013)
-
+
+ 2.04 [Moritz Kobel] 05/07/2014
+ - added support for different exim login configuration names
 2.03 [Ivo Truxa] 02/13/2014
 - IO::Uncompress::AnyUncompress added for better compressed file support (conditional)
 - added wildcards support - log file names can now include wildcards
diff --git a/auth_checker.pl b/auth_checker.pl
index cb6b92f..1fe849c 100755
--- a/auth_checker.pl
+++ b/auth_checker.pl
@@ -65,6 +65,8 @@
 " '/var/log/auth' for mode ssh, and \n".
 " '/var/log/httpd/access.log' for mode apache \n";
 my $changelog =
+" 2.04 [Moritz Kobel] 05/07/2014 \n".
+" - added support for different exim login configuration names \n".
 " 2.03 [Ivo Truxa] 02/13/2014 \n".
 " - IO::Uncompress::AnyUncompress added for better compressed file support (conditional) \n".
 " - added wildcards support - log file names can now include wildcards \n".
@@ -140,7 +142,7 @@
 'apache' => '$ip, $user, $date, $time'
 );
 my %log_pattern = (
-'exim' => '^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}).*H=.*\[(\d+\.\d+\.\d+\.\d+)\].*A=(?:(dovecot_)?(plain|login)):([^ ]+)',
+'exim' => '^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}).*H=.*\[(\d+\.\d+\.\d+\.\d+)\].*A=(?:(dovecot_|ldap_)?(plain|login|fixed_cram|fixed_login|plain_login)):([^ ]+)',
 'dovecot' => '^(\w{3} .\d) (\d{2}:\d{2}:\d{2}) \w+ dovecot: (pop3|imap)-login: Login: user=\<(.*)\>,.+ rip=(\d+\.\d+\.\d+\.\d+), ',
 'ssh' => '^(\w{3} .\d) (\d{2}:\d{2}:\d{2}) \w+ sshd\[\d+\]: Accepted (\S+) for (\w+) from (\d+\.\d+\.\d+\.\d+) port \d+ ssh.\s*$',
 'openwm' => '^\w{3} (\w{3} .\d) (\d{2}:\d{2}:\d{2}) \d{4} - \[\d+\] \((\d+\.\d+\.\d+\.\d+)\) (\w+) - login - ',
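Review bot: The replacement `'exim'` pattern in the `@@ -140,7 +142,7 @@` hunk still hard-codes the authenticator names it accepts (`plain|login|fixed_cram|fixed_login|plain_login`, optionally prefixed by `dovecot_`/`ldap_`), but Exim authenticator names are free-form labels chosen in each site's configuration, so an authenticated login under any other name (e.g. `cram_md5` or `auth_plain`) silently matches nothing and the abuse check reports no events for it, which is a coverage gap for a detection tool. Because the surrounding line is already anchored by `A=` and the `:` before the user, the name can be matched generically while keeping the same six capture groups in the same order, which appears to matter since patterns look to be consumed positionally (compare the visible `'apache' => '$ip, $user, $date, $time'` mapping; confirm against the code that reads `%log_pattern`): `'exim' => '^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}).*H=.*\[(\d+\.\d+\.\d+\.\d+)\].*A=(dovecot_|ldap_)?([A-Za-z0-9_]+):([^ ]+)',`. The `(?:...)` wrapper is dropped because it captured nothing, and group 4 is still undef when no prefix is present, so the listed names parse exactly as before. The `%log_pattern` hash opened at `my %log_pattern = (` is closed outside the hunk.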