LaBrea: add ignored log lines

a93fe0f2 · Pavel Kácha · 422b02b1 · a93fe0f2
Commit a93fe0f2 authored 1 year ago by Pavel Kácha
--- a/hp-labrea/labrea-idea.py
+++ b/hp-labrea/labrea-idea.py
@@ -466,13 +466,22 @@ RE_LIST = (
    # 1493035442 Initial Connect - tarpitting: 89.163.242.15 56736 -> 195.113.254.182 9898
    # 1493037991 Inbound SYN/ACK: 185.62.190.15 21001 -> 195.113.252.222 15584
    (
-        re.compile(r'([0-9]+) ([^:]*:) ([^ ]+) ([0-9]+) -> ([^ ]+) ([0-9]+).*'),
+        re.compile(r'([0-9]+) (Initial Connect - tarpitting:|Inbound SYN/ACK:) ([^ ]+) ([0-9]+) -> ([^ ]+) ([0-9]+).*'),
        namedtuple("connect_tuple", ("timestamp", "message", "src_ip", "src_port", "tgt_ip", "tgt_port"))
    ),
    # 1493035442 Responded to a Ping: 88.86.96.25 -> 195.113.253.87 *
    (
-        re.compile(r'([0-9]+) ([^:]*:) ([^ ]+) -> ([^ ]+).*'),
+        re.compile(r'([0-9]+) (Responded to a Ping:) ([^ ]+) -> ([^ ]+).*'),
        namedtuple("ping_tuple", ("timestamp", "message", "src_ip", "tgt_ip"))
+    ),
+    # 1645797338 Capturing local IP 195.113.252.187
+    # 1645797339 Persist Activity: 45.227.253.45 64088 -> 195.113.254.67 3136 *
+    # 1645797340 Additional Activity 195.113.253.198
+    # 1645857629 Linux Persist Activity: 61.177.172.89 12241 -> 195.113.253.252 22 *
+    # 1645857629 Persist Trapping: 103.66.50.44 62229 -> 195.113.252.5 445 *
+    (
+        re.compile(r'([0-9]+) (?:Capturing local|Persist Activity:|Additional Activity|Linux Persist Activity:|Persist Trapping:).*'),
+        None
    )
 )

@@ -481,6 +490,8 @@ def match_event(line):
    for labrea_re, event_tuple in RE_LIST:
        match = labrea_re.match(line)
        if match:
+            if not event_tuple:
+                return None
            return event_tuple(*match.groups())
    logging.info("Unmatched line: \"%s\"" % line.replace("\n", r"\n"))
    return None