From a93fe0f205b7ffc947ad4580966661fef045eab5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20K=C3=A1cha?= <ph@cesnet.cz>
Date: Thu, 25 Apr 2024 15:12:04 +0200
Subject: [PATCH] LaBrea: add ignored log lines

---
 hp-labrea/labrea-idea.py | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/hp-labrea/labrea-idea.py b/hp-labrea/labrea-idea.py
index 71cc70b..85e3db6 100755
--- a/hp-labrea/labrea-idea.py
+++ b/hp-labrea/labrea-idea.py
@@ -466,13 +466,22 @@ RE_LIST = (
     # 1493035442 Initial Connect - tarpitting: 89.163.242.15 56736 -> 195.113.254.182 9898
     # 1493037991 Inbound SYN/ACK: 185.62.190.15 21001 -> 195.113.252.222 15584
     (
-        re.compile(r'([0-9]+) ([^:]*:) ([^ ]+) ([0-9]+) -> ([^ ]+) ([0-9]+).*'),
+        re.compile(r'([0-9]+) (Initial Connect - tarpitting:|Inbound SYN/ACK:) ([^ ]+) ([0-9]+) -> ([^ ]+) ([0-9]+).*'),
         namedtuple("connect_tuple", ("timestamp", "message", "src_ip", "src_port", "tgt_ip", "tgt_port"))
     ),
     # 1493035442 Responded to a Ping: 88.86.96.25 -> 195.113.253.87 *
     (
-        re.compile(r'([0-9]+) ([^:]*:) ([^ ]+) -> ([^ ]+).*'),
+        re.compile(r'([0-9]+) (Responded to a Ping:) ([^ ]+) -> ([^ ]+).*'),
         namedtuple("ping_tuple", ("timestamp", "message", "src_ip", "tgt_ip"))
+    ),
+    # 1645797338 Capturing local IP 195.113.252.187
+    # 1645797339 Persist Activity: 45.227.253.45 64088 -> 195.113.254.67 3136 *
+    # 1645797340 Additional Activity 195.113.253.198
+    # 1645857629 Linux Persist Activity: 61.177.172.89 12241 -> 195.113.253.252 22 *
+    # 1645857629 Persist Trapping: 103.66.50.44 62229 -> 195.113.252.5 445 *
+    (
+        re.compile(r'([0-9]+) (?:Capturing local|Persist Activity:|Additional Activity|Linux Persist Activity:|Persist Trapping:).*'),
+        None
     )
 )
 
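Review bot: The `None` second element of the new ignore entry (the tuple around `re.compile(r'([0-9]+) (?:Capturing local|Persist Activity:|...')`) is an undocumented sentinel; a reader of RE_LIST cannot tell whether it means "known line type that deliberately yields no event" or "namedtuple still to be written". Add a comment above that entry, e.g. `# Recognised LaBrea status lines that carry no reportable event; the None tuple tells match_event to drop them silently instead of logging them as unmatched`. It is also worth noting in the same comment that the two event regexes above were narrowed from `([^:]*:)` to literal message texts on purpose, so a LaBrea build that words these messages differently will now surface as "Unmatched line" in the log rather than being parsed — presumably the intended trade-off, but it should be stated where the patterns live.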
@@ -481,6 +490,8 @@ def match_event(line):
     for labrea_re, event_tuple in RE_LIST:
         match = labrea_re.match(line)
         if match:
+            if not event_tuple:
+                return None
             return event_tuple(*match.groups())
     logging.info("Unmatched line: \"%s\"" % line.replace("\n", r"\n"))
     return None
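Review bot: The added guard `if not event_tuple:` tests the truthiness of what is otherwise a namedtuple class, while the ignore marker in RE_LIST is specifically `None`; `if event_tuple is None:` states the intent and cannot be tripped by any other falsy placeholder someone may add later. With this change match_event also returns `None` on two distinct paths — a recognised-but-ignored line and an unmatched line — and a caller cannot distinguish them except by the INFO log on the unmatched path, so the function's docstring (its `def` line is outside this hunk) should spell that out, e.g. `"""Return the event namedtuple for a known LaBrea log line; None for lines that are recognised but intentionally ignored, or unmatched (the latter are logged at INFO)."""`.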
-- 
GitLab