Postfix decoder: Making ending doubled dot optional #245
Conversation
Hello @iasdeoupxe,
First, sorry for the late answer.
Thank you for your contribution. We are going to consider this correction for the next releases.
Kind regards, Eva
I'm not absolutely sure if this is the way to go / implement this because if the ending doubled dot is there the
Yes, you're right. I will study the way to match your log
The ending doubled dot will be added to the IP.
Thank you for your correction.
Hello @iasdeoupxe, how about this regex?
If you agree you can commit it yourself. Regards, Eva
Mhhh, but this then only catches IPv4 addresses and would miss the IPv6 ones. Not sure, but we probably need to have a regex which matches both?
@iasdeoupxe
Any suggestion for an IPv6 regex? I'm currently not even sure if such a complex regex like e.g. the one suggested in https://stackoverflow.com/a/17871737 is even possible with the Wazuh ruleset regex.
No, this regex doesn't work.
So I'm currently stuck on how to proceed with this. Any suggestions for a regex which could match IPv4 AND IPv6 where the ending doubled dot could be removed?
Could something like this work?
Description: If there is an ending dot in the regex, the second one will match and doesn't extract the double dot into the IP; if there is no ending doubled dot, the third regex will kick in.
It indeed looks like this could work (ossec-logtest output with the suggested regex above).
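The ordered-pattern idea described in the comment above, as an added illustration in Python rather than Wazuh decoder syntax (this is not the PR's regex and not Wazuh's own code; the actual decoder regex is not reproduced on this page). The sample log lines, the `decode`/`decode_naive` names, and the choice of a non-greedy `\S+?` capture in front of the trailing `..` are all assumptions of this example. It shows the failure mode the PR is about (a single pattern pulling the doubled dot into the address) next to the two-pattern fix, and validates the extracted value with `ipaddress` so both IPv4 and IPv6 are covered:

```python
import ipaddress
import re

# Constructed sample lines modelled on the Postfix warning discussed in the PR
# (not taken from the PR itself). Lines 2 and 4 carry the trailing doubled dot,
# lines 3 and 4 carry an IPv6 address.
SAMPLE_LOGS = [
    "Dec 14 22:23:34 myhost postfix/smtpd[27266]: warning: hostname other.host does not resolve to address 1.2.3.4",
    "Dec 14 22:23:35 myhost postfix/smtpd[27266]: warning: hostname other.host does not resolve to address 1.2.3.4..",
    "Dec 14 22:23:36 myhost postfix/smtpd[27267]: warning: hostname other.host does not resolve to address 2001:db8::1",
    "Dec 14 22:23:37 myhost postfix/smtpd[27267]: warning: hostname other.host does not resolve to address 2001:db8::1..",
]

# A single greedy capture: this is the behaviour the PR wants to get rid of,
# because the ".." ends up inside the srcip field.
NAIVE = re.compile(r"warning: hostname (\S+) does not resolve to address (\S+)$")

# Ordered like the decoder proposed in the thread: the first pattern only
# matches when the line ends in ".." and stops the capture before it; the
# second handles lines without the doubled dot. Neither pattern spells out the
# IP format, so IPv4 and IPv6 are handled by the same two expressions.
PATTERNS = [
    re.compile(r"warning: hostname (\S+) does not resolve to address (\S+?)\.\.$"),
    re.compile(r"warning: hostname (\S+) does not resolve to address (\S+)$"),
]


def decode_naive(line):
    """Return the address captured by the single-pattern approach, or None."""
    m = NAIVE.search(line)
    return m.group(2) if m else None


def decode(line):
    """Return {'hostname': ..., 'srcip': ...} using the first pattern that matches."""
    for pat in PATTERNS:
        m = pat.search(line)
        if m:
            return {"hostname": m.group(1), "srcip": m.group(2)}
    return None


def decode_all(lines):
    return [decode(line) for line in lines]


def all_addresses_parse(lines):
    """True if every captured srcip is a syntactically valid IPv4/IPv6 address.

    ipaddress.ip_address raises ValueError on a value such as '1.2.3.4..', so
    this is a cheap check that the doubled dot was really stripped.
    """
    for decoded in decode_all(lines):
        if decoded is None:
            return False
        ipaddress.ip_address(decoded["srcip"])
    return True


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(decode_naive(line), "->", decode(line)["srcip"])
    print("all addresses valid:", all_addresses_parse(SAMPLE_LOGS))
```

The pattern order matters: if the "no doubled dot" expression came first, its `\S+` would swallow the `..` on the second and fourth lines and the stricter pattern would never be consulted.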
and:
Changed the PR in 4cb0cc7 with the suggested change from #245 (comment). Found the log entry with the ending doubled dot in https://www.linuxquestions.org/questions/linux-server-73/how-i-can-resolve-the-error-postfix-warning-hostname-does-not-resolve-to-address-4175455058/ @Lopuiz This could be reviewed again. I have also changed the base branch to 3.10 as it seems 3.9 was already released since I had created this PR 9 months ago.
support for IPv6 IP addresses. Updated / added log examples.
Hi! I will review it as soon as possible and it will be merged in 3.11. Regards,
@Lopuiz Any updates on a review? Three months+ for such a minor change is a quite long time frame 😢 |
Dec 14 22:23:34 myhost postfix/smtpd[27266]: warning: hostname other.host does not resolve to address 1.2.3.4