# sshguard - 2.4.2 - How to add new signature? - Postfix non SMTP command



## s2r (Jun 21, 2022)

Hi.
Lately I've been seeing many scans in the maillog targeting postfix/smtpd, and I would like to add a new signature.


```
Jun 21 12:00:56 acme postfix/submission/smtpd[20201]: warning: non-SMTP command from unknown[170.130.187.14]: GET / HTTP/1.1
Jun 21 14:31:24 acme postfix/submission/smtpd[22074]: warning: non-SMTP command from unknown[23.224.186.214]: \001\000\000i3t\000\000\000\000\000\022\000\020\000\000\rmy.i.p.p.p\000\005\000\005\001\000\000\0\000\005\000\005\001\000\000\0
```

I read in CONTRIBUTING that I need to modify these files; however, I don't have enough programming experience:

- src/parser/tests.txt
- src/parser/attack_scanner.l
- src/parser/attack_parser.y

This is part of the code for one of Postfix's attack detection parsers:

```
/* postfix */
"warning: "({WORD}|{HOSTADDR})"["                               { BEGIN(postfix_loginerr); return POSTFIX_SASL_LOGINERR_PREF; }
<postfix_loginerr>"]: SASL "[-A-Z0-9]+" authentication failed".*    { BEGIN(INITIAL); return POSTFIX_SASL_LOGINERR_SUFF; }
"lost connection after AUTH from ".*"["                         { return POSTFIX_NO_AUTH_PREF; }
```

Has anybody got experience modifying those files? I don't remember much about C preprocessor syntax. Last used past century.

The regex to match the string would be something like this in attack_scanner.l:

```
"warning: non-SMTP command".*                               { BEGIN(INITIAL); return POSTFIX_NON_SMTP_CMD; }
```

In attack_parser.y I added a token POSTFIX_NON_SMTP_CMD:

```
%token POSTFIX_GREYLIST POSTFIX_GREYLIST_SUFF POSTFIX_NON_SMTP_CMD
```

Would the port maintainer be the person to go for further help?
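
The existing Postfix rules quoted in the post stop the prefix at `[` and resume at `]`, which leaves the client address as its own piece between them, while the drafted one-piece rule consumes the address with `.*`. The sketch below models that difference outside sshguard; it is an added example, not part of the original post and not sshguard code. The log lines are constructed in the quoted format using documentation addresses, and `PREFIX`, `SUFFIX`, `extract_attacker` and `count_sources` are hypothetical names.

```python
import ipaddress
import re
from collections import Counter

# Constructed log lines in the format quoted in the post (documentation addresses).
SAMPLE_LOG = [
    "Jun 21 12:00:56 acme postfix/submission/smtpd[20201]: warning: non-SMTP command from unknown[192.0.2.14]: GET / HTTP/1.1",
    r"Jun 21 14:31:24 acme postfix/submission/smtpd[22074]: warning: non-SMTP command from unknown[198.51.100.7]: \001\000\000i3t\000",
    "Jun 21 14:40:02 acme postfix/smtpd[22100]: warning: non-SMTP command from mail.example.net[2001:db8::25]: GET / HTTP/1.1",
    "Jun 21 14:41:10 acme postfix/smtpd[22101]: connect from unknown[203.0.113.9]",
    "Jun 21 14:42:00 acme postfix/smtpd[22102]: warning: non-SMTP command from unknown[unknown]: GET / HTTP/1.1",
    "Jun 21 14:43:30 acme postfix/smtpd[22103]: warning: non-SMTP command from unknown[192.0.2.14]: GET /index.html HTTP/1.0",
]

# One-piece rule as drafted in the post: it matches, but ".*" swallows the address.
WHOLE_LINE = re.compile(r"warning: non-SMTP command.*")

# Split form (hypothetical names): the prefix ends at "[" and the suffix starts
# at "]: ", so the client address is left as its own piece between them.
PREFIX = re.compile(r"warning: non-SMTP command from [^\[\s]+\[")
SUFFIX = re.compile(r"\]: ")


def extract_attacker(line):
    """Return the normalized client address of a non-SMTP-command line, else None."""
    prefix = PREFIX.search(line)
    if prefix is None:
        return None
    suffix = SUFFIX.search(line, prefix.end())
    if suffix is None:
        return None
    candidate = line[prefix.end():suffix.start()]
    try:
        return str(ipaddress.ip_address(candidate))  # rejects "unknown", hostnames, junk
    except ValueError:
        return None


def count_sources(lines):
    """Count matching lines per source address, ignoring lines with no valid address."""
    return Counter(addr for addr in map(extract_attacker, lines) if addr)


if __name__ == "__main__":
    for address, hits in count_sources(SAMPLE_LOG).most_common():
        print(f"{address}\t{hits}")
```

Lines of this shape, with the expected address, are the kind of cases that would go into `src/parser/tests.txt` alongside the scanner and grammar changes.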


----------



## SirDice (Jun 22, 2022)

s2r said:


> Would the port maintainer be the person to go for further help?


You can ask but don't expect any answers. Port maintainers just make sure the upstream code builds and installs on FreeBSD. They are usually not involved with the development of the code itself. I would contact the developers of sshguard though, it's their code.


----------



## CyberCr33p (Jun 22, 2022)

SirDice said:


> You can ask but don't expect any answers. Port maintainers just make sure the upstream code builds and installs on FreeBSD. They are usually not involved with the development of the code itself. I would contact the developers of sshguard though, it's their code.


The sshguard port maintainer is the sshguard developer.


----------



## CyberCr33p (Jun 22, 2022)

s2r said:


> Would the port maintainer be the person to go for further help?


I recommend you ask here: https://bitbucket.org/sshguard/sshguard/issues?status=new&status=open


----------



## SirDice (Jun 22, 2022)

CyberCr33p said:


> The sshguard port maintainer is the sshguard developer.


Really? I did not know that. Not very common though, most port maintainers have little to do with the development of the port they're maintaining.


----------



## s2r (Jun 22, 2022)

I will try with mail then Bitbucket. Don't want to create another account for another service. 
Thanks!


----------

