Skip to content

fix: support IPv6 source addresses in auth log parser#32

Closed
pxivory-max wants to merge 1 commit into
profullstack:masterfrom
pxivory-max:fix/issue-28-ipv6-address-parsing
Closed

fix: support IPv6 source addresses in auth log parser#32
pxivory-max wants to merge 1 commit into
profullstack:masterfrom
pxivory-max:fix/issue-28-ipv6-address-parsing

Conversation

@pxivory-max

Copy link
Copy Markdown
Contributor

Summary

  • Widens IP_REGEX character class from IPv4-only (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) to [0-9a-fA-F.:] which covers both IPv4 and IPv6
  • Anchors capture on the trailing port keyword to avoid over-matching

Fixes #28

Gig: https://ugig.net/gigs/14eb1fad-1c95-4ba9-bd6f-5b6f9de1a664

Test plan

  • Parse Failed password for root from 2001:db8::42 port 54321 ssh2fields.ip should be "2001:db8::42"
  • Parse Failed password for root from 203.0.113.10 port 54321 ssh2fields.ip should still be "203.0.113.10"

IP_REGEX only matched IPv4 dotted-quad addresses. Widen the character
class to [0-9a-fA-F.:] and anchor on the trailing "port" keyword so
both IPv4 and IPv6 addresses are captured.

Fixes profullstack#28

Co-Authored-By: Claude <noreply@anthropic.com>
@ralyodio ralyodio closed this Jun 23, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Auth log parser drops IPv6 SSH source addresses

2 participants