Taking regular expression group name contents to action #3743
Hi, I'm trying to figure out a way to capture a named regular expression group and add that to the actionban command. I have an IPS device that produces log entries in a sample format like so: Now the failregex expression I have is: As you can see, I have labeled the dynamic field How do I bring that vulnerability_reason value into the actionban command? I've been struggling to find any documentation on this (if it is even possible?). Any guidance is most welcome! TIA
Replies: 1 comment
- (?P<vulnerability_reason>.*)
+ <F-vulnerability_reason>.*</F-vulnerability_reason>
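Review bot: the `.*` inside <F-vulnerability_reason> on the + line is unbounded, and the question's goal is to pass that captured text into the actionban command. Because the value comes straight from log content, consider replacing `.*` with a pattern limited to the characters and length the IPS actually emits for this field (for example a bounded character class), and anchoring whatever follows it in the failregex so the capture cannot run to the end of the line.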
And then tag <F-vulnerability_reason> may be used in actions. See description for <F-*>...</F-*> in jail.conf.5#failregex
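How the filter and action fit together, as an added example that is not part of the original reply or the fail2ban project's own configuration. The file names, jail name, log path and log line format are constructed for illustration (the poster's real log format is not shown on this page), and the capture uses a bounded character class instead of `.*`.

```ini
# --- /etc/fail2ban/filter.d/ips-alerts.conf (hypothetical file name) ---
# Constructed sample line this filter is written for:
#   2024-05-01 12:00:00 IPS alert src=203.0.113.7 reason="SQL injection attempt"
[Definition]
# <HOST> captures the offending address.
# <F-vulnerability_reason>...</F-vulnerability_reason> stores the text between
# the quotes in the ticket. The class [\w .:/-]{1,128} limits the stored value
# to word characters and a few separators, at most 128 characters, so arbitrary
# log content never reaches the action command.
failregex = ^\s*IPS alert src=<HOST> reason="<F-vulnerability_reason>[\w .:/-]{1,128}</F-vulnerability_reason>"\s*$

# --- /etc/fail2ban/action.d/ips-log.conf (hypothetical file name) ---
[Definition]
# The same tag name is interpolated in the action, next to the built-in <ip>.
actionban = logger -t fail2ban-ips "banned <ip> reason=<F-vulnerability_reason>"
actionunban = logger -t fail2ban-ips "unbanned <ip>"

# --- /etc/fail2ban/jail.local (jail name and log path are assumptions) ---
[ips-alerts]
enabled = true
filter = ips-alerts
action = ips-log
logpath = /var/log/ips/alerts.log
maxretry = 1
```

Running `fail2ban-regex` with the log file and the filter file shows whether the line matches before the jail is enabled.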