Replies: 8 comments
-
I too was bitten by this until I examined the code. If I had to define it, I would say this:
So, the Secondary benefit of <--- prefregex -->|<-- failregex ->
3-Jan-2020 myscript: Dynamic error message part
-
Since the And in our DNS community, we got many error conditions related to distributed denial-of-service attacks to define. Please feel free to expand the article. I merely wanted to get that word out. Corrections are welcome. Meanwhile I'll try and expand a few with your words by the next day.
-
Thx! A few "objections" from my side:

Sure it is, but only if you have multiple `failregex` or have to implement one of the pre-filtering cases mentioned in my previous comment.

```
__prefix_line = ^(?:...)...
failregex = %(__prefix_line)s ... <HOST>$
```

Otherwise unnecessary providing of

No. It is not secondary but solely primary role of

This is still a part of your resulting example... I don't see that as a good and necessary `prefregex` here, because a mandatory space can be used pretty well in `failregex` directly (so it can only confuse people reading that example). Still no time to make a whole review... Nevertheless it is good to have such how-to's and we'll be happy to have even more of that.
-
I'm going to have to take some timeout and redo the whole steps just using your words. So bear with me while I incorporate what makes for easier prototyping. Prototyping? Mmmm, a better title?
-
Curious, as it is currently designed, why didn't the
-
Because common datepatterns can be used in logs where it is included in brackets or have double point after them. But it is recommended to specify own pattern, and you could indeed add
-
Looks like for Bind/named, I'm going to have to make my own date pattern that includes the ending space. Or put the starting space into the `prefregex` with my own prefix_line (currently called `_client`), which is better? Also got that 2nd filter ready (more micro DDoS and more ISC refusal to fix). I don't like `+` or `*`, as I prefer a range-constraint curly brace set.
-
And moving the doc file to
-
@egberts
Firstly thank you for the contribution to our wiki, it looks like a well-described and detailed how-to for Developing Regex in Fail2ban.
But... a brief view of the page shows me several inaccuracies or even mistakes:

As regards the `datepattern`, I did not see any info that the part of the message matched by `datepattern` will be cut out before the message is supplied to `prefregex`/`failregex` (so both should not include it in their REs). This could be important.

This is not true. The default `prefregex` is empty (resulting in `None` in python), which means that it would not be applied at all. This is faster than the catch-all that you assume (`^(?P<content>.+)$`) and doesn't do some other stuff prefregex serves. You can specify `prefregex` in order to:

- `failregex` if you have more than one);
- `failregex`) enclosed between tags `<F-CONTENT>...</F-CONTENT>`;
- `<F-MLFID>...<F-MLFID/>` tag) to identify several messages belonging to the same session, where a connect message containing IP is followed by failure message(s) that do not contain IP; this provides a new multi-line parsing method as replacement for the old (slow and ugly) multi-line parsing using a buffering window (`maxlines` > 1);
- `failregex` search would take place.

Though I understand this is just an example, such regexes are not good as examples (especially in a wiki about "Developing Regex"), because they are unsafe: they contain neither a start- (`^`) nor an end-anchor (`$`), and they contain a catch-all like `.+`, especially one which is immediately followed by the imprecise `<HOST>` tag which accepts every word as hostname. For instance, it would match the first word (or here the last letter '0', because the unbound and greedy `.+` eats everything else) after `query` as DNS:

One could provide a better example for the regex, or at least use the `<ADDR>` tag instead of `<HOST>`, add some boundary after the catch-all, and write a comment that this is just an unsafe example.

The explanation following the RE example above is more confusing than helpful, in my opinion.
As already said, `prefregex` is totally unneeded in this resulting filter, because it does not serve any need, so you could remove it here (and simply add this mandatory space directly in `failregex`). But it would make sense if you'd for example have multiple `failregex`.

My few cents to the subject.
Please note that was a brief view (as often under time pressure), so maybe I could miss something...
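As an added illustration of the points raised in the last comment (the datepattern part being cut out first, an empty prefregex being skipped, and the danger of an unanchored `.+` followed by `<HOST>`), here is a small Python model of fail2ban's two-stage matching. It is example code written for this thread, not code from fail2ban or from the wiki page under discussion. The `<HOST>`/`<ADDR>` expansions are simplified stand-ins (the real ones are more elaborate), the datepattern is a hand-written stand-in, and the BIND-style log lines are constructed.

```python
import re

# Constructed BIND/named-style log lines (not taken from the thread).
SAMPLE_DENIED = ("03-Jan-2020 12:00:00.000 client @0x7f2a1c003e60 192.0.2.10#53123 "
                 "(example.com): query (cache) 'example.com/ANY/IN' denied")
SAMPLE_OK = ("03-Jan-2020 12:00:01.000 client @0x7f2a1c003e60 192.0.2.10#53124 "
             "(example.com): query (cache) 'example.com/A/IN' approved")

# Simplified stand-ins for fail2ban's tag expansions (assumption: the real
# <HOST>/<ADDR> expansions are more elaborate). They keep the contrast the
# reviewer draws: <HOST> accepts any word, <ADDR> only an address.
TAGS = {
    "<HOST>": r"(?P<host>\S+)",
    "<ADDR>": r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})",
    "<F-CONTENT>": r"(?P<content>",
    "</F-CONTENT>": r")",
}

# Stand-in for a datepattern: the matched part is cut out before prefregex
# and failregex ever see the line.
DATE_RE = re.compile(r"^\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} ")


def expand(regex):
    """Replace the fail2ban-style tags with plain regex groups."""
    for tag, repl in TAGS.items():
        regex = regex.replace(tag, repl)
    return regex


def match_host(line, failregex, prefregex=None):
    """Two-stage matching in the spirit of fail2ban.

    1. the datepattern match is removed from the line;
    2. if a prefregex is given it must match, and its <F-CONTENT> group
       becomes the only input to failregex (an empty prefregex is skipped);
    3. failregex runs and the <HOST>/<ADDR> group is returned, or None.
    """
    content = DATE_RE.sub("", line, count=1)
    if prefregex:
        pre = re.search(expand(prefregex), content)
        if not pre:
            return None
        content = pre.group("content")
    m = re.search(expand(failregex), content)
    return m.group("host") if m else None


# Unsafe regex of the kind criticised above: no anchors, greedy catch-all
# immediately followed by <HOST>.
UNSAFE = r"query.+<HOST>"

# Anchored, bounded alternative using <ADDR>; no prefregex is needed here.
SAFE = r"^client @\S+ <ADDR>#\d+ \([^)]*\): query .* denied$"

# The same filter split into prefregex + failregex, as one would do when
# several failregex share the common prefix.
PREFREGEX = r"^client @\S+ <F-CONTENT>.+</F-CONTENT>$"
FAILREGEX_AFTER_PREF = r"^<ADDR>#\d+ \([^)]*\): query .* denied$"


def compare():
    """Return what each variant reports as the offending host."""
    return {
        "unsafe_denied": match_host(SAMPLE_DENIED, UNSAFE),   # 'd' (last letter)
        "unsafe_ok": match_host(SAMPLE_OK, UNSAFE),           # 'd' (false positive)
        "safe_denied": match_host(SAMPLE_DENIED, SAFE),       # '192.0.2.10'
        "safe_ok": match_host(SAMPLE_OK, SAFE),               # None
        "pref_denied": match_host(SAMPLE_DENIED, FAILREGEX_AFTER_PREF, PREFREGEX),
    }


if __name__ == "__main__":
    for name, host in compare().items():
        print(f"{name:>13}: {host!r}")
```

The unsafe pattern "matches" both lines and reports the last letter of the line as the host, exactly the failure mode described above; the anchored `<ADDR>` version reports the real client address on the denied line and nothing on the approved one, and it behaves the same whether written as one `failregex` or as the `prefregex` + `failregex` split.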