0.10 filter captures to actions #1698
Make the test-case fail2bangh-1685 compliant
…tion "Init" no more needed)
…ress; [action.d/complain.conf] fixed using this new tag;
…ition" (section "Init" no more needed), because of better performance with this solution;
…ecause currently used commonly in server and in client)
… cycle over all tags to re.sub with callable)
…s as interpolation options (closes fail2bangh-1110)
… of tags `<F-...>`); Closes fail2bangh-1110
…returns AF_INET family only), fix network test-cases.
Codecov Report
@@ Coverage Diff @@
## 0.10 #1698 +/- ##
=======================================
+ Coverage 94% 94.2% +0.2%
=======================================
Files 77 77
Lines 11404 11546 +142
Branches 1778 1754 -24
=======================================
+ Hits 10720 10877 +157
+ Misses 412 391 -21
- Partials 272 278 +6
…le regular expression; Some filters extended with user name; [filter.d/pam-generic.conf]: grave fix injection on user name to host fixed; test-cases in testSampleRegexsFactory can now check the captured groups (using additionally fields in failJSON structure)
949b64a to 4ff8d05
…the convert-stream; Allow using failure-id (`<HOST>`) within `prefregex` (by common prefix for all expressions specified with `failregex`)
a543ba4 to 8bcaeb9
…ng of needed failure information to process in further lines. Many times faster and fewer CPU-hungry because of parsing with `maxlines=1`, so without line buffering (scrolling of the buffer-window). Combination of tags `<F-MLFID>` and `<F-NOFAIL>` can be used now to process multi-line logs using single-line expressions: - tag `<F-MLFID>`: used to identify resp. store failure info for groups of log-lines with the same identifier (e. g. combined failure-info for the same conn-id by `<F-MLFID>(?:conn-id)</F-MLFID>`, see sshd.conf for example) - tag `<F-NOFAIL>`: used as mark for no-failure (helper to accumulate common failure-info); filter.d/sshd.conf: [sshd], [sshd-ddos], [sshd-aggressive] optimized with pre-filtering using new option `prefregex` and new multi-line handling.
ec626f9 to 4efcc29
…ing, template possibility (used in new ActionInfo objects); new ActionInfo handling: saves content between actions, without interim copying (save original on demand, recoverable via reset); test cases extended
I've ported many features from my private branches, otherwise doing the further development was always needlessly complicated to me. If no objections follow, I'll merge it next week. Small info by the way about this branch:
…ix `<F-TUPLE_` (that would combine value of `<F-V>` with all value of <F-TUPLE_V?_n?> tags), for examples see new tests in fail2banregextestcase; closes fail2bangh-2755 (extends fail2ban#1454 and fail2ban#1698).
- `prefregex` for pre-filtering using single regular expression; Closes #1173 (fail2ban failing on lines with many (10.000+) characters)
- `maxlines=1`, so without line buffering (scrolling of the buffer-window). Combination of tags `<F-MLFID>` and `<F-NOFAIL>` can be used now to process multi-line logs using single-line expressions:
  - `<F-MLFID>`: used to identify resp. store failure info for groups of log-lines with the same identifier (e. g. combined failure-info for the same conn-id by `<F-MLFID>(?:conn-id)</F-MLFID>`, see sshd.conf for example)
  - `<F-NOFAIL>`: used as mark for no-failure (helper to accumulate common failure-info, e. g. from lines that contain IP-address);
- `prefregex`, and multiline filter using `<F-MLFID>` + `<F-NOFAIL>` combination;
- `<F-...>`); Closes #1110 (Expose filter regex group captures in actions)
- `[init]` supplied to the server from actionreader.
- `<ip-rev>` for PTR reversed representation of IP address
- `<ip-rev>` Closes #1685 (WIP: Make Abusix lookup compatible with Dash)
- Closes gh-1625
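As an added illustration (not code from this PR or from fail2ban itself), a simplified Python model of the single-line multi-line handling described above: a prefregex extracts the failure id, named groups stand in for the `<F-MLFID>`, `<HOST>`, `<F-USER>` and `<F-NOFAIL>` tags, and partial failure info is accumulated per id with no line buffering. The sample log is constructed and the regexes are hypothetical, not those of sshd.conf; the pending-state bound is an extra caveat, not something the PR describes.

```python
import re
from collections import OrderedDict

# Constructed sample log (not from the PR): two sshd sessions interleaved,
# distinguished by the pid in brackets, which serves as the failure id.
SAMPLE_LOG = """\
Jan 10 10:00:01 host sshd[1001]: Connection from 203.0.113.5 port 4242
Jan 10 10:00:02 host sshd[1002]: Connection from 198.51.100.9 port 5151
Jan 10 10:00:03 host sshd[1001]: Failed password for invalid user admin
Jan 10 10:00:04 host sshd[1002]: Accepted publickey for alice
"""

# prefregex (hypothetical, not sshd.conf's): captures the failure id (the
# <F-MLFID> part) and strips the common prefix; failregexes see the rest.
PREFREGEX = re.compile(
    r"^\w{3} +\d+ [\d:]+ \S+ sshd\[(?P<mlfid>\d+)\]: (?P<content>.*)$")
# failregex list; named groups stand in for <HOST>, <F-USER> and <F-NOFAIL>.
FAILREGEX = [
    # info-only line: carries the host and is marked as no-failure
    re.compile(r"^(?P<nofail>Connection) from (?P<host>\S+) port \d+$"),
    # failure line: carries the user but not the host
    re.compile(r"^Failed password for invalid user (?P<user>\S+)$"),
]

def process(log, max_pending=1000):
    """Return (host, user) failures, one line at a time (maxlines=1)."""
    pending = OrderedDict()  # mlfid -> fields accumulated so far
    failures = []
    for line in log.splitlines():
        pm = PREFREGEX.match(line)
        if not pm:
            continue
        mlfid, content = pm.group("mlfid"), pm.group("content")
        for rx in FAILREGEX:
            fm = rx.match(content)
            if not fm:
                continue
            info = pending.setdefault(mlfid, {})
            info.update(fm.groupdict())
            if not fm.groupdict().get("nofail"):
                # a real failure line: report it once the host is known
                if info.get("host"):
                    failures.append((info["host"], info.get("user")))
                    del pending[mlfid]
            break
        # bound the pending state so ids that never complete cannot grow it
        while len(pending) > max_pending:
            pending.popitem(last=False)
    return failures
```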