Cool.. I will just not worry about it then, and if I have issues will
use the ignore option in the config file.
Thank you again for the help,
From: Justin Piszcz [mailto:jpiszcz@...
Sent: Friday, September 14, 2007 9:01 AM
To: Leyda, Matt
Subject: RE: [Fail2ban-users] regex optimization
On Fri, 14 Sep 2007, Leyda, Matt wrote:
> I was not sure if that would cause more overhead by requiring 2 regex
> be executed or if it is at no cost to the performance..
> Btw, thank you for the speedy response.. I don't think I have ever
> gotten anything back that fast before..
> -----Original Message-----
> From: Justin Piszcz [mailto:jpiszcz@...]
> Sent: Friday, September 14, 2007 8:56 AM
> To: Leyda, Matt
> Cc: fail2ban-users@...
> Subject: Re: [Fail2ban-users] regex optimization
> On Fri, 14 Sep 2007, Leyda, Matt wrote:
>> Ok, being that I am only at a beginner level with regular expression
>> (please take mercy) I am looking to see if there is a way to optimize
>> the following expression to be more efficient.
>> The data that I am going against will have lines like below:
>> warning: Connection rate limit exceeded: 5 from unknown[unknown] for
>> service smtp
>> warning: Connection rate limit exceeded: 7 from
>> for service smtp
>> The regex that I am currently using is:
>> warning: Connection rate limit exceeded: (.*) from (.*)\[<HOST>\]
>> Clearly, with the above expression it could locate items to process
>> an 'unknown' ipaddress which is not too efficient. Does anyone know
>> to exclude the items "unknown[unknown]" within the single expression?
>> have tried the examples that I found using Google and the likes, but
>> they seem to fail or do not return results.
>> Thanks for any help
> $ pwd
> # Option: ignoreregex
> # Notes.: regex to ignore. If this regex matches, the line is
> ignoreregex = unknown\[unknown\]
> Why not just use this?
Whether it's executed twice or not is a good question, I'll leave that up
to the developer to respond to, if the ignoreregex is checked if it's not
null then yeah I guess it would look it up twice; however, I also use
postfix and since I have implemented that I have not seen iptables
to block an unknown host anymore :)
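
The two approaches discussed in this thread, compared side by side as an added example (not code from the original messages or from fail2ban itself). It assumes a simplified stand-in for the pattern fail2ban substitutes for `<HOST>`, constructed host names and addresses in the sample lines, and a model in which the ignore pattern is checked before the fail pattern.

```python
import re

# Assumption: simplified stand-in for fail2ban's <HOST> tag (host name or IPv4).
HOST = r"(?P<host>[\w\-.]+)"

def compile_rule(rule):
    """Expand the <HOST> tag the way this model assumes, then compile."""
    return re.compile(rule.replace("<HOST>", HOST))

# failregex and ignoreregex exactly as quoted in the thread.
FAILREGEX = compile_rule(
    r"warning: Connection rate limit exceeded: (.*) from (.*)\[<HOST>\]")
IGNOREREGEX = re.compile(r"unknown\[unknown\]")

# Single-expression alternative (added here): tighter fields plus a negative
# lookahead that rejects a bracket whose whole content is "unknown".
SINGLE = compile_rule(
    r"warning: Connection rate limit exceeded: \d+ from \S+"
    r"\[(?!unknown\])<HOST>\] for service")

def host_or_none(pattern, line):
    m = pattern.search(line)
    return m.group("host") if m else None

def original(line):
    """failregex alone: what the question started with."""
    return host_or_none(FAILREGEX, line)

def two_stage(line):
    """ignoreregex first, then failregex (order is an assumption of this model)."""
    if IGNOREREGEX.search(line):
        return None
    return host_or_none(FAILREGEX, line)

def single(line):
    """One expression doing both jobs."""
    return host_or_none(SINGLE, line)

# Sample lines: the first is from the thread, the other two are constructed.
PREFIX = "warning: Connection rate limit exceeded: "
SAMPLES = [
    PREFIX + "5 from unknown[unknown] for service smtp",
    PREFIX + "7 from host.example.net[192.0.2.45] for service smtp",
    PREFIX + "9 from unknown[192.0.2.9] for service smtp",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(original(line), two_stage(line), single(line), "|", line)
```
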