2013/4/18 Yoyo Yoyomaster
> 2013/4/18 Tom Hendrikx
>> On 04/18/2013 10:10 AM, Yoyo Yoyomaster wrote:
>> > Hello,
>> > Once again, thanks for taking some time to help me.
>> > I saw an example of regexp here :
>> > The guy uses this type of regexp :
>> > <HOST> - - \[.*?\]
>> 301 .*
>> > I like this way to write a regexp in my case because with only one
>> > regexp I would be able to filter the great part of attacks my company's
>> > server receive.
>> > So for example, I would like to use this type of regexp :
>> > <HOST> - - \[.*?\]
>> > And so on...
>> > I want to add other patterns to increase the efficiency of the regexp.
>> > I don't really want to write 1 regexp for 1 pattern, even if it is less
>> > readable.
>> This is a bad idea. You originally said that you are not that good with
>> regular expressions, and now you want to make the regexes you use a lot
>> more difficult because you want to 'optimize' stuff that probably
>> doesn't need optimisation.
>> Only after you see that fail2ban actually slows down because of your
>> regexes, and you can actually prove (by profiling the code) that it's
>> the regexes that create a performance bottleneck (and not f.i. i/o
>> related to accessing the log files, which is a lot more probable), you
>> should improve efficiency of the regexes.
>> See [1] for details.
>> Please write the regexes in a way that keeps them understandable to the
>> person maintaining them (i.e. you!). In case of an emergency (f.i. a
>> false positive), you'll need to fix the regex quickly or disable
>> everything. You probably won't have time to consult this list for help.
>> Also, it would be better if you'd kept separate regexes or jails for
>> separate offences: an sql injection attack is something else than
>> testing for a non-updated web application. It's nice to see which
>> attacks are actually happening, and if you make one jail that blocks
>> everything (named php-badguys-trying-all-kinds-of-shit or equivalent)
>> you won't be able to differentiate between the different issues.
>> [1] https://en.wikipedia.org/wiki/Program_optimization#When_to_optimize
>> Kind regards,
> Even with my bad English (I'm French ^^), I think I understood your point
> of view.
> My point of view was to take the IP address listed in "iptables -L -n" and
> then easily make a little "cat access.log | grep <IP>" to understand the
> reason for blacklisting this IP address.
> But maybe I will follow your advice of separating the declaration of fail2ban
> filters to clearly identify why any IP is blacklisted.
> Well I understood the origin of my problem.
> It seems that it comes from the underscore character with something written
> In my example:
> # cat fail2ban-regex-test
> 126.96.36.199 - - [20/Mar/2013:22:45:00 +0100] "GET
> HTTP/1.1" 404 845 "http://www.google.com/" "Mozilla/5.0 (Windows; U;
> Windows NT 6.1; ru; rv:188.8.131.52) Gecko/20110614 Firefox/3.6.18 GTB7.1" "-"
> 184.108.40.206 - - [12/Apr/2013:03:05:20 +0200] "GET
> HTTP/1.1" 404 2396 "-" "-" "-"
> These regexps work:
> <HOST> - - \[.*?\] ".*(id=|pattern2|pattern3).*".*
> <HOST> - - \[.*?\] ".*(php\?|pattern2|pattern3).*".*
> <HOST> - - \[.*?\] ".*(\?|pattern2|pattern3).*".*
> <HOST> - - \[.*?\] ".*(id|pattern2|pattern3).*".*
> <HOST> - - \[.*?\] ".*(_|pattern2|pattern3).*".*
> But these regexps don't work:
> <HOST> - - \[.*?\] ".*(c_id|pattern2|pattern3).*".*
> <HOST> - - \[.*?\] ".*(_id|pattern2|pattern3).*".*
> <HOST> - - \[.*?\] ".*(\_id|pattern2|pattern3).*".*
> I haven't found the solution for the moment.
> Does somebody know how to match this pattern inside the parentheses: (_id)
OK, I found the solution.
It was a stupid error inside my file "fail2ban-regex-test".
There was a carriage return before "HTTP/1.1".
So the error was coming from this part of the regexp :
The double quote was not found because of the carriage return inside the
second log line of my file.
This test works :
fail2ban-regex fail2ban-regex-test '<HOST> - - \[.*?\]
Thanks for the help received.
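An added example (not from this thread and not fail2ban's own code) that reproduces the failure described above in Python: fail2ban-regex tests each line of the file on its own, and since "." never crosses a line break, a request record split before "HTTP/1.1" can never satisfy the closing double quote that the `".*(_id|...).*"` part of the failregex requires. The `<HOST>` substitution is a simplified stand-in for what fail2ban does internally (assumption), the log lines are constructed with documentation IP addresses and a placeholder request path, and the helper names are hypothetical.

```python
import re

# Stand-in for fail2ban's <HOST> substitution (assumption: a simplified
# host pattern, not the exact regex fail2ban uses internally).
HOST_PATTERN = r"(?P<host>\S+)"

# The failregex from the thread, with the "_id" alternative that did not match.
FAILREGEX = r'<HOST> - - \[.*?\] ".*(_id|pattern2|pattern3).*".*'

# Constructed log lines (documentation IP addresses, placeholder request path).
# GOOD_LOG is one intact line; BROKEN_LOG has a line break before "HTTP/1.1",
# like the second line of the test file described in the thread.
GOOD_LOG = ('192.0.2.10 - - [20/Mar/2013:22:45:00 +0100] '
            '"GET /index.php?c_id=1 HTTP/1.1" 404 845 "-" "-"')
BROKEN_LOG = ('192.0.2.11 - - [12/Apr/2013:03:05:20 +0200] '
              '"GET /index.php?c_id=1\nHTTP/1.1" 404 2396 "-" "-"')


def compile_failregex(failregex):
    """Turn a fail2ban-style failregex into a Python regex (hypothetical helper)."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def matching_hosts(failregex, log_text):
    """Apply the failregex to each line separately, as fail2ban-regex does,
    and return the hosts it would ban. '.' never crosses a line break, so a
    request record split over two lines cannot satisfy the closing quote."""
    pattern = compile_failregex(failregex)
    return [m.group("host") for m in map(pattern.search, log_text.splitlines()) if m]


def unbalanced_quote_lines(log_text):
    """Return 1-based numbers of lines with an odd count of double quotes:
    a quick check for request records that were split over two lines."""
    return [n for n, line in enumerate(log_text.splitlines(), start=1)
            if line.count('"') % 2 == 1]


def join_split_requests(log_text):
    """Re-join a line whose quoted request was broken with the following line,
    so the test file matches what the web server really wrote."""
    fixed, pending = [], None
    for line in log_text.splitlines():
        if pending is not None:
            line = pending + " " + line
            pending = None
        if line.count('"') % 2 == 1:
            pending = line          # closing quote is on the next line
        else:
            fixed.append(line)
    if pending is not None:
        fixed.append(pending)       # trailing unterminated line kept as-is
    return "\n".join(fixed)


if __name__ == "__main__":
    print("intact line  :", matching_hosts(FAILREGEX, GOOD_LOG))
    print("split line   :", matching_hosts(FAILREGEX, BROKEN_LOG))
    print("odd quotes at:", unbalanced_quote_lines(BROKEN_LOG))
    print("after re-join:", matching_hosts(FAILREGEX, join_split_requests(BROKEN_LOG)))
```

The intact line is matched and the split one is not, for the reason given in the thread: neither half of the broken record contains both the `_id` text and a closing double quote. The odd-quote check is a cheap way to spot this kind of damage in a hand-edited test file before blaming the regex.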