[Fail2ban-users] fail2ban 0.6.1 and snort

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi,
I have been using fail2ban for more then one year, with great satisfaction.

One of my few problems is that:

1) I always make a mess when I have to write a new rule
2) I cannot upgrade fail2ban to the last version, because I'm using
centos 4.x and I'm not too keen on keeping 2 versions of python

One of my servers had some problems during the weekend, and I'm trying
to parse snort's log too into fail2ban.

This is an example of log entries in the snort log:
12/03-08:44:23.634868  [**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden
[**] [Classification: Attempted Information Leak] [Priority: 2] {TCP}
62.149.197.109:80 -> 62.213.116.249:51517
12/03-12:05:38.697901  [**] [1:2003:8] MS-SQL Worm propagation attempt
[**] [Classification: Misc Attack] [Priority: 2] {UDP}
219.133.37.41:1089 -> 62.149.202.73:1434
12/03-17:30:12.373043  [**] [1:486:4] ICMP Destination Unreachable
Communication with Destination Host is Administratively Prohibited
[**] [Classification: Misc activity] [Priority: 3] {ICMP} 79.21.69.143
-> 62.149.197.69

I have drafted a configuration, and doesn't work. Could anyone have a
look at it?

[SNORT]
enabled = true
port = httpd
logfile = /var/log/snort/alert
# 11/30-19:33:24
timeregex = \d{1,2}/\d{1,2}-\d{1,2}:\d{1,2}:\d{1,2}
timepattern = %%m/%%d%%H:%%M:%%S
failregex = \{TCP\} <host>|\{UDP\} <host>|\{ICMP\} <host>

Moreover: as snort is monitoring more than one port, I would like it
to block all the activity for an IP, when a problem is found (not just
on the http port). What would be the syntax for that?

At the present time, the chain is created, but the log is not parsed
correctly - no offending lines are found (or the ips are not parsed
correctly).

This is what I get:
Chain fail2ban-SNORT (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Any suggestions? Thanks in advance,
   Andres