From: Fabian W. <fa...@we...> - 2013-04-17 15:20:29
Hello Yoyo

On 17.04.2013 16:41, Yoyo Yoyomaster wrote:
> # cat fail2ban-regex-test
> 8.8.8.8 - - [12/Apr/2013:03:05:20 +0200] "GET
> /components/com_jnews/includes/openflashchart/tmp-upload-images/sh.php?c_id=ZWNobygidDc0Mzk4MTIiKTs=
> HTTP/1.1" 404 2396 "-" "-" "-"

Use a regex like this:

^<HOST> -.*"GET \/.*php\?c_id=.*$

And here is the test output (sorry for the line wrapping):

fabian@superman:~ $ fail2ban-regex '8.8.8.8 - - [12/Apr/2013:03:05:20
+0200] "GET /components/com_jnews/includes/openflashchart/tmp-upload-images
/sh.php?c_id=ZWNobygidDc0Mzk4MTIiKTs= HTTP/1.1" 404 2396 "-" "-" "-"'
'^<HOST> -.*"GET \/.*php\?c_id=.*$'

Running tests
=============

Use regex line : ^<HOST> -.*"GET \/.*php\?c_id=.*$
Use single line: 8.8.8.8 - - [12/Apr/2013:03:05:20 +0200] "GET /com...

Results
=======

Failregex: 1 total
|- #) [# of hits] regular expression
|  1) [1] ^<HOST> -.*"GET \/.*php\?c_id=.*$
`-

Ignoreregex: 0 total

Summary
=======

Addresses found:
[1]
    8.8.8.8 (Fri Apr 12 03:05:20 2013)

Date template hits:
2 hit(s): Day/MONTH/Year:Hour:Minute:Second

Success, the total number of match is 1

However, look at the above section 'Running tests' which could contain
important information.
fabian@superman:~ $

bye
Fabian
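The following is an added example, not part of Fabian's message or of fail2ban itself: it runs the suggested failregex over several access-log lines to show which requests it would count. HOST_GROUP is an assumed, simplified stand-in for what fail2ban substitutes for <HOST>, and every log line except the first is constructed.

```python
import re

# Assumption: simplified stand-in for the pattern fail2ban substitutes for <HOST>.
HOST_GROUP = r"(?P<host>[\w\-.^_]+)"
FAILREGEX = r'^<HOST> -.*"GET \/.*php\?c_id=.*$'  # regex from the message above

TS = "[12/Apr/2013:03:06:01 +0200]"
SAMPLE_LOG = [
    # The line quoted in the thread (joined back onto one line).
    '8.8.8.8 - - [12/Apr/2013:03:05:20 +0200] "GET /components/com_jnews/includes/'
    'openflashchart/tmp-upload-images/sh.php?c_id=ZWNobygidDc0Mzk4MTIiKTs= '
    'HTTP/1.1" 404 2396 "-" "-" "-"',
    # Constructed: ordinary PHP request without c_id, should not match.
    f'192.0.2.10 - - {TS} "GET /index.php?id=5 HTTP/1.1" 200 5120 "-" "-" "-"',
    # Constructed: c_id sent with POST, the regex only looks for GET.
    f'192.0.2.11 - - {TS} "POST /x.php?c_id=abc HTTP/1.1" 404 2396 "-" "-" "-"',
    # Constructed: existing page answered with 200, the regex ignores the status.
    f'198.51.100.7 - - {TS} "GET /shop/view.php?c_id=42 HTTP/1.1" 200 900 "-" "-" "-"',
    # Constructed: c_id appears only in the Referer field, not in the request.
    f'203.0.113.5 - - {TS} "GET /index.html HTTP/1.1" 200 812 '
    '"http://example.org/list.php?c_id=7" "-" "-"',
]


def compile_failregex(failregex):
    """Expand the <HOST> tag into a named group and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def count_hits(lines, failregex=FAILREGEX):
    """Return {host: number of matching lines}, like the 'Addresses found' summary."""
    rx = compile_failregex(failregex)
    hits = {}
    for line in lines:
        match = rx.search(line)
        if match:
            host = match.group("host")
            hits[host] = hits.get(host, 0) + 1
    return hits


if __name__ == "__main__":
    for host, count in count_hits(SAMPLE_LOG).items():
        print(f"{host}: {count} hit(s)")
```

The last two sample lines match as well, because the pattern constrains neither the status code nor the field in which `php?c_id=` appears; check for such false positives in your own logs before attaching a ban action.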