2013/4/17 Fabian Wenk
Hello Yoyo

On 17.04.2013 16:41, Yoyo Yoyomaster wrote:

> # cat fail2ban-regex-test
> 8.8.8.8 - - [12/Apr/2013:03:05:20 +0200] "GET
> /components/com_jnews/includes/openflashchart/tmp-upload-images/sh.php?c_id=ZWNobygidDc0Mzk4MTIiKTs=
> HTTP/1.1" 404 2396 "-" "-" "-"

Use a regex like this:

^<HOST> -.*"GET \/.*php\?c_id=.*$


And here is the test output (sorry for the line wrapping):

fabian@superman:~ $ fail2ban-regex '8.8.8.8 - -
[12/Apr/2013:03:05:20 +0200] "GET
/components/com_jnews/includes/openflashchart/tmp-upload-images
/sh.php?c_id=ZWNobygidDc0Mzk4MTIiKTs= HTTP/1.1" 404 2396 "-" "-"
"-"' '^<HOST> -.*"GET \/.*php\?c_id=.*$'

Running tests
=============

Use regex line : ^<HOST> -.*"GET \/.*php\?c_id=.*$
Use single line: 8.8.8.8 - - [12/Apr/2013:03:05:20 +0200] "GET
/com...


Results
=======

Failregex: 1 total
|- #) [# of hits] regular expression
|  1) [1] ^<HOST> -.*"GET \/.*php\?c_id=.*$
`-

Ignoreregex: 0 total

Summary
=======

Addresses found:
[1]
     8.8.8.8 (Fri Apr 12 03:05:20 2013)

Date template hits:
2 hit(s): Day/MONTH/Year:Hour:Minute:Second

Success, the total number of match is 1

However, look at the above section 'Running tests' which could contain important
information.
fabian@superman:~ $


bye
Fabian

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users

 
Thanks for your answer.
I understand your solution.
OK, it works that way.
But I would like to do multiple searches with only one regexp.
So I am trying to make it work with parentheses.

So can somebody explain to me why this doesn't work?
In the following example, it works for a search with "select" but not with "c_id" (and so not for "?c_id" or "c_id=" either):
 
# cat fail2ban-regex-test
8.8.8.8 - - [20/Mar/2013:22:45:00 +0100] "GET /index.php?option=com_periodicos&task=mostrarNoticiasCategoria&catid=0'and(select/**/1/**/from(select/**/count(*),concat((select/**/username/**/from/**/jos_users/**/where/**/usertype=0x73757065722061646d696e6973747261746f72/**/limit/**/0,1),floor(rand(0)*2))x/**/from/**/information_schema.tables/**/group/**/by/**/x)a)and' HTTP/1.1" 404 845 "http://www.google.com/" "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18 GTB7.1" "-"
8.8.8.8 - - [12/Apr/2013:03:05:20 +0200] "GET /components/com_jnews/includes/openflashchart/tmp-upload-images/sh.php?c_id=ZWNobygidDc0Mzk4MTIiKTs=
HTTP/1.1" 404 2396 "-" "-" "-"

# fail2ban-regex fail2ban-regex-test '<HOST> - - \[.*?\] ".*(select|w00tw00t).*".*'
Running tests
=============
Use regex line : <HOST> - - \[.*?\] ".*(select|w00tw00t).*".*
Use log file   : fail2ban-regex-test

Results
=======
Failregex
|- Regular expressions:
|  [1] <HOST> - - \[.*?\] ".*(select|w00tw00t).*".*
|
`- Number of matches:
   [1] 1 match(es)
Ignoreregex
|- Regular expressions:
|
`- Number of matches:
Summary
=======
Addresses found:
[1]
    8.8.8.8 (Wed Mar 20 22:45:00 2013)
Date template hits:
0 hit(s): Month Day Hour:Minute:Second
0 hit(s): Weekday Month Day Hour:Minute:Second Year
0 hit(s): Weekday Month Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
3 hit(s): Day/Month/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-Month-Year Hour:Minute:Second[.Millisecond]
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
Success, the total number of match is 1
However, look at the above section 'Running tests' which could contain important
information.
# fail2ban-regex fail2ban-regex-test '<HOST> - - \[.*?\] ".*(c_id|w00tw00t).*".*'
Running tests
=============
Use regex line : <HOST> - - \[.*?\] ".*(c_id|w00tw00t).*".*
Use log file   : fail2ban-regex-test

Results
=======
Failregex
|- Regular expressions:
|  [1] <HOST> - - \[.*?\] ".*(c_id|w00tw00t).*".*
|
`- Number of matches:
   [1] 0 match(es)
Ignoreregex
|- Regular expressions:
|
`- Number of matches:
Summary
=======
Sorry, no match
Look at the above section 'Running tests' which could contain important
information.
#
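The script below is an added example (mine, not code from the thread and not fail2ban's own source) that reproduces offline what fail2ban-regex does with the patterns in this thread: Fabian's `^<HOST> -.*"GET \/.*php\?c_id=.*$`, the two alternation patterns from the last message, and a combined `(select|c_id|w00tw00t)` alternation. The `<HOST>` expansion is my approximation of the substitution fail2ban 0.8.x performs before compiling a failregex; fail2ban applies the compiled pattern with `search()`, as done here. The two log lines are the ones quoted above. The c_id request is tested twice: once joined on a single line, and once split before `HTTP/1.1"` exactly as the quoted fail2ban-regex-test file shows it. Whether that split is real or only mail wrapping is an assumption I cannot verify from the thread, but if it is real it explains the 0 matches: `".*(c_id|w00tw00t).*".*` needs a closing quote after `c_id` on the same line, and the split line has none, while Fabian's pattern never asks for one. The combined alternation also shows that the parenthesised alternation itself is fine on an intact line.

```python
import re

# What fail2ban substitutes for the <HOST> tag before compiling a failregex.
# This is my approximation of the 0.8.x replacement, not copied from fail2ban;
# the shape that matters here is an optional IPv4-mapped prefix followed by a
# named "host" group, which is what fail2ban-regex reports as the address found.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The two request lines from the post. The c_id request is kept in two pieces
# so that it can be tested both joined and split the way the quoted file shows it.
SQLI_LINE = (
    '8.8.8.8 - - [20/Mar/2013:22:45:00 +0100] "GET /index.php?option=com_periodicos'
    '&task=mostrarNoticiasCategoria&catid=0\'and(select/**/1/**/from(select/**/count(*),'
    'concat((select/**/username/**/from/**/jos_users/**/where/**/usertype='
    '0x73757065722061646d696e6973747261746f72/**/limit/**/0,1),floor(rand(0)*2))x'
    '/**/from/**/information_schema.tables/**/group/**/by/**/x)a)and\' HTTP/1.1" 404 845 '
    '"http://www.google.com/" "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.18) '
    'Gecko/20110614 Firefox/3.6.18 GTB7.1" "-"'
)
CID_LINE_HEAD = (
    '8.8.8.8 - - [12/Apr/2013:03:05:20 +0200] "GET /components/com_jnews/includes/'
    'openflashchart/tmp-upload-images/sh.php?c_id=ZWNobygidDc0Mzk4MTIiKTs='
)
CID_LINE_TAIL = ' HTTP/1.1" 404 2396 "-" "-" "-"'

# Log as it should look: one request per line.
INTACT_LINES = [SQLI_LINE, CID_LINE_HEAD + CID_LINE_TAIL]
# Log as quoted in the post: the c_id request is cut before ' HTTP/1.1"' (assumed
# to be a real line break here; it may only be mail wrapping in the original).
SPLIT_LINES = [SQLI_LINE, CID_LINE_HEAD, CID_LINE_TAIL.lstrip()]

# The patterns from the thread, plus one combined alternation.
SELECT_REGEX = r'<HOST> - - \[.*?\] ".*(select|w00tw00t).*".*'
CID_REGEX = r'<HOST> - - \[.*?\] ".*(c_id|w00tw00t).*".*'
COMBINED_REGEX = r'<HOST> - - \[.*?\] ".*(select|c_id|w00tw00t).*".*'
FABIAN_REGEX = r'^<HOST> -.*"GET \/.*php\?c_id=.*$'


def compile_failregex(failregex):
    """Expand <HOST> into the named host group, then compile, as fail2ban does."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def match_hosts(failregex, lines):
    """Return the host captured from every line the failregex matches.

    fail2ban runs the compiled pattern with search(), so a failregex is only
    anchored to the start of the line when it begins with '^'.
    """
    rx = compile_failregex(failregex)
    hosts = []
    for line in lines:
        m = rx.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


if __name__ == "__main__":
    for name, rx in [("select", SELECT_REGEX), ("c_id", CID_REGEX),
                     ("combined", COMBINED_REGEX), ("fabian", FABIAN_REGEX)]:
        print(f"{name:9} intact: {match_hosts(rx, INTACT_LINES)}"
              f"  split: {match_hosts(rx, SPLIT_LINES)}")
```

On the intact log the `c_id` and combined patterns match the expected lines; on the split log only the `select` branch and Fabian's pattern find anything, because nothing after the cut `c_id=...=` fragment supplies the quote that `.*"` demands. fail2ban-regex itself remains the authoritative check: if a copy of the log with the request genuinely on one line still gives 0 matches, the cause is something this script does not model.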