2013/4/17 Fabian Wenk
Hello Yoyo

On 17.04.2013 17:47, Yoyo Yoyomaster wrote:
> Thanks for your answer.

You're welcome.

> I understand your solution.
> OK, that's working like that.
> But I would like to do multiple searches with only one regexp.
> So I try to make it work with the parenthesis.

> So can somebody explain to me why that doesn't work.
> In the following example, it works for a search with "select" but not with
> "c_id" (and so not for "?c_id" nor "c_id=") :
> # cat fail2ban-regex-test
> - - [20/Mar/2013:22:45:00 +0100] "GET
> /index.php?option=com_periodicos&task=mostrarNoticiasCategoria&catid=0'and(select/**/1/**/from(select/**/count(*),concat((select/**/username/**/from/**/jos_users/**/where/**/usertype=0x73757065722061646d696e6973747261746f72/**/limit/**/0,1),floor(rand(0)*2))x/**/from/**/information_schema.tables/**/group/**/by/**/x)a)and'
> HTTP/1.1" 404 845 "http://www.google.com/" "Mozilla/5.0 (Windows; U;
> Windows NT 6.1; ru; rv: Gecko/20110614 Firefox/3.6.18 GTB7.1" "-"
> - - [12/Apr/2013:03:05:20 +0200] "GET
> /components/com_jnews/includes/openflashchart/tmp-upload-images/sh.php?c_id=ZWNobygidDc0Mzk4MTIiKTs=
> HTTP/1.1" 404 2396 "-" "-" "-"

You could use something like this:

^<HOST> -.*"GET \/.*(php\?c_id=|\(select).*$

But "both" regex are quite general, at least the first one could
also match on real requests. I do not know about the second one,
this depends on your web application. Eventually it is safer to
make them more specific. And to be more readable, you can always
use multiple lines in your filter, like this:

failregex = ^<HOST> -.*"GET \/.*php\?c_id=.*$
             ^<HOST> -.*"GET \/.*\(select.*$

Only the relevant output from the fail2ban-regex (it matched both
log lines):

Addresses found:
[1] (Wed Mar 20 22:45:00 2013) (Fri Apr 12 03:05:20 2013)


Fail2ban-users mailing list


Once again, thanks for taking some time to help me.
I saw an example of regexp here:
The guy uses this type of regexp:
<HOST> - - \[.*?\] ".*(PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|dbadmin|pmadb|phpmyadmin1|myadmin2).*" 301 .*
I like this way to write a regexp in my case because with only one regexp I would be able to filter the greater part of the attacks my company's server receives.
So for example, I would like to use this type of regexp:
<HOST> - - \[.*?\] ".*(c_id=|concat|phpinfo|gif\.php|proxy|port=|protocol=|select\/|insert\/|update\/|delete\//from\/|=import|\*\*|w00tw00t|PMA|myadmin|mysql|mysql|sql|mypma|admin|xampp|mydb|dbadmin).*".*
And so on...
I want to add other patterns to increase the efficiency of the regexp.
I don't really want to write 1 regexp for 1 pattern, even if it is less readable.
For the moment I try to understand why the patterns "c_id=" or "?c_id" don't match (same problem with "c_id\=", "\?c_id").
So I asked the question about how to manage special characters inside the parentheses: (pattern1|pattern2|pattern3|...).
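As an added illustration (not code from either poster or from fail2ban itself) of the two points raised in this thread, Fabian's single-alternation versus multi-line failregex and the question of special characters inside the parentheses: the snippet below replays both regex forms against constructed log lines modelled on the two quoted requests. It assumes a simplified `<HOST>` expansion (`(?P<host>\S+)`; fail2ban's real one is stricter) and uses placeholder client addresses from the TEST-NET-1 range.

```python
import re

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: fail2ban's
# own pattern is more restrictive, but this is enough to show the matching).
HOST_RE = r"(?P<host>\S+)"

# Constructed log lines modelled on the two quoted requests plus one benign
# request; the client IPs are TEST-NET-1 placeholders, not real addresses.
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Mar/2013:22:45:00 +0100] "GET /index.php?catid=0\'and(select/**/1) HTTP/1.1" 404 845 "-" "-"',
    '192.0.2.20 - - [12/Apr/2013:03:05:20 +0200] "GET /components/tmp/sh.php?c_id=abc= HTTP/1.1" 404 2396 "-" "-" "-"',
    '192.0.2.30 - - [12/Apr/2013:03:06:00 +0200] "GET /index.php?option=com_content HTTP/1.1" 200 5120 "-" "-"',
]

# Fabian's single regex with an alternation group, and the two-line variant.
SINGLE_REGEX = r'^<HOST> -.*"GET \/.*(php\?c_id=|\(select).*$'
MULTI_REGEX = r'''^<HOST> -.*"GET \/.*php\?c_id=.*$
                  ^<HOST> -.*"GET \/.*\(select.*$'''
# The same idea with "?c_id" left unescaped inside the parentheses: "?" is a
# quantifier, so the regex engine rejects it ("nothing to repeat").
UNESCAPED_REGEX = r'^<HOST> -.*"GET \/.*(c_id=|?c_id).*$'

def compile_failregex(failregex):
    """Turn a (possibly multi-line) failregex value into compiled patterns."""
    patterns = []
    for line in failregex.splitlines():
        line = line.strip()
        if line:
            patterns.append(re.compile(line.replace("<HOST>", HOST_RE)))
    return patterns

def find_hosts(failregex, log_lines):
    """Return the <host> captured from every log line matching any pattern."""
    patterns = compile_failregex(failregex)
    found = []
    for line in log_lines:
        for pattern in patterns:
            match = pattern.search(line)
            if match:
                found.append(match.group("host"))
                break  # one hit per log line is enough, like fail2ban
    return found

def compiles(failregex):
    """True if every line of the failregex is a valid regular expression."""
    try:
        compile_failregex(failregex)
        return True
    except re.error:
        return False

if __name__ == "__main__":
    print(find_hosts(SINGLE_REGEX, SAMPLE_LOG))
    print(find_hosts(MULTI_REGEX, SAMPLE_LOG))
    print(compiles(UNESCAPED_REGEX))
```

Both regex forms flag the same two hosts and leave the benign request alone, while the unescaped `?c_id` alternative does not even compile, which is why `\?` and `\(` appear in the working patterns.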