From: Yoyo Y. <yoy...@gm...> - 2013-04-17 14:41:45
Hello,

Sorry, I have another question about special characters. I hate regular expressions :-)

I tried to write a regexp to match on Apache logs containing special characters. I have a problem finding the way to escape, for example, "=" and "?". I tried a simple escape: \? \= and I also tried \\? \\\\?

I tried these actions:

# cat fail2ban-regex-test
8.8.8.8 - - [12/Apr/2013:03:05:20 +0200] "GET /components/com_jnews/includes/openflashchart/tmp-upload-images/sh.php?c_id=ZWNobygidDc0Mzk4MTIiKTs= HTTP/1.1" 404 2396 "-" "-" "-"

# fail2ban-regex fail2ban-regex-test '<HOST> - - \[.*?\] ".*(\?c_id).*".*'

Running tests
=============

Use regex line : <HOST> - - \[.*?\] ".*(\?c_id).*".*
Use log file   : fail2ban-regex-test

Results
=======

Failregex
|- Regular expressions:
|  [1] <HOST> - - \[.*?\] ".*(\?c_id).*".*
|
`- Number of matches:
   [1] 0 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Sorry, no match

Look at the above section 'Running tests' which could contain important
information.

# fail2ban-regex fail2ban-regex-test '<HOST> - - \[.*?\] ".*(c_id\=).*".*'

Running tests
=============

Use regex line : <HOST> - - \[.*?\] ".*(c_id\=).*".*
Use log file   : fail2ban-regex-test

Results
=======

Failregex
|- Regular expressions:
|  [1] <HOST> - - \[.*?\] ".*(c_id\=).*".*
|
`- Number of matches:
   [1] 0 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Sorry, no match

Look at the above section 'Running tests' which could contain important
information.
#

Thanks a lot for your help.
From: Fabian W. <fa...@we...> - 2013-04-17 15:20:29
Hello Yoyo

On 17.04.2013 16:41, Yoyo Yoyomaster wrote:
> # cat fail2ban-regex-test
> 8.8.8.8 - - [12/Apr/2013:03:05:20 +0200] "GET
> /components/com_jnews/includes/openflashchart/tmp-upload-images/sh.php?c_id=ZWNobygidDc0Mzk4MTIiKTs=
> HTTP/1.1" 404 2396 "-" "-" "-"

Use a regex like this:

^<HOST> -.*"GET \/.*php\?c_id=.*$

And here is the test output (sorry for the line wrapping):

fabian@superman:~ $ fail2ban-regex '8.8.8.8 - - [12/Apr/2013:03:05:20 +0200] "GET /components/com_jnews/includes/openflashchart/tmp-upload-images/sh.php?c_id=ZWNobygidDc0Mzk4MTIiKTs= HTTP/1.1" 404 2396 "-" "-" "-"' '^<HOST> -.*"GET \/.*php\?c_id=.*$'

Running tests
=============

Use regex line : ^<HOST> -.*"GET \/.*php\?c_id=.*$
Use single line: 8.8.8.8 - - [12/Apr/2013:03:05:20 +0200] "GET /com...

Results
=======

Failregex: 1 total
|-  #) [# of hits] regular expression
|   1) [1] ^<HOST> -.*"GET \/.*php\?c_id=.*$
`-

Ignoreregex: 0 total

Summary
=======

Addresses found:
[1]
    8.8.8.8 (Fri Apr 12 03:05:20 2013)

Date template hits:
2 hit(s): Day/MONTH/Year:Hour:Minute:Second

Success, the total number of match is 1

However, look at the above section 'Running tests' which could contain important
information.
fabian@superman:~ $

bye
Fabian
From: Yoyo Y. <yoy...@gm...> - 2013-04-17 15:47:17
2013/4/17 Fabian Wenk

> Hello Yoyo
>
> On 17.04.2013 16:41, Yoyo Yoyomaster wrote:
> > # cat fail2ban-regex-test
> > 8.8.8.8 - - [12/Apr/2013:03:05:20 +0200] "GET
> > /components/com_jnews/includes/openflashchart/tmp-upload-images/sh.php?c_id=ZWNobygidDc0Mzk4MTIiKTs=
> > HTTP/1.1" 404 2396 "-" "-" "-"
>
> Use a regex like this:
>
> ^<HOST> -.*"GET \/.*php\?c_id=.*$
>
> And here is the test output (sorry for the line wrapping):
>
> fabian@superman:~ $ fail2ban-regex '8.8.8.8 - - [12/Apr/2013:03:05:20 +0200] "GET
> /components/com_jnews/includes/openflashchart/tmp-upload-images/sh.php?c_id=ZWNobygidDc0Mzk4MTIiKTs=
> HTTP/1.1" 404 2396 "-" "-" "-"' '^<HOST> -.*"GET \/.*php\?c_id=.*$'
>
> Running tests
> =============
>
> Use regex line : ^<HOST> -.*"GET \/.*php\?c_id=.*$
> Use single line: 8.8.8.8 - - [12/Apr/2013:03:05:20 +0200] "GET /com...
>
> Results
> =======
>
> Failregex: 1 total
> |-  #) [# of hits] regular expression
> |   1) [1] ^<HOST> -.*"GET \/.*php\?c_id=.*$
> `-
>
> Ignoreregex: 0 total
>
> Summary
> =======
>
> Addresses found:
> [1]
>     8.8.8.8 (Fri Apr 12 03:05:20 2013)
>
> Date template hits:
> 2 hit(s): Day/MONTH/Year:Hour:Minute:Second
>
> Success, the total number of match is 1
>
> However, look at the above section 'Running tests' which could contain important
> information.
> fabian@superman:~ $
>
> bye
> Fabian
>
> ------------------------------------------------------------------------------
> Precog is a next-generation analytics platform capable of advanced
> analytics on semi-structured data. The platform includes APIs for building
> apps and a phenomenal toolset for data science. Developers can use
> our toolset for easy data analysis & visualization. Get a free account!
> http://www2.precog.com/precogplatform/slashdotnewsletter
> _______________________________________________
> Fail2ban-users mailing list
> Fai...@li...
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users

Thanks for your answer.
I understand your solution.
OK, that's working like that.
But I would like to do multiple searches with only one regexp.
So I try to make it work with the parentheses.
So can somebody explain to me why that doesn't work?
In the following example, it works for a search with "select" but not with "c_id" (and so not for "?c_id" nor "c_id="):

# cat fail2ban-regex-test
8.8.8.8 - - [20/Mar/2013:22:45:00 +0100] "GET /index.php?option=com_periodicos&task=mostrarNoticiasCategoria&catid=0'and(select/**/1/**/from(select/**/count(*),concat((select/**/username/**/from/**/jos_users/**/where/**/usertype=0x73757065722061646d696e6973747261746f72/**/limit/**/0,1),floor(rand(0)*2))x/**/from/**/information_schema.tables/**/group/**/by/**/x)a)and' HTTP/1.1" 404 845 "http://www.google.com/" "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18 GTB7.1" "-"
8.8.8.8 - - [12/Apr/2013:03:05:20 +0200] "GET /components/com_jnews/includes/openflashchart/tmp-upload-images/sh.php?c_id=ZWNobygidDc0Mzk4MTIiKTs= HTTP/1.1" 404 2396 "-" "-" "-"

# fail2ban-regex fail2ban-regex-test '<HOST> - - \[.*?\] ".*(select|w00tw00t).*".*'

Running tests
=============

Use regex line : <HOST> - - \[.*?\] ".*(select|w00tw00t).*".*
Use log file   : fail2ban-regex-test

Results
=======

Failregex
|- Regular expressions:
|  [1] <HOST> - - \[.*?\] ".*(select|w00tw00t).*".*
|
`- Number of matches:
   [1] 1 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
    8.8.8.8 (Wed Mar 20 22:45:00 2013)

Date template hits:
0 hit(s): Month Day Hour:Minute:Second
0 hit(s): Weekday Month Day Hour:Minute:Second Year
0 hit(s): Weekday Month Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
3 hit(s): Day/Month/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-Month-Year Hour:Minute:Second[.Millisecond]
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601

Success, the total number of match is 1

However, look at the above section 'Running tests' which could contain important
information.

# fail2ban-regex fail2ban-regex-test '<HOST> - - \[.*?\] ".*(c_id|w00tw00t).*".*'

Running tests
=============

Use regex line : <HOST> - - \[.*?\] ".*(c_id|w00tw00t).*".*
Use log file   : fail2ban-regex-test

Results
=======

Failregex
|- Regular expressions:
|  [1] <HOST> - - \[.*?\] ".*(c_id|w00tw00t).*".*
|
`- Number of matches:
   [1] 0 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Sorry, no match

Look at the above section 'Running tests' which could contain important
information.
#
From: Fabian W. <fa...@we...> - 2013-04-17 16:51:57
Hello Yoyo

On 17.04.2013 17:47, Yoyo Yoyomaster wrote:
> Thanks for your answer.

You're welcome.

> I understand your solution.
> OK, that's working like that.
> But I would like to do multiple searches with only one regexp.
> So I try to make it work with the parentheses.
> So can somebody explain to me why that doesn't work?
> In the following example, it works for a search with "select" but not with
> "c_id" (and so not for "?c_id" nor "c_id="):
>
> # cat fail2ban-regex-test
> 8.8.8.8 - - [20/Mar/2013:22:45:00 +0100] "GET
> /index.php?option=com_periodicos&task=mostrarNoticiasCategoria&catid=0'and(select/**/1/**/from(select/**/count(*),concat((select/**/username/**/from/**/jos_users/**/where/**/usertype=0x73757065722061646d696e6973747261746f72/**/limit/**/0,1),floor(rand(0)*2))x/**/from/**/information_schema.tables/**/group/**/by/**/x)a)and'
> HTTP/1.1" 404 845 "http://www.google.com/" "Mozilla/5.0 (Windows; U;
> Windows NT 6.1; ru; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18 GTB7.1" "-"
> 8.8.8.8 - - [12/Apr/2013:03:05:20 +0200] "GET
> /components/com_jnews/includes/openflashchart/tmp-upload-images/sh.php?c_id=ZWNobygidDc0Mzk4MTIiKTs=
> HTTP/1.1" 404 2396 "-" "-" "-"

You could use something like this:

^<HOST> -.*"GET \/.*(php\?c_id=|\(select).*$

But "both" regex are quite general; at least the first one could also match on real requests. I do not know about the second one, this depends on your web application. Eventually it is safer to make them more specific.

And to be more readable, you can always use multiple lines in your filter, like this:

failregex = ^<HOST> -.*"GET \/.*php\?c_id=.*$
            ^<HOST> -.*"GET \/.*\(select.*$

Only the relevant output from the fail2ban-regex (it matched both log lines):

Addresses found:
[1]
    8.8.8.8 (Wed Mar 20 22:45:00 2013)
    8.8.8.8 (Fri Apr 12 03:05:20 2013)

bye
Fabian
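An added worked example, not from the thread and not fail2ban's own code, that reproduces Fabian's point in Python (the language fail2ban is written in). The `<HOST>` tag is replaced by a named capture group before the regex is compiled; the host pattern used here is a simplified assumption of what fail2ban substitutes, good enough for IPv4 addresses. The single alternation regex and the two-line failregex are then run over constructed log lines: the two attack records from the thread (the SQL one shortened to the fragment the regex keys on) plus a benign request, to show that both forms report the same addresses and that neither fires on the benign request.

```python
import re

# Assumption: simplified form of the pattern fail2ban substitutes for <HOST>
# (the real one lives in fail2ban's filter code; this one handles IPv4 hosts).
HOST_RE = r'(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)'

# Constructed sample log lines: the two attack records from the thread (the SQL
# injection one shortened to the part the regex keys on) plus one benign request.
LOG_LINES = [
    '8.8.8.8 - - [20/Mar/2013:22:45:00 +0100] "GET /index.php?option=com_periodicos'
    '&catid=0\'and(select/**/1 HTTP/1.1" 404 845 "http://www.google.com/" "Mozilla/5.0" "-"',
    '8.8.8.8 - - [12/Apr/2013:03:05:20 +0200] "GET /components/com_jnews/includes/'
    'openflashchart/tmp-upload-images/sh.php?c_id=ZWNobygidDc0Mzk4MTIiKTs= HTTP/1.1" '
    '404 2396 "-" "-" "-"',
    '8.8.8.8 - - [12/Apr/2013:03:06:00 +0200] "GET /index.php HTTP/1.1" 200 1234 "-" "-" "-"',
]

# Fabian's two ways of writing the filter: one alternation, or two failregex lines.
ONE_REGEX = [r'^<HOST> -.*"GET \/.*(php\?c_id=|\(select).*$']
TWO_REGEXES = [
    r'^<HOST> -.*"GET \/.*php\?c_id=.*$',
    r'^<HOST> -.*"GET \/.*\(select.*$',
]


def compile_failregex(failregex):
    """Replace the <HOST> tag with the host-capturing group and compile, as fail2ban does."""
    return re.compile(failregex.replace('<HOST>', HOST_RE))


def matched_hosts(failregexes, lines):
    """Return (host, index of the matching failregex) for every line some failregex matches.

    As in fail2ban, the first failregex that matches a line wins; the rest are skipped.
    """
    compiled = [compile_failregex(fr) for fr in failregexes]
    hits = []
    for line in lines:
        for idx, rx in enumerate(compiled):
            m = rx.search(line)
            if m:
                hits.append((m.group('host'), idx))
                break
    return hits


if __name__ == '__main__':
    print('one regex  :', matched_hosts(ONE_REGEX, LOG_LINES))
    print('two regexes:', matched_hosts(TWO_REGEXES, LOG_LINES))
```

Both forms yield the same two bans; the two-line form additionally tells you which pattern fired, which is the maintainability point Tom raises later in the thread.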
From: Yoyo Y. <yoy...@gm...> - 2013-04-18 08:10:28
2013/4/17 Fabian Wenk

> Hello Yoyo
>
> On 17.04.2013 17:47, Yoyo Yoyomaster wrote:
> > Thanks for your answer.
>
> You're welcome.
>
> > I understand your solution.
> > OK, that's working like that.
> > But I would like to do multiple searches with only one regexp.
> > So I try to make it work with the parentheses.
> > So can somebody explain to me why that doesn't work?
> > In the following example, it works for a search with "select" but not with
> > "c_id" (and so not for "?c_id" nor "c_id="):
> >
> > # cat fail2ban-regex-test
> > 8.8.8.8 - - [20/Mar/2013:22:45:00 +0100] "GET
> > /index.php?option=com_periodicos&task=mostrarNoticiasCategoria&catid=0'and(select/**/1/**/from(select/**/count(*),concat((select/**/username/**/from/**/jos_users/**/where/**/usertype=0x73757065722061646d696e6973747261746f72/**/limit/**/0,1),floor(rand(0)*2))x/**/from/**/information_schema.tables/**/group/**/by/**/x)a)and'
> > HTTP/1.1" 404 845 "http://www.google.com/" "Mozilla/5.0 (Windows; U;
> > Windows NT 6.1; ru; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18 GTB7.1" "-"
> > 8.8.8.8 - - [12/Apr/2013:03:05:20 +0200] "GET
> > /components/com_jnews/includes/openflashchart/tmp-upload-images/sh.php?c_id=ZWNobygidDc0Mzk4MTIiKTs=
> > HTTP/1.1" 404 2396 "-" "-" "-"
>
> You could use something like this:
>
> ^<HOST> -.*"GET \/.*(php\?c_id=|\(select).*$
>
> But "both" regex are quite general; at least the first one could
> also match on real requests. I do not know about the second one,
> this depends on your web application. Eventually it is safer to
> make them more specific.
>
> And to be more readable, you can always use multiple lines in your filter, like this:
>
> failregex = ^<HOST> -.*"GET \/.*php\?c_id=.*$
>             ^<HOST> -.*"GET \/.*\(select.*$
>
> Only the relevant output from the fail2ban-regex (it matched both
> log lines):
>
> Addresses found:
> [1]
>     8.8.8.8 (Wed Mar 20 22:45:00 2013)
>     8.8.8.8 (Fri Apr 12 03:05:20 2013)
>
> bye
> Fabian

Hello,

Once again, thanks for taking some time to help me.
I saw an example of regexp here:
http://blog.pastoutafait.org/billets/Prot%C3%A9ger-un-serveur-avec-Fail2ban
The guy uses this type of regexp:

<HOST> - - \[.*?\] ".*(PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|dbadmin|pmadb|phpmyadmin1|myadmin2).*" 301 .*

I like this way to write a regexp in my case because with only one regexp I would be able to filter the greater part of the attacks my company's server receives.
So for example, I would like to use this type of regexp:

<HOST> - - \[.*?\] ".*(c_id=|concat|phpinfo|gif\.php|proxy|port=|protocol=|select\/|insert\/|update\/|delete\//from\/|=import|\*\*|w00tw00t|PMA|myadmin|mysql|mysql|sql|mypma|admin|xampp|mydb|dbadmin).*".*

And so on... I want to add other patterns to increase the efficiency of the regexp.
I don't really want to write 1 regexp for 1 pattern, even if it is less readable.

For the moment I am trying to understand why the patterns "c_id=" or "?c_id" don't match (same problem with "c_id\=", "\?c_id").
So I asked the question about how to manage special characters inside the parentheses: (pattern1|pattern2|pattern3|...).
From: Tom H. <to...@wh...> - 2013-04-18 09:03:20
Attachments:
signature.asc
On 04/18/2013 10:10 AM, Yoyo Yoyomaster wrote:
>
> Hello,
>
> Once again, thanks for taking some time to help me.
> I saw an example of regexp here:
> http://blog.pastoutafait.org/billets/Prot%C3%A9ger-un-serveur-avec-Fail2ban
> The guy uses this type of regexp:
>
> <HOST> - - \[.*?\] ".*(PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|dbadmin|pmadb|phpmyadmin1|myadmin2).*" 301 .*
>
> I like this way to write a regexp in my case because with only one
> regexp I would be able to filter the greater part of the attacks my company's
> server receives.
> So for example, I would like to use this type of regexp:
> <HOST> - - \[.*?\] ".*(c_id=|concat|phpinfo|gif\.php|proxy|port=|protocol=|select\/|insert\/|update\/|delete\//from\/|=import|\*\*|w00tw00t|PMA|myadmin|mysql|mysql|sql|mypma|admin|xampp|mydb|dbadmin).*".*
> And so on...
> I want to add other patterns to increase the efficiency of the regexp.
> I don't really want to write 1 regexp for 1 pattern, even if it is less
> readable.

This is a bad idea. You originally said that you are not that good with regular expressions, and now you want to make the regexes you use a lot more difficult because you want to 'optimize' stuff that probably doesn't need optimisation.

Only after you see that fail2ban actually slows down because of your regexes, and you can actually prove (by profiling the code) that it's the regexes that create a performance bottleneck (and not f.i. I/O related to accessing the log files, which is a lot more probable), should you improve the efficiency of the regexes.

See [1] for details.

Please write the regexes in a way that keeps them understandable to the person maintaining them (i.e. you!). In case of an emergency (f.i. a false positive), you'll need to fix the regex quickly or disable everything. You probably won't have time to consult this list for help.

Also, it would be better if you kept separate regexes or jails for separate offences: an SQL injection attack is something else than testing for a non-updated web application. It's nice to see which attacks are actually happening, and if you make one jail that blocks everything (named php-badguys-trying-all-kinds-of-shit or equivalent) you won't be able to differentiate between the different issues.

[1] https://en.wikipedia.org/wiki/Program_optimization#When_to_optimize

Kind regards,
	Tom
From: Yoyo Y. <yoy...@gm...> - 2013-04-18 09:32:06
2013/4/18 Tom Hendrikx

> On 04/18/2013 10:10 AM, Yoyo Yoyomaster wrote:
> >
> > Hello,
> >
> > Once again, thanks for taking some time to help me.
> > I saw an example of regexp here:
> > http://blog.pastoutafait.org/billets/Prot%C3%A9ger-un-serveur-avec-Fail2ban
> > The guy uses this type of regexp:
> >
> > <HOST> - - \[.*?\] ".*(PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|dbadmin|pmadb|phpmyadmin1|myadmin2).*" 301 .*
> >
> > I like this way to write a regexp in my case because with only one
> > regexp I would be able to filter the greater part of the attacks my company's
> > server receives.
> > So for example, I would like to use this type of regexp:
> > <HOST> - - \[.*?\] ".*(c_id=|concat|phpinfo|gif\.php|proxy|port=|protocol=|select\/|insert\/|update\/|delete\//from\/|=import|\*\*|w00tw00t|PMA|myadmin|mysql|mysql|sql|mypma|admin|xampp|mydb|dbadmin).*".*
> > And so on...
> > I want to add other patterns to increase the efficiency of the regexp.
> > I don't really want to write 1 regexp for 1 pattern, even if it is less
> > readable.
>
> This is a bad idea. You originally said that you are not that good with
> regular expressions, and now you want to make the regexes you use a lot
> more difficult because you want to 'optimize' stuff that probably
> doesn't need optimisation.
> Only after you see that fail2ban actually slows down because of your
> regexes, and you can actually prove (by profiling the code) that it's
> the regexes that create a performance bottleneck (and not f.i. I/O
> related to accessing the log files, which is a lot more probable), should you
> improve the efficiency of the regexes.
>
> See [1] for details.
>
> Please write the regexes in a way that keeps them understandable to the
> person maintaining them (i.e. you!). In case of an emergency (f.i. a
> false positive), you'll need to fix the regex quickly or disable
> everything. You probably won't have time to consult this list for help.
>
> Also, it would be better if you kept separate regexes or jails for
> separate offences: an SQL injection attack is something else than
> testing for a non-updated web application. It's nice to see which
> attacks are actually happening, and if you make one jail that blocks
> everything (named php-badguys-trying-all-kinds-of-shit or equivalent)
> you won't be able to differentiate between the different issues.
>
> [1] https://en.wikipedia.org/wiki/Program_optimization#When_to_optimize
>
> Kind regards,
> 	Tom

Even with my bad English (I'm French ^^), I think I understood your point of view.
My point of view was to take the IP address listed in "iptables -L -n" and then easily make a little "cat access.log | grep <IP>" to understand the reason for blacklisting this IP address.

But maybe I will follow your advice, separating the declaration of fail2ban filters to identify well why any IP is blacklisted.

Well, I understood the origin of my problem.
It seems that it comes from the underscore character with something written after it.
In my example:

# cat fail2ban-regex-test
8.8.8.8 - - [20/Mar/2013:22:45:00 +0100] "GET /index.php?option=com_periodicos&task=mostrarNoticiasCategoria&catid=0'and(select/**/1/**/from(select/**/count(*),concat((select/**/username/**/from/**/jos_users/**/where/**/usertype=0x73757065722061646d696e6973747261746f72/**/limit/**/0,1),floor(rand(0)*2))x/**/from/**/information_schema.tables/**/group/**/by/**/x)a)and' HTTP/1.1" 404 845 "http://www.google.com/" "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18 GTB7.1" "-"
8.8.8.8 - - [12/Apr/2013:03:05:20 +0200] "GET /components/com_jnews/includes/openflashchart/tmp-upload-images/sh.php?c_id=ZWNobygidDc0Mzk4MTIiKTs= HTTP/1.1" 404 2396 "-" "-" "-"

These regexp work:
<HOST> - - \[.*?\] ".*(id=|pattern2|pattern3).*".*
<HOST> - - \[.*?\] ".*(php\?|pattern2|pattern3).*".*
<HOST> - - \[.*?\] ".*(\?|pattern2|pattern3).*".*
<HOST> - - \[.*?\] ".*(id|pattern2|pattern3).*".*
<HOST> - - \[.*?\] ".*(_|pattern2|pattern3).*".*

But these regexp don't work:
<HOST> - - \[.*?\] ".*(c_id|pattern2|pattern3).*".*
<HOST> - - \[.*?\] ".*(_id|pattern2|pattern3).*".*
<HOST> - - \[.*?\] ".*(\_id|pattern2|pattern3).*".*

I don't find the solution for the moment.
Does somebody know how to match this pattern inside the parentheses?: (_id)
From: Yoyo Y. <yoy...@gm...> - 2013-04-18 12:17:53
2013/4/18 Yoyo Yoyomaster

> 2013/4/18 Tom Hendrikx
>
>> On 04/18/2013 10:10 AM, Yoyo Yoyomaster wrote:
>> >
>> > Hello,
>> >
>> > Once again, thanks for taking some time to help me.
>> > I saw an example of regexp here:
>> > http://blog.pastoutafait.org/billets/Prot%C3%A9ger-un-serveur-avec-Fail2ban
>> > The guy uses this type of regexp:
>> >
>> > <HOST> - - \[.*?\] ".*(PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|dbadmin|pmadb|phpmyadmin1|myadmin2).*" 301 .*
>> >
>> > I like this way to write a regexp in my case because with only one
>> > regexp I would be able to filter the greater part of the attacks my company's
>> > server receives.
>> > So for example, I would like to use this type of regexp:
>> > <HOST> - - \[.*?\] ".*(c_id=|concat|phpinfo|gif\.php|proxy|port=|protocol=|select\/|insert\/|update\/|delete\//from\/|=import|\*\*|w00tw00t|PMA|myadmin|mysql|mysql|sql|mypma|admin|xampp|mydb|dbadmin).*".*
>> > And so on...
>> > I want to add other patterns to increase the efficiency of the regexp.
>> > I don't really want to write 1 regexp for 1 pattern, even if it is less
>> > readable.
>>
>> This is a bad idea. You originally said that you are not that good with
>> regular expressions, and now you want to make the regexes you use a lot
>> more difficult because you want to 'optimize' stuff that probably
>> doesn't need optimisation.
>> Only after you see that fail2ban actually slows down because of your
>> regexes, and you can actually prove (by profiling the code) that it's
>> the regexes that create a performance bottleneck (and not f.i. I/O
>> related to accessing the log files, which is a lot more probable), should you
>> improve the efficiency of the regexes.
>>
>> See [1] for details.
>>
>> Please write the regexes in a way that keeps them understandable to the
>> person maintaining them (i.e. you!). In case of an emergency (f.i. a
>> false positive), you'll need to fix the regex quickly or disable
>> everything. You probably won't have time to consult this list for help.
>>
>> Also, it would be better if you kept separate regexes or jails for
>> separate offences: an SQL injection attack is something else than
>> testing for a non-updated web application. It's nice to see which
>> attacks are actually happening, and if you make one jail that blocks
>> everything (named php-badguys-trying-all-kinds-of-shit or equivalent)
>> you won't be able to differentiate between the different issues.
>>
>> [1] https://en.wikipedia.org/wiki/Program_optimization#When_to_optimize
>>
>> Kind regards,
>> 	Tom
>
> Even with my bad English (I'm French ^^), I think I understood your point
> of view.
> My point of view was to take the IP address listed in "iptables -L -n" and
> then easily make a little "cat access.log | grep <IP>" to understand the
> reason for blacklisting this IP address.
>
> But maybe I will follow your advice, separating the declaration of fail2ban
> filters to identify well why any IP is blacklisted.
>
> Well, I understood the origin of my problem.
> It seems that it comes from the underscore character with something written
> after it.
> In my example:
> # cat fail2ban-regex-test
> 8.8.8.8 - - [20/Mar/2013:22:45:00 +0100] "GET
> /index.php?option=com_periodicos&task=mostrarNoticiasCategoria&catid=0'and(select/**/1/**/from(select/**/count(*),concat((select/**/username/**/from/**/jos_users/**/where/**/usertype=0x73757065722061646d696e6973747261746f72/**/limit/**/0,1),floor(rand(0)*2))x/**/from/**/information_schema.tables/**/group/**/by/**/x)a)and'
> HTTP/1.1" 404 845 "http://www.google.com/" "Mozilla/5.0 (Windows; U;
> Windows NT 6.1; ru; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18 GTB7.1" "-"
> 8.8.8.8 - - [12/Apr/2013:03:05:20 +0200] "GET
> /components/com_jnews/includes/openflashchart/tmp-upload-images/sh.php?c_id=ZWNobygidDc0Mzk4MTIiKTs=
> HTTP/1.1" 404 2396 "-" "-" "-"
> These regexp work:
> <HOST> - - \[.*?\] ".*(id=|pattern2|pattern3).*".*
> <HOST> - - \[.*?\] ".*(php\?|pattern2|pattern3).*".*
> <HOST> - - \[.*?\] ".*(\?|pattern2|pattern3).*".*
> <HOST> - - \[.*?\] ".*(id|pattern2|pattern3).*".*
> <HOST> - - \[.*?\] ".*(_|pattern2|pattern3).*".*
>
> But these regexp don't work:
> <HOST> - - \[.*?\] ".*(c_id|pattern2|pattern3).*".*
> <HOST> - - \[.*?\] ".*(_id|pattern2|pattern3).*".*
> <HOST> - - \[.*?\] ".*(\_id|pattern2|pattern3).*".*
>
> I don't find the solution for the moment.
> Does somebody know how to match this pattern inside the parentheses?
> : (_id)

Ok, I found the solution.
It was a stupid error inside my file "fail2ban-regex-test".
There was a carriage return before "HTTP/1.1".
So the error was coming from this part of the regexp: ).*".*'
The double quotes were not found because of the carriage return inside the second log line of my file.

This test works:
fail2ban-regex fail2ban-regex-test '<HOST> - - \[.*?\] ".*(c_id=|pattern2|pattern3).*".*'

Thanks for the help received.
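The failure Yoyo finally tracked down, a request record split over two physical lines, is easy to reproduce and easy to check for before blaming the regex. The following is an added example, not from the thread and not part of fail2ban: `hosts_in_file` matches every physical line on its own, exactly as fail2ban-regex does, so the half-record that lacks the closing quote of the request never matches; `suspicious_lines` is a small hygiene check of my own (not a fail2ban feature) that flags lines with a carriage return inside them or without the `" <status> <size>` tail every Apache access record ends with. The `<HOST>` pattern is a simplified assumption of what fail2ban substitutes; the two records are constructed from the one in the thread.

```python
import re

# Assumption: simplified form of the pattern fail2ban substitutes for <HOST>.
HOST_RE = r'(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)'

# The regex from the thread that "did not work"; pattern2/pattern3 are placeholders.
FAILREGEX = r'<HOST> - - \[.*?\] ".*(c_id=|pattern2|pattern3).*".*'

# Constructed: the record as it should be, on one line, and the same record with a
# line break before HTTP/1.1, which is what the test file in the thread contained.
GOOD_RECORD = ('8.8.8.8 - - [12/Apr/2013:03:05:20 +0200] "GET /components/com_jnews/'
               'includes/openflashchart/tmp-upload-images/sh.php?c_id=ZWNobygidDc0Mzk4MTIiKTs= '
               'HTTP/1.1" 404 2396 "-" "-" "-"')
BROKEN_RECORD = GOOD_RECORD.replace(' HTTP/1.1"', '\nHTTP/1.1"')

# Loose shape of the end of an Apache access record: closing quote, status, size.
RECORD_TAIL = re.compile(r'" \d{3} (?:\d+|-)')


def compile_failregex(failregex):
    """Replace the <HOST> tag with the host-capturing group and compile, as fail2ban does."""
    return re.compile(failregex.replace('<HOST>', HOST_RE))


def hosts_in_file(failregex, text):
    """Mimic fail2ban-regex on a file: each physical line is matched on its own, so a
    record split over two lines never contains both quotes of the request string."""
    rx = compile_failregex(failregex)
    return [m.group('host') for m in map(rx.search, text.splitlines()) if m]


def suspicious_lines(text):
    """Hygiene check for a test file (own helper, not part of fail2ban): report lines
    that carry a carriage return mid-line or that lack the '" <status> <size>' tail,
    i.e. a record that an editor, a paste or a mail client wrapped onto two lines."""
    problems = []
    for number, raw in enumerate(text.split('\n'), start=1):
        line = raw.rstrip('\r')   # a CRLF line ending is harmless; a CR mid-line is not
        if not line:
            continue
        if '\r' in line:
            problems.append((number, 'carriage return inside the line'))
        elif not RECORD_TAIL.search(line):
            problems.append((number, 'no status/size after the request: split record?'))
    return problems


if __name__ == '__main__':
    for label, text in (('intact', GOOD_RECORD), ('split', BROKEN_RECORD)):
        print(label, hosts_in_file(FAILREGEX, text), suspicious_lines(text))
```

On the intact record the regex with `c_id=` inside the alternation matches at once, confirming that neither the underscore nor the `?` needed any special escaping; on the split record it matches nothing, and the hygiene check points at line 1 as the half-record. On a real box, `cat -A fail2ban-regex-test` shows the same thing (`$` at each line end, `^M` for carriage returns) before any regex is tried.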