From: Yves <f2...@ya...> - 2018-05-17 08:24:58
Hello Marat,

On Thu, 17 May 2018, Marat Khalili wrote:

> 16.05.2018 21:09, Jody Whitesides wrote:
>> Actually there would be a few other attempts in between line 2 and 6
>> there. Thus, I’d like to create a filter that can figure out the hex thing
>> before the 'mta event' as that is what ties the first part’s attempt to
>> the fact that it’s failing. Then I’d like to ban that host, both the IPv4
>> and IPv6 ones that are doing whatever it is they’re attempting to do.
>
> You can use multiline regular expressions for the hex part. Here's one
> example of how it is done (__machine, __pid1 and __pid2 all match among the
> lines):
> https://github.com/qm2k/burp_integration/blob/master/etc/fail2ban/filter.d/burp-auth.conf

Very interesting! I did not know that Fail2ban could do that. This may indeed
be the answer for Jody.

This does beg these questions, though:

* one for you: After Fail2ban has successfully matched the regex from line #1
  to line #6, will it resume log parsing at line #6 (next byte) or #7 (next
  line), or will it resume log parsing at line #2? For this solution to work,
  it must be the latter.

* one for Jody: Is there a known max number of lines you can set, to be
  matched by the multi-line regex? If not, you'll have to figure out a
  compromise: too high and the performance will be degraded; too low and you
  will miss occurrences.

> I'd also check your IPv6 connectivity (including ICMPv6) to the client, these
> timeouts are more likely caused by MTU problems than malicious intent.

I wouldn't know, but if you're right, this is indeed the _first_ thing to
check! :-)

Regards,
Yves.
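As an added example (written for this page, not code from the thread and not fail2ban's own implementation), here is a small Python model of the multi-line technique Marat points to and of the two questions Yves raises: a regex whose two halves are tied together by a backreference on the hex session id, the same idea as __pid1/__pid2 in the burp-auth filter, tried against a window of at most `maxlines` recent lines, with every log line read exactly once. The log format, session ids and hosts are constructed for the example (addresses from the RFC 5737 and RFC 3849 documentation ranges); `maxlines` is just a function parameter here, so check your own fail2ban version's filter documentation for the real option name and its limits.

```python
import re
import ipaddress
from collections import deque

# Constructed sample log for this example; the format (a hex session id in
# front of each message, failures reported as "mta event: ...") is an
# assumption standing in for whatever Jody's MTA actually writes.
SAMPLE_LOG = """\
May 17 08:00:01 mx mta[4242]: 7f3a1c: connect from [192.0.2.10]
May 17 08:00:01 mx mta[4242]: 9be0d4: connect from [2001:db8::10]
May 17 08:00:03 mx mta[4242]: 7f3a1c: mta event: timeout
May 17 08:00:03 mx mta[4242]: 9be0d4: helo=mail.example.net
May 17 08:00:04 mx mta[4242]: 9be0d4: mta event: delivered
May 17 08:00:10 mx mta[4242]: c0ffee: connect from [2001:db8::bad]
May 17 08:00:11 mx mta[4242]: c0ffee: helo=x
May 17 08:00:11 mx mta[4242]: c0ffee: helo=y
May 17 08:00:11 mx mta[4242]: c0ffee: helo=z
May 17 08:00:12 mx mta[4242]: c0ffee: mta event: auth failure
"""

# Cheap single-line gate: only a failure line can complete a match, so the
# multi-line regex is never run for ordinary lines.
FAILURE_LINE = re.compile(r"[0-9a-f]{6}: mta event: (?:timeout|auth failure)$")

# Two-part pattern tied together by a backreference on the session id: the
# first line gives us the host, any number of unrelated lines may sit in
# between (lazy skip), and the last line must be the failure for the *same* id.
MULTI = re.compile(
    r"(?P<id>[0-9a-f]{6}): connect from \[(?P<host>[^\]]+)\]\n"
    r"(?:.*\n)*?"                                    # skipped lines, lazily
    r".*(?P=id): mta event: (?:timeout|auth failure)$"
)


def correlate(log, maxlines):
    """Return hosts whose connect line and failure line share a session id
    and lie at most `maxlines` lines apart.

    Each line is read exactly once: the multi-line regex is tried only when
    a failure line arrives, against the last `maxlines` lines, and parsing
    never rewinds to an earlier line. `maxlines` is the compromise from the
    thread: a larger window means more regex work per failure, a smaller
    one silently misses sessions with many intervening lines."""
    window = deque(maxlen=maxlines)
    hosts = []
    for line in log.splitlines():
        window.append(line)
        if not FAILURE_LINE.search(line):
            continue
        m = MULTI.search("\n".join(window))
        if m:
            hosts.append(m.group("host"))
    return hosts


def ban_targets(log, maxlines):
    """Map each offending host to its IP version so the caller can send IPv4
    and IPv6 addresses to the right firewall table (the thread wants both)."""
    return {h: ipaddress.ip_address(h).version for h in correlate(log, maxlines)}


if __name__ == "__main__":
    # Shrinking the window shows the "too low and you miss occurrences" case:
    # the c0ffee session has three helo lines between connect and failure.
    for n in (2, 3, 5):
        print(f"maxlines={n}: {ban_targets(SAMPLE_LOG, n)}")
```

With a window of 5 both offenders are found; with 3 the IPv6 session is missed because its connect line has already fallen out of the window; with 2 nothing matches at all, which is exactly the tuning problem Yves describes.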