CODEWITHSUNDEEP
pythonregexapachefail2ban
j3141592653589793238
j3141592653589793238

Reputation: 1894

Regular Expression does not match test string

Why does the following regex not match the following text?

Regex:

\[\]\s\[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client <HOST>(:\d{1,5})?\] ModSecurity:\s+(?:\[(?:\w+ \"[^\"]*\"|[^\]]*)\]\s*)*Access denied with code [45]\d\d

Test string:

[Sun Mar 15 22:28:19.733272 2018] [:error] [pid 11954] [client 188.191.122.27:62165] [client 188.191.122.27] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 4 at TX:anomaly_score. [file ".../modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "63.60.128.135"] [uri "/phpmyadmin/phpmyadmin/index.php"] [unique_id "W0uuY3C8AA4EAA5OC7wBAAAH"]

This is a predefined rule from fail2ban and a random apache log entry with changed addresses.

At first, I thought that the mistake is that the client is logged twice, so I changed the client line: 

(\[client <HOST>(:\d{1,5})?\])+

But that didn’t seem to work either.

Just to get things clear:

 Regular expressions (failregex, ignoreregex) assume that the date/time has been removed from the log line (this is just how fail2ban works internally ATM).

 If the format is like „<date...> error 1.2.3.4 is evil“ then you need to match the < at the start so regex should be similar to „^<> <HOST> is evil$„ using <HOST> where the IP/domain name appears in the log line.

(Taken from the fail2ban docs: https://fail2ban.readthedocs.io/en/latest/filters.html) (I wrote this as code because stackoverflow seems to have problems with displaying specific characters in quotes.)

I am more or less new to regular expressions, so thanks for any help.

Upvotes: 0

Views: 796

Answers (1)

Barmar
Barmar

Reputation: 780974

You were close. When you added the repeating group for multiple clients, you didn't include the space that separates them in it.

\[\]\s\[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])?( \[client <HOST>(:\d{1,5})?\])+ ModSecurity:\s+(?:\[(?:\w+ \"[^\"]*\"|[^\]]*)\]\s*)*Access denied with code [45]\d\d

DEMO

Upvotes: 1

Related Questions