github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

Filter for multi-line now stores last time match 

This is useful for log files which dont contain a date/time on every
line
pull/108/head
Steven Hiscocks 2013-01-23 18:42:25 +00:00
parent 5c7e3841e0
commit 055aeeb227
3 changed files with 16 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
server/filter.py
View File

@ -75,6 +75,8 @@ class Filter(JailThread):
self.__lineBufferSize = 1 self.__lineBufferSize = 1
## Line buffer ## Line buffer
self.__lineBuffer = [] self.__lineBuffer = []
## Store last time stamp, applicable for multi-line
self.__lastTimeLine = ""
self.dateDetector = DateDetector() self.dateDetector = DateDetector()
self.dateDetector.addDefaultTemplate() self.dateDetector.addDefaultTemplate()
@ -319,12 +321,13 @@ class Filter(JailThread):
if timeMatch: if timeMatch:
# Lets split into time part and log part of the line # Lets split into time part and log part of the line
timeLine = timeMatch.group() timeLine = timeMatch.group()
self.__lastTimeLine = timeLine
# Lets leave the beginning in as well, so if there is no # Lets leave the beginning in as well, so if there is no
# anchore at the beginning of the time regexp, we don't # anchore at the beginning of the time regexp, we don't
# at least allow injection. Should be harmless otherwise # at least allow injection. Should be harmless otherwise
logLine = l[:timeMatch.start()] + l[timeMatch.end():] logLine = l[:timeMatch.start()] + l[timeMatch.end():]
else: else:
timeLine = l timeLine = self.__lastTimeLine or l
logLine = l logLine = l
self.__lineBuffer = ((self.__lineBuffer + self.__lineBuffer = ((self.__lineBuffer +
[logLine])[-self.__lineBufferSize:]) [logLine])[-self.__lineBufferSize:])

20
testcases/files/testcase-multiline.log
View File

@ -1,12 +1,12 @@
Aug 14 11:59:58 [sshd] Invalid user toto... Aug 14 11:59:58 [sshd] Invalid user toto
from 212.41.96.185
Aug 14 11:59:58 [sshd] Invalid user toto
from 212.41.96.185
Aug 14 11:59:58 [sshd] Invalid user duck
from 212.41.96.185
Aug 14 11:59:58 [sshd] Invalid user toto
from 212.41.96.185
Aug 14 11:59:58 [sshd] Invalid user duck...
Aug 14 11:59:58 [sshd] from 212.41.96.185 Aug 14 11:59:58 [sshd] from 212.41.96.185
Aug 14 11:59:58 [sshd] Invalid user toto... Aug 14 11:59:58 [sshd] Invalid user duck...
Aug 14 11:59:58 [sshd] from 212.41.96.185
Aug 14 11:59:58 [sshd] Invalid user fuck...
Aug 14 11:59:58 [sshd] from 212.41.96.185
Aug 14 11:59:58 [sshd] Invalid user toto...
Aug 14 11:59:58 [sshd] from 212.41.96.185
Aug 14 11:59:58 [sshd] Invalid user fuck...
Aug 14 11:59:58 [sshd] from 212.41.96.185
Aug 14 11:59:58 [sshd] Invalid user fuck...
Aug 14 11:59:58 [sshd] from 212.41.96.185 Aug 14 11:59:58 [sshd] from 212.41.96.185

4
testcases/filtertestcase.py
View File

@ -608,8 +608,8 @@ class GetFailures(unittest.TestCase):
def testGetFailuresMultiLine(self): def testGetFailuresMultiLine(self):
output = ("212.41.96.185", 3, 1124013598.0) output = ("212.41.96.185", 3, 1124013598.0)
self.filter.addLogPath(GetFailures.FILENAME_MULTILINE) self.filter.addLogPath(GetFailures.FILENAME_MULTILINE)
self.filter.addFailRegex("Invalid user .+\n.+ from <HOST>$") self.filter.addFailRegex("Invalid user .+\n.* from <HOST>$")
self.filter.addIgnoreRegex("user fuck") self.filter.addIgnoreRegex("user duck")
self.filter.setMaxLines(2) self.filter.setMaxLines(2)