From 43954692260bc57f6b7afd08115f8906b8fabce0 Mon Sep 17 00:00:00 2001
From: Joe Horn <joehorn@gmail.com>
Date: Fri, 26 Apr 2019 04:24:09 +0800
Subject: [PATCH 1/3] Update named-refused.conf

Log format changed since ver. 9.11.0
Ref. ftp://ftp.isc.org/isc/bind9/9.11.0/RELEASE-NOTES-bind-9.11.0.html
"The logging format used for querylog has been altered. It now includes an additional field indicating the address in memory of the client object processing the query."
---
 config/filter.d/named-refused.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/filter.d/named-refused.conf b/config/filter.d/named-refused.conf
index 2e14d442..989dedb4 100644
--- a/config/filter.d/named-refused.conf
+++ b/config/filter.d/named-refused.conf
@@ -34,7 +34,7 @@ __daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)
 # this can be optional (for instance if we match named native log files)
 __line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
 
-prefregex = ^%(__line_prefix)s( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: <F-CONTENT>.+</F-CONTENT>$
+prefregex = ^%(__line_prefix)s( error:)?\s*client( @[0-9a-z]+)? <HOST>#\S+( \([\S.]+\))?: <F-CONTENT>.+</F-CONTENT>$
 
 failregex = ^(view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$
             ^zone transfer '\S+/AXFR/\w+' denied\s*$

From 5a3859c163e90ceab889fe355755dd99c5840b44 Mon Sep 17 00:00:00 2001
From: "Sergey G. Brester" <github@sebres.de>
Date: Mon, 29 Jul 2019 12:32:25 +0200
Subject: [PATCH 2/3] Update named-refused

---
 fail2ban/tests/files/logs/named-refused | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fail2ban/tests/files/logs/named-refused b/fail2ban/tests/files/logs/named-refused
index 7414a1b3..0250276c 100644
--- a/fail2ban/tests/files/logs/named-refused
+++ b/fail2ban/tests/files/logs/named-refused
@@ -23,3 +23,6 @@ Aug 17 08:20:22 catinthehat named[2954]: client 223.252.23.219#56275: zone trans
 27-Aug-2013 17:49:45.330 client 59.167.242.100#44281 (watt.kiev.ua): zone transfer 'watt.kiev.ua/AXFR/IN' denied
 # failJSON: { "time": "2004-08-27T16:58:31", "match": true , "host": "176.9.92.38" }
 Aug 27 16:58:31 vhost1-ua named[29206]: client 176.9.92.38#42592 (simmarket.com.ua): bad zone transfer request: 'simmarket.com.ua/IN': non-authoritative zone (NOTAUTH)
+
+# failJSON: { "time": "2004-08-27T16:59:00", "match": true , "host": "192.0.2.1", "desc": "new log format, 9.11.0 (#2406)" }
+Aug 27 16:59:00 host named[28098]: client @0x7f6450002ef0 192.0.2.1#23332 (example.com): bad zone transfer request: 'test.com/IN': non-authoritative zone (NOTAUTH)

From 91923b5c072fc6209a9e9aff06f91b7d896ec63f Mon Sep 17 00:00:00 2001
From: sebres <serg.brester@sebres.de>
Date: Mon, 29 Jul 2019 13:14:04 +0200
Subject: [PATCH 3/3] don't need to match identifier exactly (@ is precise
 enough as prefix), not capturing group; `prefregex` extended, more selective
 now (denied/NOTAUTH suffix moved from `failregex`, so no catch-all there
 anymore); update ChangeLog

---
 ChangeLog                          | 3 +++
 config/filter.d/named-refused.conf | 8 ++++----
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index d152c601..d9f0f171 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -71,6 +71,9 @@ ver. 0.10.5-dev-1 (20??/??/??) - development edition
     - extended with new postfix filter mode `errors` to match "too many errors" (gh-2439),
       also included within modes `normal`, `more` (`extra` and `aggressive`), since postfix
       parameter `smtpd_hard_error_limit` is default 20 (additionally consider `maxretry`)
+* `filter.d/named-refused.conf`:
+    - support BIND 9.11.0 log format (includes an additional field @0xXXX..., gh-2406);
+    - `prefregex` extended, more selective now (denied/NOTAUTH suffix moved from failregex, so no catch-all there anymore)
 
 ### New Features
 * new failregex-flag tag `<F-MLFGAINED>` for failregex, signaled that the access to service was gained
diff --git a/config/filter.d/named-refused.conf b/config/filter.d/named-refused.conf
index 989dedb4..0d5a6275 100644
--- a/config/filter.d/named-refused.conf
+++ b/config/filter.d/named-refused.conf
@@ -34,11 +34,11 @@ __daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)
 # this can be optional (for instance if we match named native log files)
 __line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
 
-prefregex = ^%(__line_prefix)s( error:)?\s*client( @[0-9a-z]+)? <HOST>#\S+( \([\S.]+\))?: <F-CONTENT>.+</F-CONTENT>$
+prefregex = ^%(__line_prefix)s(?: error:)?\s*client(?: @\S*)? <HOST>#\S+(?: \([\S.]+\))?: <F-CONTENT>.+</F-CONTENT>\s(?:denied|\(NOTAUTH\))\s*$
 
-failregex = ^(view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$
-            ^zone transfer '\S+/AXFR/\w+' denied\s*$
-            ^bad zone transfer request: '\S+/IN': non-authoritative zone \(NOTAUTH\)\s*$
+failregex = ^(?:view (?:internal|external): )?query(?: \(cache\))?
+            ^zone transfer
+            ^bad zone transfer request: '\S+/IN': non-authoritative zone
 
 ignoreregex =