From 36533de6bcf5cfa0a9c5c90d653bd0bf211ef97d Mon Sep 17 00:00:00 2001
From: Daniel Black <grooverdan@users.sourceforge.net>
Date: Sat, 4 Jan 2014 08:21:22 +1100
Subject: [PATCH] ENH: more filter expressions for freeswitch. Anchored
 existing one at end too

---
 config/filter.d/freeswitch.conf | 5 ++++-
 testcases/files/logs/freeswitch | 9 +++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/config/filter.d/freeswitch.conf b/config/filter.d/freeswitch.conf
index 3835c5ad..7356286a 100644
--- a/config/filter.d/freeswitch.conf
+++ b/config/filter.d/freeswitch.conf
@@ -5,10 +5,13 @@
 
 [Definition]
 
-failregex = ^\.\d+ \[WARNING\] sofia_reg.c:\d+ SIP auth (failure|challenge) \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[.*\] from ip <HOST>
+failregex = ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure|challenge) \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[.*\] from ip <HOST>$
+            ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ Can't find user \[\d+@\d+\.\d+\.\d+\.\d+\] from <HOST>$
+            ^\.\d+ \[DEBUG\] sofia\.c:\d+ IP <HOST> Rejected by acl "\S+"\. Falling back to Digest auth\.$
 
 ignoreregex =
 
 # Author: Rupa SChomaker, soapee01, Daniel Black
 # http://wiki.freeswitch.org/wiki/Fail2ban
+# Thanks to Jim on mailing list of samples and guidance
 #
diff --git a/testcases/files/logs/freeswitch b/testcases/files/logs/freeswitch
index 96e2b1cf..8b0ebec4 100644
--- a/testcases/files/logs/freeswitch
+++ b/testcases/files/logs/freeswitch
@@ -1,2 +1,11 @@
 # failJSON: { "time": "2013-12-31T17:39:54", "match": true, "host": "81.94.202.251" }
 2013-12-31 17:39:54.767815 [WARNING] sofia_reg.c:1533 SIP auth challenge (INVITE) on sofia profile 'internal' for [011448708752617@192.168.2.51] from ip 81.94.202.251
+# failJSON: { "time": "2013-12-31T17:39:54", "match": true, "host": "5.11.47.236" }
+2013-12-31 17:39:54.767815 [WARNING] sofia_reg.c:1478 SIP auth failure (INVITE) on sofia profile 'internal' for [000972543480510@192.168.2.51] from ip 5.11.47.236
+# failJSON: { "time": "2013-12-31T17:39:54", "match": true, "host": "185.24.234.141" }
+2013-12-31 17:39:54.767815 [DEBUG] sofia.c:7954 IP 185.24.234.141 Rejected by acl "domains". Falling back to Digest auth.
+
+# failJSON: { "time": "2013-12-31T17:39:54", "match": true, "host": "5.11.47.236" }
+2013-12-31 17:39:54.767815 [WARNING] sofia_reg.c:2531 Can't find user [1001@192.168.2.51] from 5.11.47.236
+# failJSON: { "time": "2013-12-31T17:39:54", "match": true, "host": "185.24.234.141" }
+2013-12-31 17:39:54.767815 [WARNING] sofia_reg.c:2531 Can't find user [100@192.168.2.51] from 185.24.234.141