Merge branch 'sample-log-meta-data'

Conflicts:
    testcases/files/logs/dovecot

fail2ban-testcases

@@ -27,6 +27,14 @@ __license__ = "GPL"
 
 import unittest, logging, sys, time, os
 
+if sys.version_info >= (2, 6):
+	import json
+else:
+	try:
+		import simplejson as json
+	except ImportError:
+		json = None
+
 from common.version import version
 from testcases import banmanagertestcase
 from testcases import clientreadertestcase
@@ -37,6 +45,8 @@ from testcases import datedetectortestcase
 from testcases import actiontestcase
 from testcases import sockettestcase
 from testcases import misctestcase
+if json:
+	from testcases import samplestestcase
 
 from testcases.utils import FormatterWithTraceBack
 from server.mytime import MyTime
@@ -170,6 +180,11 @@ tests.addTest(unittest.makeSuite(filtertestcase.JailTests))
 
 # DateDetector
 tests.addTest(unittest.makeSuite(datedetectortestcase.DateDetectorTest))
+if json:
+	# Filter Regex tests with sample logs
+	tests.addTest(unittest.makeSuite(samplestestcase.FilterSamplesRegex))
+else:
+	print "I: Skipping filter samples testing. No simplejson/json module"
 
 #
 # Extensive use-tests of different available filters backends

server/filter.py

@@ -284,7 +284,7 @@ class Filter(JailThread):
 		return False
 
 
-	def processLine(self, line):
+	def processLine(self, line, returnRawHost=False):
 		"""Split the time portion from log msg and return findFailures on them
 		"""
 		try:
@@ -306,7 +306,7 @@ class Filter(JailThread):
 		else:
 			timeLine = l
 			logLine = l
-		return self.findFailure(timeLine, logLine)
+		return self.findFailure(timeLine, logLine, returnRawHost)
 
 	def processLineAndAdd(self, line):
 		"""Processes the line for failures and populates failManager
@@ -348,7 +348,7 @@ class Filter(JailThread):
 	# to find the logging time.
 	# @return a dict with IP and timestamp.
 
-	def findFailure(self, timeLine, logLine):
+	def findFailure(self, timeLine, logLine, returnRawHost=False):
 		failList = list()
 		# Checks if we must ignore this line.
 		if self.ignoreLine(logLine):
@@ -371,6 +371,9 @@ class Filter(JailThread):
 				else:
 					try:
 						host = failRegex.getHost()
+						if returnRawHost:
+							failList.append([host, date])
+							break
 						ipMatch = DNSUtils.textToIp(host, self.__useDns)
 						if ipMatch:
 							for ip in ipMatch:

testcases/files/logs/3proxy

@@ -1,3 +1,6 @@
+# failJSON: { "time": "2013-06-11T02:09:40", "match": true , "host": "1.2.3.4" }
 11-06-2013 02:09:40 +0300 PROXY.3128 00004 - 1.2.3.4:28783 0.0.0.0:0 0 0 0 GET http://www.yandex.ua/?ncrnd=2169807731 HTTP/1.1
+# failJSON: { "time": "2013-06-11T02:09:43", "match": true , "host": "1.2.3.4" }
 11-06-2013 02:09:43 +0300 PROXY.3128 00005 ewr 1.2.3.4:28788 0.0.0.0:0 0 0 0 GET http://www.yandex.ua/?ncrnd=2169807731 HTTP/1.1
+# failJSON: { "time": "2013-06-13T01:39:34", "match": true , "host": "1.2.3.4" }
 13-06-2013 01:39:34 +0300 PROXY.3128 00508 - 1.2.3.4:28938 0.0.0.0:0 0 0 0 

testcases/files/logs/apache-auth

@@ -1,5 +1,7 @@
 # Should not match -- DoS vector https://vndh.net/note:fail2ban-089-denial-service
+# failJSON: { "match": false }
 [Sat Jun 01 02:17:42 2013] [error] [client 192.168.33.1] File does not exist: /srv/http/site/[client 192.168.0.1] user root not found
 
 # should match
+# failJSON: { "time": "2005-06-01T02:17:42", "match": true , "host": "192.168.0.2" }
 [Sat Jun 01 02:17:42 2013] [error] [client 192.168.0.2] user root not found

testcases/files/logs/apache-nohome

@@ -1,4 +1,6 @@
 # Apache 2.2
+# failJSON: { "time": "2005-06-01T11:23:08", "match": true , "host": "1.2.3.4" }
 [Sat Jun 01 11:23:08 2013] [error] [client 1.2.3.4] File does not exist: /xxx/~
 # Apache 2.4
+# failJSON: { "time": "2005-06-27T11:55:44", "match": true , "host": "192.0.2.12" }
 [Thu Jun 27 11:55:44.569531 2013] [core:info] [pid 4101:tid 2992634688] [client 192.0.2.12:46652] AH00128: File does not exist: /xxx/~

testcases/files/logs/apache-noscript

@@ -1 +1,2 @@
+# failJSON: { "time": "2005-06-09T07:57:47", "match": true , "host": "192.0.43.10" }
 [Sun Jun 09 07:57:47 2013] [error] [client 192.0.43.10] script '/usr/lib/cgi-bin/gitweb.cgiwp-login.php' not found or unable to stat

testcases/files/logs/apache-overflows

@@ -1,2 +1,4 @@
+# failJSON: { "time": "2005-03-16T15:39:29", "match": true , "host": "58.179.109.179" }
 [Tue Mar 16 15:39:29 2010] [error] [client 58.179.109.179] Invalid URI in request \xf9h\xa9\xf3\x88\x8cXKj \xbf-l*4\x87n\xe4\xfe\xd4\x1d\x06\x8c\xf8m\\rS\xf6n\xeb\x8
+# failJSON: { "time": "2005-03-15T15:44:47", "match": true , "host": "121.222.2.133" }
 [Mon Mar 15 15:44:47 2010] [error] [client 121.222.2.133] Invalid URI in request n\xed*\xbe*\xab\xefd\x80\xb5\xae\xf6\x01\x10M?\xf2\xce\x13\x9c\xd7\xa0N\xa7\xdb%0\xde\xe0\xfc\xd2\xa0\xfe\xe9w\xee\xc4`v\x9b[{\x0c:\xcb\x93\xc6\xa0\x93\x9c`l\\\x8d\xc9

testcases/files/logs/assp

@@ -1,13 +1,25 @@
+# failJSON: { "time": "2013-04-07T07:08:36", "match": true , "host": "68.171.223.68" }
 Apr-07-13 07:08:36 [SSL-out] 68.171.223.68 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
+# failJSON: { "time": "2013-04-07T07:08:36", "match": true , "host": "68.171.223.68" }
 Apr-07-13 07:08:36 [SSL-out] 68.171.223.68 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
+# failJSON: { "time": "2013-04-07T07:10:37", "match": true , "host": "68.171.223.68" }
 Apr-07-13 07:10:37 [SSL-out] 68.171.223.68 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
+# failJSON: { "time": "2013-04-07T07:12:37", "match": true , "host": "68.171.223.68" }
 Apr-07-13 07:12:37 [SSL-out] 68.171.223.68 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
+# failJSON: { "time": "2013-04-07T07:14:36", "match": true , "host": "68.171.223.68" }
 Apr-07-13 07:14:36 [SSL-out] 68.171.223.68 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
+# failJSON: { "time": "2013-04-27T02:25:09", "match": true , "host": "217.194.197.97" }
 Apr-27-13 02:25:09 Blocking 217.194.197.97 - too much AUTH errors (8);
+# failJSON: { "time": "2013-04-27T02:25:09", "match": true , "host": "217.194.197.97" }
 Apr-27-13 02:25:09 Blocking 217.194.197.97 - too much AUTH errors (9);
+# failJSON: { "time": "2013-04-27T02:25:09", "match": true , "host": "217.194.197.97" }
 Apr-27-13 02:25:09 Blocking 217.194.197.97 - too much AUTH errors (10);
+# failJSON: { "time": "2013-04-27T02:25:10", "match": true , "host": "217.194.197.97" }
 Apr-27-13 02:25:10 [SSL-out] 217.194.197.97 max sender authentication errors (5) exceeded -- dropping connection - after reply: 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6;
+# failJSON: { "time": "2013-04-27T02:25:10", "match": true , "host": "217.194.197.97" }
 Apr-27-13 02:25:10 [SSL-out] 217.194.197.97 max sender authentication errors (5) exceeded -- dropping connection - after reply: 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6;
+# failJSON: { "time": "2013-04-27T02:25:10", "match": true , "host": "217.194.197.97" }
 Apr-27-13 02:25:10 [SSL-out] 217.194.197.97 max sender authentication errors (5) exceeded -- dropping connection - after reply: 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6;
+# failJSON: { "time": "2013-04-27T02:25:11", "match": true , "host": "217.194.197.97" }
 Apr-27-13 02:25:11 [SSL-out] 217.194.197.97 max sender authentication errors (5) exceeded -- dropping connection - after reply: 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6;
 

testcases/files/logs/asterisk

@@ -1,22 +1,40 @@
 # Sample log files for asterisk 
+# failJSON: { "time": "2012-02-13T17:21:54", "match": true , "host": "1.2.3.4" }
 [2012-02-13 17:21:54] NOTICE[1638] chan_sip.c: Registration from '<sip:301@example.com>' failed for '1.2.3.4' - Wrong password
+# failJSON: { "time": "2012-02-13T17:18:22", "match": true , "host": "1.2.3.4" }
 [2012-02-13 17:18:22] NOTICE[1638] chan_sip.c: Registration from '<sip:301@example.com>' failed for '1.2.3.4' - No matching peer found
+# failJSON: { "time": "2012-02-13T17:21:21", "match": true , "host": "1.2.3.4" }
 [2012-02-13 17:21:21] NOTICE[1638] chan_sip.c: Registration from '<sip:301@example.com>' failed for '1.2.3.4' - Username/auth name mismatch
+# failJSON: { "time": "2012-02-13T17:32:01", "match": true , "host": "1.2.3.4" }
 [2012-02-13 17:32:01] NOTICE[1638] chan_sip.c: Registration from '<sip:301@example.com>' failed for '1.2.3.4' - Device does not match ACL
+# failJSON: { "time": "2012-02-13T17:34:10", "match": true , "host": "1.2.3.4" }
 [2012-02-13 17:34:10] NOTICE[1638] chan_sip.c: Registration from '<sip:301@example.com>' failed for '1.2.3.4' - Peer is not supposed to register
+# failJSON: { "time": "2012-02-13T17:36:23", "match": true , "host": "1.2.3.4" }
 [2012-02-13 17:36:23] NOTICE[1638] chan_sip.c: Registration from '<sip:301@example.com>' failed for '1.2.3.4' - ACL error (permit/deny)
+# failJSON: { "time": "2012-02-13T17:53:59", "match": true , "host": "1.2.3.4" }
 [2012-02-13 17:53:59] NOTICE[1638] chan_iax2.c: Host 1.2.3.4 failed to authenticate as 'Fail2ban'
+# failJSON: { "time": "2012-02-13T17:39:20", "match": true , "host": "1.2.3.4" }
 [2012-02-13 17:39:20] NOTICE[1638] chan_iax2.c: No registration for peer 'Fail2ban' (from 1.2.3.4)
+# failJSON: { "time": "2012-02-13T17:44:26", "match": true , "host": "1.2.3.4" }
 [2012-02-13 17:44:26] NOTICE[1638] chan_iax2.c: Host 1.2.3.4 failed MD5 authentication for 'Fail2ban' (e7df7cd2ca07f4f1ab415d457a6e1c13 != 53ac4bc41ee4ec77888ed4aa50677247)
+# failJSON: { "time": "2012-02-13T17:37:07", "match": true , "host": "1.2.3.4" }
 [2012-02-13 17:37:07] NOTICE[1638] chan_sip.c: Failed to authenticate user "Fail2ban" <sip:301@1.2.3.4>;tag=1r698745234
+# failJSON: { "time": "2013-02-05T23:44:42", "match": true , "host": "1.2.3.4" }
 [2013-02-05 23:44:42] NOTICE[436][C-00000fa9] chan_sip.c: Call from '' (1.2.3.4:10836) to extension '0972598285108' rejected because extension not found in context 'default'.
+# failJSON: { "time": "2013-03-26T15:47:54", "match": true , "host": "1.2.3.4" }
 [2013-03-26 15:47:54] NOTICE[1237] chan_sip.c: Registration from '"100"sip:100@1.2.3.4' failed for '1.2.3.4:23930' - No matching peer found
+# failJSON: { "time": "2013-05-13T07:10:53", "match": true , "host": "1.2.3.4" }
 [2013-05-13 07:10:53] SECURITY[1204] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="1368439853-500975",Severity="Error",Service="SIP",EventVersion="1",AccountID="00972599580679",SessionID="0x7f8ecc0421f8",LocalAddress="IPV4/UDP/1.2.3.4/5060",RemoteAddress="IPV4/UDP/1.2.3.4/5070"
+# failJSON: { "time": "2013-06-10T18:15:03", "match": true , "host": "1.2.3.4" }
 [2013-06-10 18:15:03] NOTICE[2723] chan_sip.c: Registration from '"100"<sip:100@192.168.0.2:5060>' failed for '1.2.3.4' - Not a local domain
 # http://forum.4psa.com/showthread.php?t=6601
+# failJSON: { "time": "2009-12-22T16:35:24", "match": true , "host": "192.168.2.102" }
 [2009-12-22 16:35:24] NOTICE[6163] chan_sip.c: Sending fake auth rejection for device <sip:0004*001@192.168.2.102>;tag=e3793a95e1acbc69o
 # http://www.freepbx.org/forum/general-help/fake-auth-rejection
+# failJSON: { "time": "2009-12-22T16:35:24", "match": true , "host": "192.168.2.102" }
 [2009-12-22 16:35:24] NOTICE[1570][C-00000086] chan_sip.c: Sending fake auth rejection for device 1022<sip:1022@192.168.2.102>;tag=5d8b6f92
 # http://www.spinics.net/lists/asterisk/msg127381.html
+# failJSON: { "time": "2009-12-22T16:35:24", "match": true , "host": "192.168.2.102" }
 [2009-12-22 16:35:24] NOTICE[14916]: chan_sip.c:15644 handle_request_subscribe: Sending fake auth rejection for user <sip:CS@192.168.2.102>;tag=6pwd6erg54
+# failJSON: { "time": "2013-07-06T09:09:25", "match": true , "host": "141.255.164.106" }
 [2013-07-06 09:09:25] SECURITY[3308] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1373098165-824497",Severity="Error",Service="SIP",EventVersion="2",AccountID="972592891005",SessionID="0x88aab6c",LocalAddress="IPV4/UDP/92.28.73.180/5060",RemoteAddress="IPV4/UDP/141.255.164.106/5084",Challenge="41d26de5",ReceivedChallenge="41d26de5",ReceivedHash="7a6a3a2e95a05260aee612896e1b4a39"

testcases/files/logs/dovecot

@@ -1,18 +1,31 @@
+# failJSON: { "time": "2010-09-16T07:51:00", "match": true , "host": "80.187.101.33" }
 @400000004c91b044077a9e94 imap-login: Info: Aborted login (auth failed, 1 attempts): user=<martin@waschbuesch.de>, method=CRAM-MD5, rip=80.187.101.33, lip=80.254.129.240, TLS
 
-@e040c6d8a3bfa62d358083300119c259cd44dcd0 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=web rhost=176.61.140.224
+# failJSON: { "time": "2010-09-16T07:51:00", "match": true , "host": "176.61.140.224" }
+@400000004c91b044077a9e94 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=web rhost=176.61.140.224
 # Above example with injected rhost into ruser -- should not match for 1.2.3.4
-@e040c6d8a3bfa62d358083300119c259cd44dcd0 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=rhost=1.2.3.4 rhost=192.0.43.10
-@e040c6d8a3bfa62d358083300119c259cd44dcd0 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=root rhost=176.61.140.225  user=root
+# failJSON: { "time": "2010-09-16T07:51:00", "match": true , "host": "192.0.43.10" }
+@400000004c91b044077a9e94 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=rhost=1.2.3.4 rhost=192.0.43.10
+# failJSON: { "time": "2010-09-16T07:51:00", "match": true , "host": "176.61.140.225" }
+@400000004c91b044077a9e94 dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=root rhost=176.61.140.225  user=root
 
+# failJSON: { "time": "2004-12-12T11:19:11", "match": true , "host": "190.210.136.21" }
 Dec 12 11:19:11 dunnart dovecot: pop3-login: Aborted login (tried to use disabled plaintext auth): rip=190.210.136.21, lip=113.212.99.193
 
+# failJSON: { "time": "2005-06-13T16:30:54", "match": true , "host": "49.176.98.87" }
 Jun 13 16:30:54 platypus dovecot: imap-login: Disconnected (auth failed, 2 attempts): user=<username.bob>, method=PLAIN, rip=49.176.98.87, lip=113.212.99.194, TLS
+# failJSON: { "time": "2005-06-14T00:48:21", "match": true , "host": "59.167.242.100" }
 Jun 14 00:48:21 platypus dovecot: imap-login: Disconnected (auth failed, 1 attempts): method=PLAIN, rip=59.167.242.100, lip=113.212.99.194, TLS: Disconnected
+# failJSON: { "time": "2005-06-13T20:48:11", "match": true , "host": "121.44.24.254" }
 Jun 13 20:48:11 platypus dovecot: pop3-login: Disconnected (no auth attempts): rip=121.44.24.254, lip=113.212.99.194, TLS: Disconnected
+# failJSON: { "time": "2005-06-13T21:48:06", "match": true , "host": "180.200.180.81" }
 Jun 13 21:48:06 platypus dovecot: pop3-login: Disconnected: Inactivity (no auth attempts): rip=180.200.180.81, lip=113.212.99.194, TLS
+# failJSON: { "time": "2005-06-13T20:20:21", "match": true , "host": "180.189.168.166" }
 Jun 13 20:20:21 platypus dovecot: imap-login: Disconnected (no auth attempts): rip=180.189.168.166, lip=113.212.99.194, TLS handshaking: Disconnected
+# failJSON: { "time": "2005-06-23T00:52:43", "match": true , "host": "193.95.245.163" }
 Jun 23 00:52:43 vhost1-ua dovecot: pop3-login: Disconnected: Inactivity (auth failed, 1 attempts): user=<info>, method=PLAIN, rip=193.95.245.163, lip=176.214.13.210
 
+# failJSON: { "time": "2005-07-02T13:49:31", "match": true , "host": "192.51.100.13" }
 Jul 02 13:49:31 hostname dovecot[442]: pop3-login: Aborted login (auth failed, 1 attempts in 17 secs): user=<test>, method=PLAIN, rip=192.51.100.13, lip=203.0.113.17, session=<YADINsQCDs5BH8Pg>
+# failJSON: { "time": "2005-07-02T13:49:32", "match": true , "host": "192.51.100.13" }
 Jul 02 13:49:32 hostname dovecot[442]: pop3-login: Disconnected (no auth attempts in 58 secs): user=<>, rip=192.51.100.13, lip=203.0.113.17, session=<LgDINsQCkttVIMPg>

testcases/files/logs/exim

@@ -1,19 +1,31 @@
 # From IRC 2013-01-04
+# failJSON: { "time": "2013-01-04T17:03:46", "match": true , "host": "24.106.174.74" }
 2013-01-04 17:03:46 login authenticator failed for rrcs-24-106-174-74.se.biz.rr.com ([192.168.2.33]) [24.106.174.74]: 535 Incorrect authentication data (set_id=brian)
 # From IRC 2013-06-13 XATRIX (Georgiy Mernov)
+# failJSON: { "time": "2013-06-12T03:57:58", "match": true , "host": "120.196.140.45" }
 2013-06-12 03:57:58 login authenticator failed for (ylmf-pc) [120.196.140.45]: 535 Incorrect authentication data: 1 Time(s)
+# failJSON: { "time": "2013-06-12T13:18:11", "match": true , "host": "101.66.165.86" }
 2013-06-12 13:18:11 login authenticator failed for (USER-KVI9FGS9KP) [101.66.165.86]: 535 Incorrect authentication data
+# failJSON: { "time": "2013-06-10T10:10:59", "match": true , "host": "193.169.56.211" }
 2013-06-10 10:10:59 H=ufficioestampa.it (srv.ufficioestampa.it) [193.169.56.211] sender verify fail for <user@example.com>: Unrouteable address
 # http://forum.lissyara.su/viewtopic.php?f=20&t=29857
 # 2010-11-24 21:48:41 1PLKOW-00046U-EW F=wvhluo@droolindog.com H=93-143-146-237.adsl.net.t-com.hr (droolindog.com) [93.143.146.237] I=[10.10.10.32]:25 P=esmtp temporarily rejected by local_scan(): Temporary local problem
 # http://us.generation-nt.com/answer/exim-spamassassin-2010-0-x64-help-204020461.html
 # 2011-07-07 15:44:16 1QexIu-0006dj-PX F=XXXXXX@XXXXXXXXXXXX H=localhost (saf.bio.caltech.edu) [127.0.0.1] P=esmtp temporarily rejected by local_scan(): Local configuration error - local_scan() library failure/usr/lib/exim/sa-exim.so: cannot open shared object file: No such file or directory
+# failJSON: { "time": "2013-06-10T18:33:32", "match": true , "host": "202.132.70.178" }
 2013-06-10 18:33:32 [10099] H=(yakult.com.tw) [202.132.70.178]:3755 I=[1.2.3.4]:25 F=menacedsj04@listserv.eurasia.org rejected RCPT dir@ml3.ru: relay not permitted
+# failJSON: { "time": "2013-06-02T06:54:20", "match": true , "host": "211.148.195.192" }
 2013-06-02 06:54:20 [13314] SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[211.148.195.192]:25936 I=[1.2.3.4]:25 input="GET / HTTP/1.1\r\n\r\n"
+# failJSON: { "time": "2013-06-02T09:05:48", "match": true , "host": "82.96.160.77" }
 2013-06-02 09:05:48 [18505] SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "RSET" H=ba77.mx83.fr [82.96.160.77]:58302 I=[1.2.3.4]:25 next input="QUIT\r\n"
+# failJSON: { "time": "2013-06-02T09:22:05", "match": true , "host": "163.14.21.161" }
 2013-06-02 09:22:05 [19591] SMTP call from pc012-6201.spo.scu.edu.tw [163.14.21.161]:3767 I=[1.2.3.4]:25 dropped: too many nonmail commands (last was "RSET")
+# failJSON: { "time": "2013-06-02T15:06:18", "match": true , "host": "46.20.35.114" }
 2013-06-02 15:06:18 H=(VM-WIN2K3-1562) [46.20.35.114] sender verify fail for <usfh@technological-systems.com>: Unknown user
+# failJSON: { "time": "2013-06-07T02:02:09", "match": true , "host": "91.232.21.92" }
 2013-06-07 02:02:09 H=treeladders.kiev.ua [91.232.21.92] sender verify fail for <mailer@treeladders.kiev.ua>: all relevant MX records point to non-existent hosts
+# failJSON: { "time": "2013-06-15T16:34:55", "match": true , "host": "182.18.24.93" }
 2013-06-15 16:34:55 H=mx.tillions.com [182.18.24.93] F=<buh@caladan.ebay.sun.com> rejected RCPT <ruslan@maslovskiy.com.ua>: Sender verify failed
+# failJSON: { "time": "2013-06-15T16:36:49", "match": true , "host": "111.67.203.116" }
 2013-06-15 16:36:49 H=altmx.marsukov.com [111.67.203.116] F=<kadrofutcheti@mail.ru> rejected RCPT <oksana@birzhatm.ua>: Unknown user
 

testcases/files/logs/exim-spam

@@ -3,10 +3,15 @@
 # http://us.generation-nt.com/answer/exim-spamassassin-2010-0-x64-help-204020461.html
 # 2011-07-07 15:44:16 1QexIu-0006dj-PX F=XXXXXX@XXXXXXXXXXXX H=localhost (saf.bio.caltech.edu) [127.0.0.1] P=esmtp temporarily rejected by local_scan(): Local configuration error - local_scan() library failure/usr/lib/exim/sa-exim.so: cannot open shared object file: No such file or directory
 # http://www.clues.ltd.uk/howto/debian-sa-fprot-HOWTO.html
+# failJSON: { "time": "2004-01-18T07:15:35", "match": true , "host": "4.47.28.40" }
 2004-01-18 07:15:35 1Ai79e-0000Dq-8i F=uzwltcmwto24@melissacam.biz H=lsanca1-ar3-4-47-028-040.lsanca1.elnk.dsl.genuity.net [4.47.28.40] P=smtp rejected by local_scan(): Rejected: hits=7.5 required=5.0 trigger=5.0
 # https://github.com/fail2ban/fail2ban/pull/251#issuecomment-19493875
+# failJSON: { "time": "2013-06-15T11:19:33", "match": true , "host": "2.181.148.95" }
 2013-06-15 11:19:33 [2249] H=([2.181.148.95]) [2.181.148.95]:52391 I=[1.2.3.4]:25 F=fantasizesg4@google.com rejected RCPT some@email.com: rejected found in dnsbl zen.spamhaus.org
+# failJSON: { "time": "2013-06-09T10:21:28", "match": true , "host": "46.254.240.82" }
 2013-06-09 10:21:28 [14127] 1UlasQ-0003fr-45 F=mcorporation4@aol.com H=(mail38.fssprus.ru) [46.254.240.82]:43671 I=[1.2.3.4]:25 P=esmtp rejected by local_scan(): Rejected
+# failJSON: { "time": "2013-06-15T11:20:36", "match": true , "host": "83.235.177.148" }
 2013-06-15 11:20:36 [2516] 1Unmew-0000ea-SE H=egeftech.static.otenet.gr [83.235.177.148]:32706 I=[1.2.3.4]:25 F=auguriesvbd40@google.com rejected after DATA: This message contains a virus (Sanesecurity.Junk.39934.UNOFFICIAL).
+# failJSON: { "time": "2013-06-16T02:50:43", "match": true , "host": "111.67.203.114" }
 2013-06-16 02:50:43 H=dbs.marsukov.com [111.67.203.114] F=<trudofspiori@mail.ru> rejected RCPT <info@nanomedtech.ua>: rejected because 111.67.203.114 is in a black list at dnsbl.sorbs.net\nCurrently Sending Spam See: http://www.sorbs.net/lookup.shtml?111.67.203.114
 

testcases/files/logs/lighttpd-auth

@@ -1,3 +1,5 @@
 #authentification failure (mod_auth)
+# failJSON: { "time": "2011-12-25T17:09:20", "match": true , "host": "4.4.4.4" }
 2011-12-25 17:09:20: (http_auth.c.875) password doesn't match for /gitweb/ username: francois, IP: 4.4.4.4
+# failJSON: { "time": "2012-09-26T10:24:35", "match": true , "host": "4.4.4.4" }
 2012-09-26 10:24:35: (http_auth.c.1136) digest: auth failed for  xxx : wrong password, IP: 4.4.4.4

testcases/files/logs/mysqld-auth

@@ -1,6 +1,12 @@
+# failJSON: { "time": "2013-03-24T00:04:00", "match": true , "host": "192.168.1.35" }
 130324  0:04:00 [Warning] Access denied for user 'root'@'192.168.1.35' (using password: NO)
+# failJSON: { "time": "2013-03-24T08:24:09", "match": true , "host": "220.95.238.171" }
 130324  8:24:09 [Warning] Access denied for user 'root'@'220.95.238.171' (using password: NO)
+# failJSON: { "time": "2013-03-24T17:56:13", "match": true , "host": "61.160.223.112" }
 130324 17:56:13 [Warning] Access denied for user 'root'@'61.160.223.112' (using password: NO)
+# failJSON: { "time": "2013-03-24T17:56:14", "match": true , "host": "61.160.223.112" }
 130324 17:56:14 [Warning] Access denied for user 'root'@'61.160.223.112' (using password: YES)
+# failJSON: { "time": "2013-03-24T19:01:39", "match": true , "host": "61.147.108.35" }
 130324 19:01:39 [Warning] Access denied for user 'root'@'61.147.108.35' (using password: NO)
+# failJSON: { "time": "2013-03-24T19:01:40", "match": true , "host": "61.147.108.35" }
 130324 19:01:40 [Warning] Access denied for user 'root'@'61.147.108.35' (using password: YES)

testcases/files/logs/named-refused

@@ -1,6 +1,12 @@
+# failJSON: { "time": "2005-07-24T14:16:55", "match": true , "host": "194.145.196.18" }
 Jul 24 14:16:55 raid5 named[3935]: client 194.145.196.18#4795: query 'ricreig.com/NS/IN' denied
+# failJSON: { "time": "2005-07-24T14:16:56", "match": true , "host": "62.123.164.113" }
 Jul 24 14:16:56 raid5 named[3935]: client 62.123.164.113#32768: query 'ricreig.com/NS/IN' denied
+# failJSON: { "time": "2005-07-24T14:17:13", "match": true , "host": "148.160.29.6" }
 Jul 24 14:17:13 raid5 named[3935]: client 148.160.29.6#33081: query (cache) 'geo-mueller.de/NS/IN' denied
+# failJSON: { "time": "2005-07-24T14:20:25", "match": true , "host": "148.160.29.6" }
 Jul 24 14:20:25 raid5 named[3935]: client 148.160.29.6#33081: query (cache) 'shivaree.de/NS/IN' denied
+# failJSON: { "time": "2005-07-24T14:23:36", "match": true , "host": "148.160.29.6" }
 Jul 24 14:23:36 raid5 named[3935]: client 148.160.29.6#33081: query (cache) 'mietberatung.de/NS/IN' denied
+# failJSON: { "time": "2005-07-24T14:23:36", "match": true , "host": "62.109.4.89" }
 Jul 24 14:23:36 raid5 named[3935]: client 62.109.4.89#9334: view external: query (cache) './NS/IN' denied

testcases/files/logs/pam-generic

@@ -1,7 +1,14 @@
+# failJSON: { "time": "2005-02-07T15:10:42", "match": true , "host": "192.168.1.1" }
 Feb  7 15:10:42 example pure-ftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=pure-ftpd ruser=sample-user rhost=192.168.1.1 
+# failJSON: { "time": "2005-05-12T09:47:54", "match": true , "host": "71-13-115-12.static.mdsn.wi.charter.com" }
 May 12 09:47:54 vaio sshd[16004]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=71-13-115-12.static.mdsn.wi.charter.com  user=root
+# failJSON: { "time": "2005-05-12T09:48:03", "match": true , "host": "71-13-115-12.static.mdsn.wi.charter.com" }
 May 12 09:48:03 vaio sshd[16021]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=71-13-115-12.static.mdsn.wi.charter.com
+# failJSON: { "time": "2005-05-15T18:02:12", "match": true , "host": "66.232.129.62" }
 May 15 18:02:12 localhost proftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=66.232.129.62  user=mark
+# failJSON: { "time": "2004-11-25T17:12:13", "match": true , "host": "192.168.10.3" }
 Nov 25 17:12:13 webmail pop(pam_unix)[4920]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.168.10.3 user=mailuser
+# failJSON: { "time": "2005-07-19T18:11:26", "match": true , "host": "www3.google.com" }
 Jul 19 18:11:26 srv2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=an8767 rhost=www3.google.com
+# failJSON: { "time": "2005-07-19T18:11:26", "match": true , "host": "www3.google.com" }
 Jul 19 18:11:26 srv2 vsftpd: pam_unix: authentication failure; logname= uid=0 euid=0 tty=ftp ruser=an8767 rhost=www3.google.com

testcases/files/logs/postfix

@@ -1,3 +1,4 @@
 # per https://github.com/fail2ban/fail2ban/issues/125
 # and https://github.com/fail2ban/fail2ban/issues/126
+# failJSON: { "time": "2005-02-21T09:21:54", "match": true , "host": "192.0.43.10" }
 Feb 21 09:21:54 xxx postfix/smtpd[14398]: NOQUEUE: reject: RCPT from example.com[192.0.43.10]: 450 4.7.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo=

testcases/files/logs/proftpd

@@ -1,8 +1,14 @@
+# failJSON: { "time": "2005-01-10T00:00:00", "match": true , "host": "123.123.123.123" }
 Jan 10 00:00:00 myhost proftpd[12345] myhost.domain.com (123.123.123.123[123.123.123.123]): USER username (Login failed): User in /etc/ftpusers
+# failJSON: { "time": "2005-02-01T00:00:00", "match": true , "host": "123.123.123.123" }
 Feb 1 00:00:00 myhost proftpd[12345] myhost.domain.com (123.123.123.123[123.123.123.123]): USER username: no such user found from 123.123.123.123 [123.123.123.123] to 234.234.234.234:21 
+# failJSON: { "time": "2005-06-09T07:30:58", "match": true , "host": "67.227.224.66" }
 Jun 09 07:30:58 platypus.ace-hosting.com.au proftpd[11864] platypus.ace-hosting.com.au (mail.bloodymonster.net[::ffff:67.227.224.66]): USER username (Login failed): Incorrect password.
+# failJSON: { "time": "2005-06-09T11:15:43", "match": true , "host": "101.71.143.238" }
 Jun 09 11:15:43 platypus.ace-hosting.com.au proftpd[17424] platypus.ace-hosting.com.au (::ffff:101.71.143.238[::ffff:101.71.143.238]): USER god: no such user found from ::ffff:101.71.143.238 [::ffff:101.71.143.238] to ::ffff:123.212.99.194:21
+# failJSON: { "time": "2005-06-13T22:07:23", "match": true , "host": "59.167.242.100" }
 Jun 13 22:07:23 platypus.ace-hosting.com.au proftpd[15719] platypus.ace-hosting.com.au (::ffff:59.167.242.100[::ffff:59.167.242.100]): SECURITY VIOLATION: root login attempted.
+# failJSON: { "time": "2005-06-14T00:09:59", "match": true , "host": "59.167.242.100" }
 Jun 14 00:09:59 platypus.ace-hosting.com.au proftpd[17839] platypus.ace-hosting.com.au (::ffff:59.167.242.100[::ffff:59.167.242.100]): USER platypus.ace-hosting.com.au proftpd[17424] platypus.ace-hosting.com.au (hihoinjection[1.2.3.44]): no such user found from ::ffff:59.167.242.100 [::ffff:59.167.242.100] to ::ffff:113.212.99.194:21
 
 

testcases/files/logs/pure-ftpd

@@ -1,2 +1,4 @@
+# failJSON: { "time": "2005-01-31T16:54:07", "match": true , "host": "24.79.92.194" }
 Jan 31 16:54:07 desktop pure-ftpd: (?@24.79.92.194) [WARNING] Authentication failed for user [Administrator]
+# failJSON: { "time": "2004-11-05T18:54:02", "match": true , "host": "server202181210195.ixlink.net" }
 Nov 5 18:54:02 pure-ftpd: (?@server202181210195.ixlink.net) [WARNING] Authentication failed for user [Administrator] 

testcases/files/logs/roundcube-auth

@@ -1,2 +1,4 @@
+# failJSON: { "time": "2013-01-22T22:28:21", "match": true , "host": "192.0.43.10" }
 [22-Jan-2013 22:28:21 +0200]: FAILED login for user1 from 192.0.43.10
+# failJSON: { "time": "2005-05-26T07:12:40", "match": true , "host": "10.1.1.47" }
 May 26 07:12:40 hamster roundcube: IMAP Error: Login failed for sales@example.com from 10.1.1.47

testcases/files/logs/sasl

@@ -1,5 +1,7 @@
 #1 Example from postfix from dbts #507990
+# failJSON: { "time": "2004-12-02T22:24:22", "match": true , "host": "114.44.142.233" }
 Dec  2 22:24:22 hel postfix/smtpd[7676]: warning: 114-44-142-233.dynamic.hinet.net[114.44.142.233]: SASL CRAM-MD5 authentication failed: PDc3OTEwNTkyNTEyMzA2NDIuMTIyODI1MzA2MUBoZWw+
 #2 Example from postfix from dbts #573314
+# failJSON: { "time": "2005-03-10T13:33:30", "match": true , "host": "1.1.1.1" }
 Mar 10 13:33:30 gandalf postfix/smtpd[3937]: warning: HOSTNAME[1.1.1.1]: SASL LOGIN authentication failed: authentication failure
 

testcases/files/logs/sogo-auth

@@ -1,17 +1,31 @@
 # yoh: Kept original apache log lines as well, just in case they might come useful
 #      for (testing) multiline regular expressions which would further constraint
 #      SOGo log lines
+# failJSON: { "match": false }
 Mar 24 08:58:32 sogod [26818]: <0x0xb8537990[LDAPSource]> <NSException: 0xb87c3008> NAME:LDAPException REASON:operation bind failed: Invalid credentials (0x31) INFO:{login = "uid=hack0r,ou=users,dc=mail,dc=example,dc=org"; }
+# failJSON: { "time": "2005-03-24T08:58:32", "match": true , "host": "173.194.44.31" }
 Mar 24 08:58:32 sogod [26818]: SOGoRootPage Login from '173.194.44.31' for user 'hack0r' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
+# failJSON: { "match": false }
 173.194.44.31 - - [24/Mar/2013:08:58:32 GMT] "POST /SOGo/connect HTTP/1.1" 403 34/38 0.311 - - 2M
+# failJSON: { "match": false }
 Mar 24 08:58:40 sogod [26818]: <0x0xb8537990[LDAPSource]> <NSException: 0xb87bb8d8> NAME:LDAPException REASON:operation bind failed: Invalid credentials (0x31) INFO:{login = "uid=kiddy,ou=users,dc=mail,dc=example,dc=org"; }
+# failJSON: { "time": "2005-03-24T08:58:40", "match": true , "host": "173.194.44.31" }
 Mar 24 08:58:40 sogod [26818]: SOGoRootPage Login from '173.194.44.31' for user 'kiddy' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
+# failJSON: { "match": false }
 173.194.44.31 - - [24/Mar/2013:08:58:40 GMT] "POST /SOGo/connect HTTP/1.1" 403 34/37 0.007 - - 32K
+# failJSON: { "match": false }
 Mar 24 08:58:50 sogod [26818]: <0x0xb8537990[LDAPSource]> <NSException: 0xb87c27f8> NAME:LDAPException REASON:operation bind failed: Invalid credentials (0x31) INFO:{login = "uid=plsBanMe,ou=users,dc=mail,dc=example,dc=org"; }
+# failJSON: { "time": "2005-03-24T08:58:50", "match": true , "host": "173.194.44.31" }
 Mar 24 08:58:50 sogod [26818]: SOGoRootPage Login from '173.194.44.31' for user 'plsBanMe' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
+# failJSON: { "match": false }
 173.194.44.31 - - [24/Mar/2013:08:58:50 GMT] "POST /SOGo/connect HTTP/1.1" 403 34/40 0.008 - - 0
+# failJSON: { "match": false }
 Mar 24 08:58:59 sogod [26818]: <0x0xb8537990[LDAPSource]> <NSException: 0xb87be830> NAME:LDAPException REASON:operation bind failed: Invalid credentials (0x31) INFO:{login = "uid=root,ou=users,dc=mail,dc=example,dc=org"; }
+# failJSON: { "time": "2005-03-24T08:58:59", "match": true , "host": "173.194.44.31" }
 Mar 24 08:58:59 sogod [26818]: SOGoRootPage Login from '173.194.44.31' for user 'root' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
+# failJSON: { "match": false }
 173.194.44.31 - - [24/Mar/2013:08:58:59 GMT] "POST /SOGo/connect HTTP/1.1" 403 34/36 0.007 - - 0
+# failJSON: { "match": false }
 Mar 24 08:59:04 sogod [26818]: <0x0xb8537990[LDAPSource]> <NSException: 0xb87bc088> NAME:LDAPException REASON:operation bind failed: Invalid credentials (0x31) INFO:{login = "uid=admin,ou=users,dc=mail,dc=example,dc=org"; }
+# failJSON: { "time": "2005-03-24T08:59:04", "match": true , "host": "173.194.44.31" }
 Mar 24 08:59:04 sogod [26818]: SOGoRootPage Login from '173.194.44.31' for user 'admin' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0

testcases/files/logs/sshd

@@ -1,51 +1,79 @@
 #1
+# failJSON: { "time": "2005-06-21T16:47:48", "match": true , "host": "192.030.0.6" }
 Jun 21 16:47:48 digital-mlhhyiqscv sshd[13709]: error: PAM: Authentication failure for myhlj1374 from 192.030.0.6
+# failJSON: { "time": "2005-05-29T20:56:52", "match": true , "host": "example.com" }
 May 29 20:56:52 imago sshd[28732]: error: PAM: Authentication failure for stefanor from example.com
 
 #2
+# failJSON: { "time": "2005-02-25T14:34:10", "match": true , "host": "194.117.26.69" }
 Feb 25 14:34:10 belka sshd[31602]: Failed password for invalid user ROOT from 194.117.26.69 port 50273 ssh2
+# failJSON: { "time": "2005-02-25T14:34:10", "match": true , "host": "194.117.26.70" }
 Feb 25 14:34:10 belka sshd[31602]: Failed password for invalid user ROOT from 194.117.26.70 port 12345
 
 #3
+# failJSON: { "time": "2005-01-05T01:31:41", "match": true , "host": "1.2.3.4" }
 Jan  5 01:31:41 www sshd[1643]: ROOT LOGIN REFUSED FROM 1.2.3.4
+# failJSON: { "time": "2005-01-05T01:31:41", "match": true , "host": "1.2.3.4" }
 Jan  5 01:31:41 www sshd[1643]: ROOT LOGIN REFUSED FROM ::ffff:1.2.3.4
 
 #4
+# failJSON: { "time": "2005-07-20T14:42:11", "match": true , "host": "211.114.51.213" }
 Jul 20 14:42:11 localhost sshd[22708]: Invalid user ftp from 211.114.51.213
 
 #5 new filter introduced after looking at 44087D8C.9090407@bluewin.ch
 # yoh: added ':' after [sshd] since the case without is not really common any more
+# failJSON: { "time": "2005-03-03T00:17:22", "match": true , "host": "211.188.220.49" }
 Mar  3 00:17:22 [sshd]: User root from 211.188.220.49 not allowed because not listed in AllowUsers
+# failJSON: { "time": "2005-02-25T14:34:11", "match": true , "host": "example.com" }
 Feb 25 14:34:11 belka sshd[31607]: User root from example.com not allowed because not listed in AllowUsers
 
 #6 ew filter introduced thanks to report Guido Bozzetto <reportbug@G-B.it>
+# failJSON: { "time": "2004-11-11T23:33:27", "match": true , "host": "218.249.210.161" }
 Nov 11 23:33:27 Server sshd[5174]: refused connect from _U2FsdGVkX19P3BCJmFBHhjLza8BcMH06WCUVwttMHpE=_@::ffff:218.249.210.161 (::ffff:218.249.210.161)
 
 #7 added exclamation mark to BREAK-IN
 #  Now should be a negative since we decided not to catch those
+# failJSON: { "match": false }
 Oct 15 19:51:35 server sshd[7592]: Address 1.2.3.4 maps to 1234.bbbbbb.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT
+# failJSON: { "match": false }
 Oct 15 19:51:35 server sshd[7592]: Address 1.2.3.4 maps to 1234.bbbbbb.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
 
 #8 DenyUsers https://github.com/fail2ban/fail2ban/issues/47
+# failJSON: { "time": "2005-04-16T22:01:15", "match": true , "host": "46.45.128.3" }
 Apr 16 22:01:15 al-ribat sshd[5154]: User root from 46.45.128.3 not allowed because listed in DenyUsers
 
 #9 OpenSolaris patch - pull https://github.com/fail2ban/fail2ban/pull/182
+# failJSON: { "time": "2005-03-29T05:59:23", "match": true , "host": "205.186.180.55" }
 Mar 29 05:59:23 dusky sshd[20878]: [ID 800047 auth.info] Failed keyboard-interactive for <invalid username> from 205.186.180.55 port 42742 ssh2
+# failJSON: { "time": "2005-03-29T05:20:09", "match": true , "host": "205.186.180.30" }
 Mar 29 05:20:09 dusky sshd[19558]: [ID 800047 auth.info] Failed keyboard-interactive for james from 205.186.180.30 port 54520 ssh2
 
 #10 OSX syslog error
+# failJSON: { "time": "2005-04-29T17:16:20", "match": true , "host": "example.com" }
 Apr 29 17:16:20 Jamess-iMac.local sshd[62312]: error: PAM: authentication error for james from example.com via 192.168.1.201
+# failJSON: { "time": "2005-04-29T20:11:08", "match": true , "host": "205.186.180.35" }
 Apr 29 20:11:08 Jamess-iMac.local sshd[63814]: [ID 800047 auth.info] Failed keyboard-interactive for <invalid username> from 205.186.180.35 port 42742 ssh2
+# failJSON: { "time": "2005-04-29T20:12:08", "match": true , "host": "205.186.180.22" }
 Apr 29 20:12:08 Jamess-iMac.local sshd[63814]: [ID 800047 auth.info] Failed keyboard-interactive for james from 205.186.180.22 port 54520 ssh2
+# failJSON: { "time": "2005-04-29T20:13:08", "match": true , "host": "205.186.180.42" }
 Apr 29 20:13:08 Jamess-iMac.local sshd[63814]: Failed keyboard-interactive for james from 205.186.180.42 port 54520 ssh2
+# failJSON: { "time": "2005-04-29T20:14:08", "match": true , "host": "205.186.180.44" }
 Apr 29 20:14:08 Jamess-iMac.local sshd[63814]: Failed keyboard-interactive for <invalid username> from 205.186.180.44 port 42742 ssh2
+# failJSON: { "time": "2005-04-30T01:42:12", "match": true , "host": "205.186.180.77" }
 Apr 30 01:42:12 Jamess-iMac.local sshd[2554]: Failed keyboard-interactive/pam for invalid user jamedds from 205.186.180.77 port 33723 ssh2
+# failJSON: { "time": "2005-04-29T12:53:38", "match": true , "host": "205.186.180.88" }
 Apr 29 12:53:38 Jamess-iMac.local sshd[47831]: error: PAM: authentication failure for james from 205.186.180.88 via 192.168.1.201
+# failJSON: { "time": "2005-04-29T13:53:38", "match": true , "host": "205.186.180.99" }
 Apr 29 13:53:38 Jamess-iMac.local sshd[47831]: error: PAM: Authentication failure for james from 205.186.180.99 via 192.168.1.201
+# failJSON: { "time": "2005-04-29T15:53:38", "match": true , "host": "205.186.180.100" }
 Apr 29 15:53:38 Jamess-iMac.local sshd[47831]: error: PAM: Authentication error for james from 205.186.180.100 via 192.168.1.201
+# failJSON: { "time": "2005-04-29T16:53:38", "match": true , "host": "205.186.180.101" }
 Apr 29 16:53:38 Jamess-iMac.local sshd[47831]: error: PAM: authentication error for james from 205.186.180.101 via 192.168.1.201
+# failJSON: { "time": "2005-04-29T17:53:38", "match": true , "host": "205.186.180.102" }
 Apr 29 17:53:38 Jamess-iMac.local sshd[47831]: error: PAM: authentication error for james from 205.186.180.102
+# failJSON: { "time": "2005-04-29T18:53:38", "match": true , "host": "205.186.180.103" }
 Apr 29 18:53:38 Jamess-iMac.local sshd[47831]: error: PAM: authentication error for james from 205.186.180.103
 
 #11 https://github.com/fail2ban/fail2ban/issues/267  There might be no colon after [daemon]
+# failJSON: { "time": "2005-06-25T23:53:34", "match": true , "host": "1.2.3.4" }
 Jun 25 23:53:34 [sshd] User root from 1.2.3.4 not allowed because not listed in AllowUsers

testcases/files/logs/sshd-ddos

@@ -1,2 +1,3 @@
 # http://forums.powervps.com/showthread.php?t=1667
+# failJSON: { "time": "2005-06-07T01:10:56", "match": true , "host": "69.61.56.114" }
 Jun 7 01:10:56 host sshd[5937]: Did not receive identification string from 69.61.56.114

testcases/files/logs/vsftpd

@@ -1,7 +1,10 @@
 #1 PAM based
+# failJSON: { "time": "2004-10-11T01:06:47", "match": true , "host": "209.67.1.67" }
 Oct 11 01:06:47 ServerJV vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=209.67.1.67
+# failJSON: { "time": "2005-02-06T12:02:29", "match": true , "host": "64.168.103.1" }
 Feb 6 12:02:29 server vsftpd(pam_unix)[15522]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=64.168.103.1 user=user1
 
 #2 Internal
+# failJSON: { "time": "2005-01-19T12:20:33", "match": true , "host": "64.106.46.98" }
 Fri Jan 19 12:20:33 2007 [pid 27202] [anonymous] FAIL LOGIN: Client "64.106.46.98"
 

testcases/files/logs/webmin-auth

@@ -1,7 +1,9 @@
 #Webmin authentication failures from /var/log/auth.log
 
 #1 User exists, bad password
+# failJSON: { "time": "2004-12-13T08:15:18", "match": true , "host": "89.2.49.230" }
 Dec 13 08:15:18 sb1 webmin[25875]: Invalid login as root from 89.2.49.230 
 
 #2 User does not exists
+# failJSON: { "time": "2004-12-12T23:14:19", "match": true , "host": "188.40.105.142" }
 Dec 12 23:14:19 sb1 webmin[22134]: Non-existent login as robert from 188.40.105.142 

testcases/files/logs/wuftpd

@@ -1,2 +1,3 @@
 # This login line is from syslog
+# failJSON: { "time": "2004-10-06T09:59:26", "match": true , "host": "202.108.145.173" }
 Oct  6 09:59:26 myserver wu-ftpd[18760]: failed login from hj-145-173-a8.bta.net.cn [202.108.145.173]

testcases/samplestestcase.py

@@ -0,0 +1,126 @@
+# emacs: -*- mode: python; py-indent-offset: 4; indent-tabs-mode: t -*-
+# vi: set ft=python sts=4 ts=4 sw=4 noet :
+
+# This file is part of Fail2Ban.
+#
+# Fail2Ban is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Fail2Ban is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Fail2Ban; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+
+# Fail2Ban developers
+
+__copyright__ = "Copyright (c) 2013 Steven Hiscocks"
+__license__ = "GPL"
+
+import unittest, sys, os, fileinput, re, datetime, inspect
+
+if sys.version_info >= (2, 6):
+	import json
+else:
+	import simplejson as json
+	next = lambda x: x.next()
+
+from server.filter import Filter
+from client.filterreader import FilterReader
+
+TEST_FILES_DIR = os.path.join(os.path.dirname(__file__), "files")
+CONFIG_DIR = "config"
+
+class FilterSamplesRegex(unittest.TestCase):
+
+	def setUp(self):
+		"""Call before every test case."""
+		self.filter = Filter(None)
+		self.filter.setActive(True)
+
+	def tearDown(self):
+		"""Call after every test case."""
+
+	def testFiltersPresent(self):
+		"""Check to ensure some tests exist"""
+		self.assertTrue(
+			len([test for test in inspect.getmembers(self)
+				if test[0].startswith('testSampleRegexs')])
+			>= 10,
+			"Expected more FilterSampleRegexs tests")
+
+def testSampleRegexsFactory(name):
+	def testFilter(self):
+
+		# Check filter exists
+		filterConf = FilterReader(name, "jail", basedir=CONFIG_DIR)
+		filterConf.read()
+		filterConf.getOptions({})
+
+		for opt in filterConf.convert():
+			if opt[2] == "addfailregex":
+				self.filter.addFailRegex(opt[3])
+
+		if not self.filter.getFailRegex():
+			# No fail regexs set: likely just common file for includes.
+			return
+
+		# TODO: Remove exception handling once sample logs obtained for all
+		try:
+			self.assertTrue(
+				os.path.isfile(os.path.join(TEST_FILES_DIR, "logs", name)),
+				"No sample log file available for '%s' filter" % name)
+		except AssertionError:
+			print "I: No sample log file available for '%s' filter" % name
+			return
+
+		logFile = fileinput.FileInput(
+			os.path.join(TEST_FILES_DIR, "logs", name))
+
+		for line in logFile:
+			jsonREMatch = re.match("^# ?failJSON:(.+)$", line)
+			if jsonREMatch:
+				try:
+					faildata = json.loads(jsonREMatch.group(1))
+				except ValueError, e:
+					raise ValueError("%s: %s:%i" %
+						(e, logFile.filename(), logFile.filelineno()))
+				line = next(logFile)
+			elif line.startswith("#") or not line.strip():
+				continue
+			else:
+				faildata = {}
+
+			ret = self.filter.processLine(line, returnRawHost=True)
+			if not ret:
+				# Check line is flagged as none match
+				self.assertFalse(faildata.get('match', True),
+					 "Line not matched when should have: %s:%i %r" %
+					(logFile.filename(), logFile.filelineno(), line))
+			elif ret:
+				# Check line is flagged to match
+				self.assertTrue(faildata.get('match', False),
+					"Line matched when shouldn't have: %s:%i %r" %
+					(logFile.filename(), logFile.filelineno(), line))
+				self.assertEqual(len(ret), 1)
+				# Verify timestamp and host as expected
+				host, time = ret[0]
+				self.assertEqual(host, faildata.get("host", None))
+				self.assertEqual(
+					datetime.datetime.fromtimestamp(time),
+					datetime.datetime.strptime(
+						faildata.get("time", None), "%Y-%m-%dT%H:%M:%S"))
+
+	return testFilter
+
+for filter_ in os.listdir(os.path.join(CONFIG_DIR, "filter.d")):
+	filterName = filter_.rpartition(".")[0]
+	setattr(
+		FilterSamplesRegex,
+		"testSampleRegexs%s" % filterName.upper(),
+		testSampleRegexsFactory(filterName))