Merge pull request #504 from kwirk/nsd

ENH: Add nsd filter and amend DateEpoch to match date format
2013-12-19 01:30:14 -08:00 · 2013-12-19 01:30:14 -08:00 · 56f54dc2eb
parent 42a51930dd d22716ab63
commit 56f54dc2eb
5 changed files with 34 additions and 1 deletions
--- a/2
+++ b/2
@ -40,6 +40,8 @@ ver. 0.8.12 (2013/12/XX) - things-can-only-get-better

  Daniel Black
   * filter.d/solid-pop3d -- added thanks to Jacques Lav!gnotte on mailinglist.
+  Bas van den Dikkenberg & Steven Hiscocks
+   * filter.d/nsd.conf -- also amended Unix date template to match nsd format

 - Enhancements:
  - loglines now also report "[PID]" after the name portion
--- a/1
+++ b/1
@ -16,6 +16,7 @@ Andrey G. Grozin
 Andy Fragen
 Arturo 'Buanzo' Busleiman
 Axel Thimm
+Bas van den Dikkenberg
 Beau Raines
 Bill Heaton
 Carlos Alberto Lopez Perez
--- a/config/filter.d/nsd.conf
+++ b/config/filter.d/nsd.conf
@ -0,0 +1,26 @@
+# Fail2Ban configuration file
+#
+# Author: Bas van den Dikkenberg
+#
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+_daemon = nsd
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+
+failregex =  ^\[\]%(__prefix_line)sinfo: ratelimit block .* query <HOST> TYPE255$
+              ^\[\]%(__prefix_line)sinfo: .* <HOST> refused, no acl matches\.$
--- a/server/datetemplate.py
+++ b/server/datetemplate.py
@ -78,7 +78,7 @@ class DateEpoch(DateTemplate):
 	
 	def __init__(self):
 		DateTemplate.__init__(self)
-		self.setRegex("(?:^|(?P<selinux>(?<=audit\()))\d{10}(?:\.\d{3,6})?(?(selinux)(?=:\d+\)))")
+		self.setRegex("(?:^|(?P<square>(?<=^\[))|(?P<selinux>(?<=audit\()))\d{10}(?:\.\d{3,6})?(?(selinux)(?=:\d+\))(?(square)(?=\])))")
 	
 	def getDate(self, line):
 		date = None
--- a/testcases/files/logs/nsd
+++ b/testcases/files/logs/nsd
@ -0,0 +1,4 @@
+# failJSON: { "time": "2013-12-17T14:58:14", "match": true , "host": "192.0.2.105" }
+[1387288694] nsd[7745]: info: ratelimit block example.com. type any target 192.0.2.0/24 query 192.0.2.105 TYPE255
+# failJSON: { "time": "2013-12-18T07:42:15", "match": true , "host": "192.0.2.115" }
+[1387348935] nsd[23600]: info: axfr for zone domain.nl. from client 192.0.2.115 refused, no acl matches.