Merge pull request #4037 from kusaka-0107/fix/asterisk-conf-regex

filter.d/asterisk: fix regex to match "No matching endpoint found" with retry info (like `after X tries in Y ms`)
2025-07-20 15:17:17 +02:00 · 2025-07-20 15:17:17 +02:00 · 793d0c6555
parent 1c2ace2958 7bb86822d0
commit 793d0c6555
3 changed files with 5 additions and 1 deletions
--- a/2
+++ b/2
@ -37,6 +37,8 @@ ver. 1.1.1-dev-1 (20??/??/??) - development nightly edition
  - rename `ipsettype` to `ipsetbackend` (gh-2620), parameter `ipsettype` will be used now to the real set type (gh-3760)
 * `filter.d/apache-noscript.conf` - consider new log-format with "AH02811: stderr from /..." (gh-3900)
 * `filter.d/apache-overflows.conf` - consider AH10244: invalid URI path (gh-3778, gh-3900)
+* `filter.d/asterisk.conf` - fixed RE for "no matching endpoint" with retry info (like `after X tries in Y ms`) at end, 
+  loosening of end anchor (ignore any simple text tokens at end if no single quote found), gh-4037
 * `filter.d/exim.conf`:
  - several rules of mode `normal` moved to new mode `more`, because of too risky handling (gh-3940),
    thereby mode `aggressive` is not affected, because it fully includes mode `more` now;
--- a/config/filter.d/asterisk.conf
+++ b/config/filter.d/asterisk.conf
@ -27,7 +27,7 @@ failregex = ^Registration from '[^']*' failed for '<HOST>(:\d+)?' - (?:Wrong pas
            ^hacking attempt detected '<HOST>'$
            ^SecurityEvent="(?:FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)"(?:(?:,(?!RemoteAddress=)\w+="[^"]*")*|.*?),RemoteAddress="IPV[46]/[^/"]+/<HOST>/\d+"(?:,(?!RemoteAddress=)\w+="[^"]*")*$
            ^"Rejecting unknown SIP connection from <HOST>(?::\d+)?"$
-            ^Request (?:'[^']*' )?from '(?:[^']*|.*?)' failed for '<HOST>(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$
+            ^Request (?:'[^']*' )?from '(?:[^']*|.*?)' failed for '<HOST>(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\b[^']*$

 # FreePBX (todo: make optional in v.0.10):
 #            ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )[^:]+: Friendly Scanner from <HOST>$
--- a/fail2ban/tests/files/logs/asterisk
+++ b/fail2ban/tests/files/logs/asterisk
@ -108,6 +108,8 @@ Nov 4 18:30:40 localhost asterisk[32229]: NOTICE[32257]: chan_sip.c:23417 in han
 # PJSip Errors
 # failJSON: { "time": "2016-05-06T07:08:09", "match": true, "host": "192.0.2.6" }
 [2016-05-06 07:08:09] NOTICE[17103] res_pjsip/pjsip_distributor.c: Request from '"test1" <sip:test1@2.3.4.5>' failed for '192.0.2.6:5678' (callid: deadbeef) - No matching endpoint found
+# failJSON: { "time": "2016-05-06T07:08:09", "match": true, "host": "192.0.2.7", "desc": "Test for No matching endpoint found with retry counts (pattern 1)" }
+[2016-05-06 07:08:09] NOTICE[17103] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"test2" <sip:test2@3.4.5.6>' failed for '192.0.2.7:5679' (callid: cafebabe) - No matching endpoint found after 5 tries in 2.500 ms

 # # FreePBX Warnings
 # #_dis_failJSON: { "time": "2016-05-06T07:08:09", "match": true, "host": "192.0.2.4" }