From 91c27d0600dfd9b7e6e7eba3726ca409377b2601 Mon Sep 17 00:00:00 2001
From: sebres
Date: Wed, 4 Dec 2024 16:56:23 +0100
Subject: [PATCH] `filter.d/freeswitch.conf`: bypass some new info in prefix before [WARNING] (changed default `_pref_line`); closes gh-3143
---
 ChangeLog | 2 ++
 config/filter.d/freeswitch.conf | 4 ++--
 fail2ban/tests/files/logs/freeswitch | 5 +++++
 3 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index f32047d6..0e4790a3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -21,6 +21,8 @@ ver. 1.1.1-dev-1 (20??/??/??) - development nightly edition
 * `action.d/firewallcmd-ipset.conf`:
 - rename `ipsettype` to `ipsetbackend` (gh-2620), parameter `ipsettype` will be used now to the real set type (gh-3760)
 * `filter.d/apache-overflows.conf` - consider AH10244: invalid URI path (gh-3778)
+* `filter.d/freeswitch.conf` - bypass some new info in prefix before [WARNING] (changed default `_pref_line`),
+ FreeSWITCH log line prefix has changed in newer versions (gh-3143)
 * `filter.d/postfix.conf` - consider CONNECT and other rejected commands as a valid `_pref` (gh-3800)
 * `filter.d/recidive.conf` - restore possibility to set jail name in the filter, _jailname is positive now (gh-3769)
 * `filter.d/roundcube-auth.conf` - improved RE better matching log format of roundcube version 1.4+ (gh-3816)
diff --git a/config/filter.d/freeswitch.conf b/config/filter.d/freeswitch.conf
index 0fdcf1f1..31d959fa 100644
--- a/config/filter.d/freeswitch.conf
+++ b/config/filter.d/freeswitch.conf
@@ -29,9 +29,9 @@ _daemon = freeswitch
 mode = extra
 
 # Prefix contains common prefix line (server, daemon, etc.) and 2 datetimes if used systemd backend
-_pref_line = ^%(__prefix_line)s(?:(?:\d+-)?\d+-\d+ \d+:\d+:\d+\.\d+)?
+_pref_line = ^%(__prefix_line)s[^\[]*
 
-prefregex = ^%(_pref_line)s \[WARN(?:ING)?\](?: \[SOFIA\])? \[?sofia_reg\.c:\d+\]? .+$
+prefregex = ^%(_pref_line)s\s*\[WARN(?:ING)?\](?: \[SOFIA\])? \[?sofia_reg\.c:\d+\]? .+$
 
 cmnfailre = ^Can't find user \[[^@]+@[^\]]+\] from $
 
diff --git a/fail2ban/tests/files/logs/freeswitch b/fail2ban/tests/files/logs/freeswitch
index 6a117523..6a70093b 100644
--- a/fail2ban/tests/files/logs/freeswitch
+++ b/fail2ban/tests/files/logs/freeswitch
@@ -24,3 +24,8 @@
 08-03 07:56:53.026292 [WARN] [SOFIA] [sofia_reg.c:4130] Can't find user [101@148.251.134.154] from 192.0.2.3
 # failJSON: { "time": "2005-08-03T08:10:21", "match": true, "host": "192.0.2.4", "desc": "optional year in datepattern and bit different format (gh-2193)" }
 08-03 08:10:21.026299 [WARN] [SOFIA] [sofia_reg.c:2248] SIP auth failure (INVITE) on sofia profile 'external' for [41801148436701961@148.251.134.154] from ip 192.0.2.4
+
+# failJSON: { "time": "2021-10-29T21:04:58", "match": true, "host": "192.0.2.5", "desc": "percent in prefix (gh-3143)" }
+2021-10-29 21:04:58.150982 00.00% [WARNING] sofia_reg.c:2889 Can't find user [201@::1] from 192.0.2.5
+# failJSON: { "time": "2021-10-29T21:05:58", "match": true, "host": "192.0.2.5", "desc": "syslog (and extra date), percent in prefix (gh-3143)" }
+2021-10-29 21:05:58.894719 www.srv.tld freeswitch[123456]: 2021-10-29 14:13:24.894719 82.43% [WARNING] sofia_reg.c:2889 Can't find user [201@::1] from 192.0.2.5
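Review bot: The comment kept above `_pref_line` still says the prefix covers "2 datetimes if used systemd backend", but the new value `[^\[]*` accepts any text up to the first `[`, so the comment no longer describes what is matched. I would reword it to something like `# Prefix: common prefix line (server, daemon, etc.), then any text without "[" (extra datetime, percent value, ...)`. It is also worth stating there why the class excludes `[`: the match stays tied to the first bracketed tag after the prefix, which a jail.local override using `.*` would give up. The `\s*` added to `prefregex` overlaps with `[^\[]*`; it appears to be there so that an overridden `_pref_line` without the trailing space still matches, and a short comment saying so would help.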
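Review bot: Both samples added to `fail2ban/tests/files/logs/freeswitch` are positive matches, so nothing here pins what the widened `[^\[]*` prefix must still reject. A `"match": false` entry for a line whose first bracketed tag after the prefix is not `[WARN]`/`[WARNING]` would guard against a later loosening of `_pref_line` turning unrelated log lines into ban events. The sample format already supports this with a header such as `# failJSON: { "match": false, "desc": "..." }` placed before the log line.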