From 2686811593a57bab72f691a5c1c93ffb877d4395 Mon Sep 17 00:00:00 2001
From: j-marz
Date: Sun, 28 Mar 2021 21:19:10 +1100
Subject: [PATCH 1/4] Updated zoneminder filter

Support new log format, ERR instead of WAR. Add detection of non-existent user login attempts
---
 config/filter.d/zoneminder.conf | 16 +++++++++++-----
 fail2ban/tests/files/logs/zoneminder | 6 ++++++
 2 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/config/filter.d/zoneminder.conf b/config/filter.d/zoneminder.conf
index cc82755a..1af97c7d 100644
--- a/config/filter.d/zoneminder.conf
+++ b/config/filter.d/zoneminder.conf
@@ -5,17 +5,23 @@ before = apache-common.conf
 [Definition]
-# pattern: [Wed Apr 27 23:12:07.736196 2016] [:error] [pid 2460] [client 10.1.1.1:47296] WAR [Login denied for user "test"], referer: https://zoneminderurl/index.php
-#
-#
+# patterns:
+ # [Mon Mar 28 16:50:49.522240 2016] [:error] [pid 1795] [client 10.1.1.1:50700] WAR [Login denied for user "username1"], referer: https://zoneminder/
+ # [Sun Mar 28 16:53:00.472693 2021] [php7:notice] [pid 11328] [client 10.1.1.1:39568] ERR [Could not retrieve user test details], referer: https://zm/
+ # [Sun Mar 28 16:59:14.150625 2021] [php7:notice] [pid 11336] [client 10.1.1.1:39654] ERR [Login denied for user "john"], referer: https://zm/
+
 # Option: failregex
-# Notes.: regex to match the password failure messages in the logfile.
+# Notes.: regex to match the login failure and non-existent user error messages in the logfile.
 failregex = ^%(_apache_error_client)s WAR \[Login denied for user "[^"]*"\]
+ ^%(_apache_error_client)s ERR \[Login denied for user "[^"]*"\]
+ ^%(_apache_error_client)s ERR \[Could not retrieve user \w* details\]
 ignoreregex =
 # Notes:
-# Tested on Zoneminder 1.29.0
+# Tested on Zoneminder 1.29 and 1.35.21
+#
+# Zoneminer versions > 1.3x use "ERR" and < 1.3x use "WAR" level logs, so i've kept both for compatibility reasons
 #
 # Author: John Marzella
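Review bot: The note added at the end of the hunk, `# Zoneminer versions > 1.3x use "ERR" and < 1.3x use "WAR" level logs`, states a version boundary that the two tested releases (1.29 and 1.35.21) do not establish and leaves 1.30–1.34 undefined, so a reader cannot tell which level their own install logs. I would record only what was observed: `# Tested on Zoneminder 1.29 (logged "WAR") and 1.35.21 (logged "ERR"); both levels are matched so either format works`. The "Notes.:" line above failregex now mentions the non-existent-user message, which is good; the version comment is the remaining place where the documentation outruns the evidence.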
diff --git a/fail2ban/tests/files/logs/zoneminder b/fail2ban/tests/files/logs/zoneminder
index abd49869..f4b6bd3e 100644
--- a/fail2ban/tests/files/logs/zoneminder
+++ b/fail2ban/tests/files/logs/zoneminder
@@ -1,2 +1,8 @@
 # failJSON: { "time": "2016-03-28T16:50:49", "match": true , "host": "10.1.1.1" }
 [Mon Mar 28 16:50:49.522240 2016] [:error] [pid 1795] [client 10.1.1.1:50700] WAR [Login denied for user "username1"], referer: https://zoneminder/
+
+# failJSON: { "time": "2021-03-28T16:53:00", "match": true , "host": "10.1.1.1" }
+[Sun Mar 28 16:53:00.472693 2021] [php7:notice] [pid 11328] [client 10.1.1.1:39568] ERR [Could not retrieve user username1 details], referer: https://zm/zm/?view=logout
+
+# failJSON: { "time": "2021-03-28T16:59:14", "match": true , "host": "10.1.1.1" }
+[Sun Mar 28 16:59:14.150625 2021] [php7:notice] [pid 11336] [client 10.1.1.1:39654] ERR [Login denied for user "username1"], referer: https://zm/zm/?

From 5d8f5004718d38146c6821f37eaeb3c7b0415d9d Mon Sep 17 00:00:00 2001
From: j-marz
Date: Mon, 29 Mar 2021 08:36:53 +1100
Subject: [PATCH 2/4] updated formatting to pass tests

---
 config/filter.d/zoneminder.conf | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/config/filter.d/zoneminder.conf b/config/filter.d/zoneminder.conf
index 1af97c7d..7da40968 100644
--- a/config/filter.d/zoneminder.conf
+++ b/config/filter.d/zoneminder.conf
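Review bot: Every sample in this fixture is `"match": true`, so the test never proves that the new `ERR [Could not retrieve user ... details]` pattern leaves ordinary ZoneMinder lines alone; one `[php7:notice]` line from a normal request, marked `"match": false`, would pin the negative case. The second added sample carries `referer: https://zm/zm/?view=logout`, which suggests this message was logged on a logout request rather than a login attempt; if ZoneMinder emits it whenever a session references a user that no longer exists, a legitimate client could accumulate failures without ever submitting a credential, so the trigger is worth confirming against the ZoneMinder source before banning on it. Both new samples use the same `username1` as the 2016 line even though the filter comments quote `test` and `john`; either is fine, but the fixture and the comments should agree so the test input is recognisably the documented format.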
@@ -5,11 +5,10 @@ before = apache-common.conf
 [Definition]
-# patterns:
- # [Mon Mar 28 16:50:49.522240 2016] [:error] [pid 1795] [client 10.1.1.1:50700] WAR [Login denied for user "username1"], referer: https://zoneminder/
- # [Sun Mar 28 16:53:00.472693 2021] [php7:notice] [pid 11328] [client 10.1.1.1:39568] ERR [Could not retrieve user test details], referer: https://zm/
- # [Sun Mar 28 16:59:14.150625 2021] [php7:notice] [pid 11336] [client 10.1.1.1:39654] ERR [Login denied for user "john"], referer: https://zm/
-
+# patterns: [Mon Mar 28 16:50:49.522240 2016] [:error] [pid 1795] [client 10.1.1.1:50700] WAR [Login denied for user "username1"], referer: https://zoneminder/
+# [Sun Mar 28 16:53:00.472693 2021] [php7:notice] [pid 11328] [client 10.1.1.1:39568] ERR [Could not retrieve user test details], referer: https://zm/
+# [Sun Mar 28 16:59:14.150625 2021] [php7:notice] [pid 11336] [client 10.1.1.1:39654] ERR [Login denied for user "john"], referer: https://zm/
+#
 # Option: failregex
 # Notes.: regex to match the login failure and non-existent user error messages in the logfile.

From 2367ad115c1d20daaca886ebe4db81edf06df577 Mon Sep 17 00:00:00 2001
From: j-marz
Date: Thu, 20 May 2021 09:15:45 +1000
Subject: [PATCH 3/4] fixed typo in comment

---
 config/filter.d/zoneminder.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/filter.d/zoneminder.conf b/config/filter.d/zoneminder.conf
index 7da40968..b3c0be72 100644
--- a/config/filter.d/zoneminder.conf
+++ b/config/filter.d/zoneminder.conf
@@ -21,6 +21,6 @@ ignoreregex =
 # Notes:
 # Tested on Zoneminder 1.29 and 1.35.21
 #
-# Zoneminer versions > 1.3x use "ERR" and < 1.3x use "WAR" level logs, so i've kept both for compatibility reasons
+# Zoneminder versions > 1.3x use "ERR" and < 1.3x use "WAR" level logs, so i've kept both for compatibility reasons
 #
 # Author: John Marzella

From ec4e0dd65b1f2483a3e2413a61442eb544ae8c16 Mon Sep 17 00:00:00 2001
From: "Sergey G. Brester" Date: Fri, 21 May 2021 13:00:24 +0200 Subject: [PATCH 4/4] padding with space, prefregex, regex review (simplifying, capture user name, consider possible space char in user name) --- config/filter.d/zoneminder.conf | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/config/filter.d/zoneminder.conf b/config/filter.d/zoneminder.conf index b3c0be72..8e8ed432 100644 --- a/config/filter.d/zoneminder.conf +++ b/config/filter.d/zoneminder.conf @@ -6,15 +6,16 @@ before = apache-common.conf [Definition] # patterns: [Mon Mar 28 16:50:49.522240 2016] [:error] [pid 1795] [client 10.1.1.1:50700] WAR [Login denied for user "username1"], referer: https://zoneminder/ -# [Sun Mar 28 16:53:00.472693 2021] [php7:notice] [pid 11328] [client 10.1.1.1:39568] ERR [Could not retrieve user test details], referer: https://zm/ -# [Sun Mar 28 16:59:14.150625 2021] [php7:notice] [pid 11336] [client 10.1.1.1:39654] ERR [Login denied for user "john"], referer: https://zm/ +# [Sun Mar 28 16:53:00.472693 2021] [php7:notice] [pid 11328] [client 10.1.1.1:39568] ERR [Could not retrieve user test details], referer: https://zm/ +# [Sun Mar 28 16:59:14.150625 2021] [php7:notice] [pid 11336] [client 10.1.1.1:39654] ERR [Login denied for user "john"], referer: https://zm/ # # Option: failregex # Notes.: regex to match the login failure and non-existent user error messages in the logfile. -failregex = ^%(_apache_error_client)s WAR \[Login denied for user "[^"]*"\] - ^%(_apache_error_client)s ERR \[Login denied for user "[^"]*"\] - ^%(_apache_error_client)s ERR \[Could not retrieve user \w* details\] +prefregex = ^%(_apache_error_client)s (?:ERR|WAR) \[(?:Login denied|Could not retrieve).*$ + +failregex = ^\[Login denied for user "[^"]*"\] + ^\[Could not retrieve user \S* ignoreregex =