From f85fb45b29768f687546ba25f805977cf00b6e43 Mon Sep 17 00:00:00 2001
From: Ludovic Gasc
Date: Tue, 7 Jun 2016 11:40:35 +0200
Subject: [PATCH] Asterisk pjsip (#1456)

* Improve PJSIP log support for Asterisk 13+

* Update changelog: filter.d/asterisk.conf - fix security log support for PJSIP and Asterisk 13+

* Change pjsip regexp with sebres observation, thanks to @nturcksin
---
 ChangeLog                          | 1 +
 config/filter.d/asterisk.conf      | 1 +
 fail2ban/tests/files/logs/asterisk | 4 ++++
 3 files changed, 6 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 76719f16..21b8adfc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -25,6 +25,7 @@ ver. 0.9.5 (2016/XX/XXX) - wanna-be-released
     added new parameter `__date_ambit`
   * gentoo-initd fixed --pidfile bug: `--pidfile` is option of start-stop-daemon,
     not argument of fail2ban (see gh-1434)
+  * filter.d/asterisk.conf - fix security log support for PJSIP and Asterisk 13+
 
 - New Features:
   * New Actions:
diff --git a/config/filter.d/asterisk.conf b/config/filter.d/asterisk.conf
index 01063efa..f6ccdd4f 100644
--- a/config/filter.d/asterisk.conf
+++ b/config/filter.d/asterisk.conf
@@ -27,6 +27,7 @@ failregex = ^%(__prefix_line)s%(log_prefix)s Registration from '[^']*' failed fo
             ^%(__prefix_line)s%(log_prefix)s hacking attempt detected ''$
             ^%(__prefix_line)s%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS)//\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
             ^%(__prefix_line)s%(log_prefix)s "Rejecting unknown SIP connection from "$
+            ^%(__prefix_line)s%(log_prefix)s Request from '[^']*' failed for '(?::\d+)?' \(callid: \w*\) - No matching endpoint found$
 
 ignoreregex =
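Review bot: The new `Request from '[^']*' failed for ... \(callid: \w*\)` pattern in the asterisk.conf hunk can be side-stepped by the peer it is meant to catch, because both `[^']*` (the From value) and `\w*` (the callid) are matched against header contents the remote side chooses. A `'` inside the From display name terminates `[^']*` early and the line no longer matches, and a Call-ID containing `-`, `.` or `@` (all permitted by RFC 3261 and common in practice) is rejected by `\w*`, so such probes are never counted toward a ban even though the anchored tail makes spoofing a third-party address hard. Loosening both while keeping the anchors, e.g. `^%(__prefix_line)s%(log_prefix)s Request from '(?:[^']*|.*?)' failed for '<HOST>(?::\d+)?' \(callid: [^\)]*\) - No matching endpoint found$`, matches those lines without widening the host capture. Separately, the `<HOST>` placeholder appears to have been stripped from this rendering of the hunk (`failed for '(?::\d+)?'`); if the committed line genuinely lacks it the rule cannot extract an address at all, so confirm against the file. The single fixture added to the test log uses an unquoted From and a purely numeric callid, so it does not exercise either of the cases above.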
diff --git a/fail2ban/tests/files/logs/asterisk b/fail2ban/tests/files/logs/asterisk
index aa32a290..3f49beec 100644
--- a/fail2ban/tests/files/logs/asterisk
+++ b/fail2ban/tests/files/logs/asterisk
@@ -67,3 +67,7 @@ Nov 4 18:30:40 localhost asterisk[32229]: NOTICE[32257]: chan_sip.c:23417 in han
 [2016-01-28 10:34:31] NOTICE[3477][C-000003c3] chan_sip.c: Call from '' (1.2.3.4:10836) to extension '0+441772285407' rejected because extension not found in context 'default'.
 # failJSON: { "time": "2016-01-28T10:34:33", "match": true , "host": "1.2.3.4" }
 [2016-01-28 10:34:33] NOTICE[3477][C-000003c3] chan_sip.c: Call from '' (1.2.3.4:10836) to extension '' rejected because extension not found in context 'my-context'.
+
+# Failed authentication with pjsip on Asterisk 13+
+# failJSON: { "time": "2016-05-23T10:18:16", "match": true , "host": "1.2.3.4" }
+[2016-05-23 10:18:16] NOTICE[19388] res_pjsip/pjsip_distributor.c: Request from '"1000" ' failed for '1.2.3.4:48336' (callid: 276666022) - No matching endpoint found
\ No newline at end of file