Updated Developing Regex in Fail2ban (markdown)

master
Egbert 2020-09-20 18:32:54 -04:00
parent 143dc6d198
commit 6097f9e7e1
1 changed files with 10 additions and 5 deletions

@ -20,7 +20,7 @@ ACTUAL EXAMPLES!
================
The actual examples were obtained during a DDOS against my Bind9 master nameserver. And a regex is needed ... fast.
Actual log file is (after privacy redactions):
Actual log (`/tmp/captured.log`) file is (after privacy redactions) shown below:
```log
19-Sep-2020 11:47:00.116 query-errors: info: client @0x7f0410000e40 123.123.123.123#80 (sl): view red: query failed (REFUSED) for sl/IN/ANY at query.c:5445
19-Sep-2020 11:47:01.120 query-errors: info: client @0x7f0410000e40 123.123.123.123#80 (sl): view red: query failed (REFUSED) for sl/IN/ANY at query.c:5445
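Review bot: the rewritten intro sentence reads awkwardly ("Actual log (`/tmp/captured.log`) file is ... shown below"); suggest "The actual log file (`/tmp/captured.log`), after privacy redactions, is shown below:". Also, `123.123.123.123` used as the redacted client address is a routable public address, so the "redaction" could point at an unrelated party; an RFC 5737 documentation address such as `192.0.2.1` would make the placeholder unambiguous.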
@ -31,7 +31,7 @@ Actual log file is (after privacy redactions):
```
Note: A little history, the sl TLD went off-line and IoTs were spraying invalid DNS-QUERY records with falsified source IP address toward selected DNS servers, resulting in a mild DNS amplification attack via DNS-QUERY-REFUSED error message all being sent to the target victim.
Sadly, latest Bind9 daemon has no configurable field to suppress these false DNS-QUERY-REFUSED acknowledgement messages (ISC Bind team claim it is not kosher to do this, but I still have a problem and intend fail2ban to deal with it).
Sadly, latest Bind9 daemon has no configurable field to suppress these false DNS-QUERY-REFUSED acknowledgement messages (ISC Bind team claim it is not kosher to do this, but I still have this problem and have intend `fail2ban` to deal with this).
FIRST PATTERN, FIRST
====================
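Review bot: "have intend `fail2ban` to deal with this" in the new sentence is ungrammatical; suggest "but I still have this problem and intend `fail2ban` to deal with it".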
@ -78,7 +78,12 @@ and note the value of `'content:'`. This content comes after the `datepattern`;
Note: Please note in 'content': value that there is an extra space at the beginning of that value so be careful with the `^` and make sure it starts with `^ ` (note a space after caret symbol.)
But, with regard to that extra space char, do what I do; incorporate that space into your `prefregex`. Your customized `prefregex` will take away that beginning but lone space character from all your future (and current) `failregex` filter patterns. This makes for an easier-to-read `failpregex` pattern(s).
NEW CONFIG FILE
===============
From there on, we're creating a local-variant of `named-refused.conf` file; all new and modified
settings are in the new `named-refused.local` file.
With regard to that extra space char, do what I do; incorporate that space into your `prefregex`. Your customized `prefregex` will take away that beginning but lone space character from all your future (and current) `failregex` filter patterns. This makes for an easier-to-read `failpregex` pattern(s).
```ini
prefregex = ^ <F-CONTENT>.+</F-CONTENT>$
```
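Review bot: the paragraph moved under NEW CONFIG FILE carries over the typo `failpregex`, which readers may copy as a config key; change it to `failregex`, and "an easier-to-read `failregex` pattern(s)" should read "easier-to-read `failregex` patterns". The relocation next to the `prefregex` example is an improvement, but the sentence before it ("all new and modified settings are in the new `named-refused.local` file") still does not say that the `.local` file is read after `named-refused.conf` and overrides it; one clause stating that would explain why the shipped `.conf` is left untouched.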
@ -98,7 +103,7 @@ Focus on the `failregex` portion of the filter config file. They're under `[Def
The catch of using `failregex` is that there MUST be at least one regex group match such as '`<HOST>`', '`<ADDR>`', or '`<F-USER>`'.
So, do what I do… Make a generic failregex` in your filter confing file like this:
So, do what I do… Make a generic `failregex` in your new local filter config file, like this:
```ini
failregex = query.+<HOST>
```
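Review bot: the greedy `.+` in `failregex = query.+<HOST>` lets `<HOST>` bind to the rightmost token that satisfies the host pattern rather than to the client address, so a reader who copies this starter as-is may ban the wrong value. Either state explicitly that this is a throwaway pattern to be refined later, or anchor it on the client field shown in the captured log, e.g. `failregex = ^query-errors: info: client @\S+ <HOST>#\d+`.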
@ -228,7 +233,7 @@ _filespec = [0-9a-zA-Z\._\-]{1,254}
_codeloc = %(_filespec)s:\d{1,6}
```
NOTE: Guess? You are running fail2ban-regex between each modification? You still getting that non-zero '`Failregex: 6 total match`' under Results?
NOTE: You are running `fail2ban-regex` between each modification? You still getting that non-zero '`Failregex: 6 total match`' under Results?
```console
Failregex: 6 total
|- #) [# of hits] regular expression
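Review bot: the new NOTE keeps the grammar slip "You still getting" (should be "Are you still getting"), and the quoted string `Failregex: 6 total match` does not match the console output shown directly below it (`Failregex: 6 total`); quote the output exactly as it appears so readers can find it in their own `fail2ban-regex` results.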