diff --git a/Developing-Regex-in-Fail2ban.md b/Developing-Regex-in-Fail2ban.md index 6831bb8..3bf7253 100644 --- a/Developing-Regex-in-Fail2ban.md +++ b/Developing-Regex-in-Fail2ban.md @@ -53,8 +53,12 @@ Fail Pattern ------------ After ensuring a success `datepattern` (and optionally the `prefregex`) match, set your `failregex` to a generic pattern of `.+ `. -Then watch for `Results` tabulation in your output: +Watch for two things: `Matched FailRegex:` and parts of `Results:` table. ```console +T: Matched FailRegex('query.+(?:(?:::f{4,6}:)?(?P(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P[\\w\\-.^_]*\\w))') + +... + Results ======= 
@@ -246,17 +250,19 @@ So, do what I do… Make a generic `failregex` in your new local filter config f ```ini failregex = query.+ ``` -WARNING: Don't make my example into your permanent change because `.+` is evil. Do no evil ... but not during this troubleshooting and development of regex. Just don't forget to have finally replaced all `.+`, `.*` with something staticly-pattern. And also don't forget to ensure that `^` is at the beginning; also to add that `$` at the end, but not now for `$`, as we're developing a working matching pattern here. +WARNING: Don't make my example into your permanent change because `.+` is evil. Do no evil ... but not during this troubleshooting and development of regex. Just don't forget to have finally replaced all `.+`, `.*` with something staticly-pattern. -Notice that there is no '`$`' to catch end-of-line match condition? We’ll do those `$` lastly because we’re trying to just match … ANYTHING! +WARNING: And also don't forget to ensure that `^` is at the beginning; also to add that `$` at the end, but not now for `$`, as we're developing a working matching pattern here. -Re-run fail2ban-regex with '`-l HEAVYDEBUG`' and notice the '`T: Matched FailRegex part`': +Notice that there is no '`$`' to catch end-of-line match condition? We’ll do those `$` lastly as we’re trying to just match … ANYTHING! + +Now, re-run the `fail2ban-regex` with '`-l HEAVYDEBUG`' and look for the '`T: Matched FailRegex part`': ```console T: Matched FailRegex('query.+(?:(?:::f{4,6}:)?(?P(?:\\d{1,3}\\.){3}\\d{1,3})|\\[?(?P(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\\]?|(?P[\\w\\-.^_]*\\w))') ``` Now I am matching SOMETHING! -Notice the convoluted patterns after '`query.+`'? These long patterns represent '``' part. We can safely ignore that for now. +Notice the convoluted patterns after '`query.+`'? These long patterns represent the expanded part of '``' macro. We can safely ignore that for now. 
Most importantly, I am MATCHING something that starts with '`^query.+`'! Yippee! @@ -264,7 +270,7 @@ That evil `.+` is only temporary; we'll get rid of that at the end. GYRATING TOWARD FULL MATCH ========================== -With a working matching pattern (albeit a failed but overly-broad pattern), we can then work toward a full-blown but concise (yet flexible) pattern. +With a working matching pattern (albeit a failed but overly-broad pattern), we can then work toward a the finished `failregex`; a full-blown but concise (yet flexible) pattern. Let’s start by adding more static pattern.
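Review bot: In the `T: Matched FailRegex(...)` console line added in the first hunk, the named-group labels are missing: each capture group reads `(?P(?:...` with nothing between `(?P` and the next opening paren, which is not valid regex syntax, while the `(?<=:)` lookbehind further along survived intact, so only the `<name>` parts were dropped (most likely treated as HTML tags by the renderer). Restore the `(?P<...>` names, escaping the angle brackets if the wiki needs it, so readers can compare the line with their own `-l HEAVYDEBUG` output; the unchanged copy of this line in the second hunk has the same defect. The new lead-in sentence also wants an article: 'parts of the `Results:` table'.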
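Review bot: Splitting the old warning in two leaves the second one starting mid-thought: 'WARNING: And also don't forget to ensure that `^` is at the beginning; also to add that `$` at the end, but not now for `$`' reads as a fragment now that it no longer follows the first sentence. Suggest 'WARNING: Also remember to anchor the finished pattern: put `^` at the beginning and `$` at the end, but hold off on `$` while we're still developing a working match.' Two smaller points in the same hunk: 'staticly-pattern' (carried over from the old line) should be 'a static pattern', and the reworded sentence 'These long patterns represent the expanded part of '``' macro' has an empty code span where the macro name belongs, so the reader is told to ignore a macro that is never named; going by the IPv4/IPv6/hostname alternation shown, this is fail2ban's `<HOST>` tag, which should be spelled out (escaped so the angle brackets survive rendering).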
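Review bot: The reworded sentence in the third hunk has a doubled article, 'work toward a the finished `failregex`', and the semicolon that follows introduces an appositive rather than a second clause, so a colon fits better. Suggest: 'With a working matching pattern (albeit a failed but overly-broad pattern), we can then work toward the finished `failregex`: a full-blown but concise (yet flexible) pattern.'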