Hello,
I'm testing all my F2B filters and I'm experiencing a weird issue where it's not matching logs for w00tw00t filters.
Here is an example of a line I'm trying to match:
123.123.123.123 - - [01/Jan/2018:23:59:59 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 924
Here is the w00tw00t filter configuration I have:
# [INCLUDES]
# Retrieve the _apache_error_client pattern for our failregex expression
# before = apache-common.conf
[Definition]
# failregex = ^%(_apache_error_client)s .*w00tw00t
failregex = ^<HOST> - -.*"GET \/w00tw00t\.at\.ISC\.SANS\.DFind\:\).*".*
ignoreregex =
I'm using a tmp log file with 2 lines only (1 should match, 1 not). But the result of fail2ban-regex is:
Running tests
=============
Use failregex filter file : apache-w00tw00t, basedir: /etc/fail2ban
Use datepattern : Default Detectors
Use log file : ./w00tw00t
Use encoding : UTF-8
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
Lines: 2 lines, 0 ignored, 0 matched, 2 missed
[processed in 0.02 sec]
I Googled this and tried most of the suggestions I could find, but nothing is working. I also tried the Python regex tester from the doc, but even when it does match my lines, the fail2ban-regex command still says all lines are missed...
The weird thing is "Failregex: 0 total", while, if I pass the failregex directly to the command fail2ban-regex it works correctly...
Any help will be appreciated.
Thanks.
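Added example, not part of the original post: one way to check the posted filter outside fail2ban-regex is to read its [Definition] section with Python's configparser and apply the resulting failregex to the sample line. The helper names are hypothetical, the `<HOST>` replacement is a simplified IPv4-only stand-in (an assumption), the second log line is constructed, and fail2ban's own date detection is not reproduced.

```python
import configparser
import re

# Filter text as posted above; the commented-out lines are kept to show
# that the parser ignores them.
FILTER_CONF = r"""
# [INCLUDES]
# before = apache-common.conf
[Definition]
# failregex = ^%(_apache_error_client)s .*w00tw00t
failregex = ^<HOST> - -.*"GET \/w00tw00t\.at\.ISC\.SANS\.DFind\:\).*".*
ignoreregex =
"""

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST_PATTERN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

LOG_LINES = [
    # Line quoted in the post.
    '123.123.123.123 - - [01/Jan/2018:23:59:59 +0100] '
    '"GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 924',
    # Constructed benign line that must not match.
    '123.123.123.124 - - [01/Jan/2018:23:59:59 +0100] '
    '"GET /index.html HTTP/1.1" 200 512',
]

def load_failregexes(conf_text):
    """Return the non-empty failregex lines found under [Definition]."""
    parser = configparser.RawConfigParser()  # raw: no %(...)s interpolation
    parser.read_string(conf_text)
    raw = parser.get("Definition", "failregex")
    return [line.strip() for line in raw.splitlines() if line.strip()]

def compile_failregex(expr):
    """Substitute the <HOST> tag and compile the expression."""
    return re.compile(expr.replace("<HOST>", HOST_PATTERN))

def matched_hosts(conf_text, lines):
    """Return the host captured from every line that a failregex matches."""
    regexes = [compile_failregex(e) for e in load_failregexes(conf_text)]
    hosts = []
    for line in lines:
        match = next((m for m in (rx.search(line) for rx in regexes) if m), None)
        if match:
            hosts.append(match.group("host"))
    return hosts

if __name__ == "__main__":
    print("loaded failregex:", load_failregexes(FILTER_CONF))
    print("matched hosts:", matched_hosts(FILTER_CONF, LOG_LINES))
```

If this reports one loaded expression and one matched host, the expression itself is sound, and the "Failregex: 0 total" result points at how the filter file is located or parsed rather than at the regex.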