
I'm trying to get this regex working in Fail2Ban:

SRC=(?<ADDR>.*) DST.*(?=DPT=5003)

In a regex tester it works fine. When testing in Fail2Ban, I get this error:

ERROR: Unable to compile regular expression 'SRC=(?\[?(?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})|(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):)))\]?.*) DST.*(?=DPT=5003)'

This is a line from the log I want to crawl:

Jul 14 13:30:44 servername kernel: [  803.539059] [UFW BLOCK] IN=eth0 OUT= MAC=somemacadress SRC=somesourceip DST=somedestinationip LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=18692 DF PROTO=TCP SPT=50852 DPT=5003 WINDOW=14600 RES=0x00 SYN URGP=0

Basically I want to block an IP if there is a block on DPT=5003

Can somebody help?

Thanks!

error401

2 Answers


The regex SRC=(?<ADDR>.*) DST.*(?=DPT=5003) uses the PCRE named capture group syntax ?<ADDR>, which fail2ban, being written in Python, doesn't understand and doesn't use. You need to use fail2ban's own substitution <HOST> to capture the IP or hostname. See the Developing Filters page in the fail2ban docs.

Update: <ADDR> substitution is also recognized, but isn't documented in the page I linked.

AlexD

Normally it'd be enough to fix the typo: either use (?:...) (note the :), or remove the group parentheses:

- SRC=(?<ADDR>.*) DST.*(?=DPT=5003)
+ SRC=<ADDR>.* DST.*(?=DPT=5003)
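Review bot: the `+` line compiles, but `(?=DPT=5003)` is only a prefix check, so the expression also matches a block on DPT=50030 through DPT=50039, and the two `.*` runs scan the whole remainder of the line before the lookahead is tried. End the port with a separator, e.g. `DPT=5003(?: |$)` or `DPT=5003\b`, and replace the `.*` runs with field-specific patterns such as `DST=\S+`.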

But this RE is vulnerable (no anchors, contains catch-alls, etc.)... For a better failregex example see https://github.com/fail2ban/fail2ban/pull/2225#issuecomment-766087078

sebres
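The following is an added worked example, not part of the question or of either answer, that reproduces the compile error both answers explain and compares the three regex forms against constructed log lines. It assumes that fail2ban's <ADDR> substitution is a plain textual replacement with the pattern visible in the question's error message (everything between "SRC=(?" and ".*) DST" there; real fail2ban versions may differ), it searches the whole raw line with re.search instead of modelling fail2ban's date stripping and __prefix_line handling, and its "tight" regex is my own suggestion for an anchored field-by-field form, not the one sebres links. The log lines are constructed from the shape of the line in the question, with documentation addresses in place of the placeholders.

```python
import re

# What fail2ban substituted for <ADDR>, copied from the compile error quoted in
# the question. Assumption: the substitution is a plain textual replacement.
ADDR = (
    r"\[?(?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})"
    r"|(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):)))\]?"
)

# The three regex forms under discussion.
BROKEN = r"SRC=(?<ADDR>.*) DST.*(?=DPT=5003)"       # PCRE named group: (?<...>
TYPO_FIXED = r"SRC=<ADDR>.* DST.*(?=DPT=5003)"      # sebres' one-line fix
# Assumed tighter form: every field matched explicitly, port followed by a
# separator so DPT=50031 cannot match. Not taken from the linked fail2ban issue.
TIGHT = (
    r"\[UFW BLOCK\] IN=\S+ OUT=\S* MAC=\S+ SRC=<ADDR> DST=\S+ LEN=\d+ TOS=\S+ "
    r"PREC=\S+ TTL=\d+ ID=\d+ (?:DF )?PROTO=TCP SPT=\d+ DPT=5003(?: |$)"
)


def expand(failregex):
    """Mimic fail2ban's <ADDR> substitution (assumed to be a textual replace)."""
    return failregex.replace("<ADDR>", ADDR)


def compiles(failregex):
    """True if the expanded failregex is accepted by Python's re module."""
    try:
        re.compile(expand(failregex))
        return True
    except re.error:
        # e.g. "unknown extension ?\[": this is the error fail2ban reports
        return False


def ufw_line(src, dpt):
    """Constructed UFW BLOCK kernel line in the shape shown in the question."""
    return (
        "Jul 14 13:30:44 servername kernel: [  803.539059] [UFW BLOCK] IN=eth0 OUT= "
        "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
        f"SRC={src} DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=18692 DF "
        f"PROTO=TCP SPT=50852 DPT={dpt} WINDOW=14600 RES=0x00 SYN URGP=0"
    )


# Constructed sample input (TEST-NET addresses, not real hosts).
LOG_LINES = [
    ufw_line("203.0.113.7", 5003),   # the case the asker wants to ban
    ufw_line("203.0.113.8", 22),     # different port: must not match
    ufw_line("203.0.113.9", 50031),  # 5003 is a prefix of 50031: lookahead trap
]


def banned_addresses(failregex, lines):
    """Addresses the failregex would hand to fail2ban, one per matching line."""
    pattern = re.compile(expand(failregex))
    hits = []
    for line in lines:
        m = pattern.search(line)
        if m:
            hits.append(m.group("ip4") or m.group("ip6"))
    return hits


if __name__ == "__main__":
    print("BROKEN compiles:", compiles(BROKEN))
    print("TYPO_FIXED bans:", banned_addresses(TYPO_FIXED, LOG_LINES))
    print("TIGHT bans:", banned_addresses(TIGHT, LOG_LINES))
```

Running it shows the broken form failing to compile (Python rejects the `(?\[` that the substitution produces), the one-line fix banning both the DPT=5003 and the DPT=50031 source, and the field-by-field form banning only the DPT=5003 source. The port separator is the part that matters for correctness; the explicit fields mainly keep the expression from backtracking across the whole line.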