I'm trying to get this regex working in Fail2Ban:
SRC=(?<ADDR>.*) DST.*(?=DPT=5003)
In a regex tester it works fine. When testing in Fail2Ban, I get this error:
ERROR: Unable to compile regular expression 'SRC=(?\[?(?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})|(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):)))\]?.*) DST.*(?=DPT=5003)'
This is a line from the log I want to crawl:
Jul 14 13:30:44 servername kernel: [ 803.539059] [UFW BLOCK] IN=eth0 OUT= MAC=somemacadress SRC=somesourceip DST=somedestinationip LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=18692 DF PROTO=TCP SPT=50852 DPT=5003 WINDOW=14600 RES=0x00 SYN URGP=0
Basically I want to block an IP if there is a block on DPT=5003.
Can somebody help?
Thanks!
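An added example, not part of the original post and not Fail2Ban's own code: it reproduces the compile error by substituting the `<ADDR>` expansion shown in the error message above into the posted pattern, then checks a rewritten pattern that uses `<ADDR>` as a bare tag and bounds the port so `DPT=50030` does not match. The `expand` helper is a hypothetical, simplified stand-in for the tag substitution, the rewritten pattern is a suggestion, and the log lines are constructed with documentation addresses.

```python
import re

# Expansion of the <ADDR> tag, copied from the error message in the post.
ADDR_EXPANSION = (
    r"\[?(?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})"
    r"|(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):)))\]?"
)

ORIGINAL = r"SRC=(?<ADDR>.*) DST.*(?=DPT=5003)"   # pattern from the post
REWRITTEN = r"SRC=<ADDR> DST=\S+ .*\bDPT=5003\b"  # suggested form (assumption)

# Constructed sample lines in the UFW format quoted in the post.
PREFIX = "Jul 14 13:30:44 servername kernel: [ 803.539059] [UFW BLOCK] IN=eth0 OUT= "
LINES = [
    PREFIX + "MAC=00:00:5e:00:53:01 SRC=203.0.113.7 DST=198.51.100.10 LEN=60 "
             "PROTO=TCP SPT=50852 DPT=5003 WINDOW=14600 RES=0x00 SYN URGP=0",
    PREFIX + "MAC=00:00:5e:00:53:01 SRC=203.0.113.8 DST=198.51.100.10 LEN=60 "
             "PROTO=TCP SPT=50853 DPT=50030 WINDOW=14600 RES=0x00 SYN URGP=0",
    PREFIX + "MAC=00:00:5e:00:53:01 SRC=203.0.113.9 DST=198.51.100.10 LEN=60 "
             "PROTO=TCP SPT=50854 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0",
]

def expand(failregex):
    """Hypothetical helper: replace the <ADDR> tag before compiling."""
    return failregex.replace("<ADDR>", ADDR_EXPANSION)

def compile_error(failregex):
    """Return the regex compile error text, or None if the pattern compiles."""
    try:
        re.compile(expand(failregex))
        return None
    except re.error as exc:
        return str(exc)

def banned_ip(failregex, line):
    """Return the source address the pattern would report for this line."""
    match = re.search(expand(failregex), line)
    if match is None:
        return None
    return match.group("ip4") or match.group("ip6")

if __name__ == "__main__":
    # "(?<ADDR>" loses its "<ADDR>" to the substitution, leaving "(?\[?...".
    print("original :", compile_error(ORIGINAL))
    print("rewritten:", compile_error(REWRITTEN))
    for line in LINES:
        print(banned_ip(REWRITTEN, line))
```

The posted pattern fails because `<ADDR>` inside `(?<ADDR>...)` is consumed as a tag, which leaves `(?\[?` where a group name was intended.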