I need some help creating a regular expression for failregex to find and ban the source IP (e.g. for SRC=192.168.0.1, ban the IP 192.168.0.1) from this log line:

[ATT] Suspect: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=192.168.0.1 DST=192.168.0.100 LEN=37 TOS=0x00 PREC=0x00 TTL=13 ID=56037 PROTO=TCP SPT=21 DPT=35 LEN=60

Thanks in advance

Kiwi

1 Answer


Assuming that the [ATT] Suspect: part indicates that you want to match this entry:

^\[ATT\] Suspect: .*SRC=<HOST>
mgorven
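To check the answer's failregex offline before dropping it into a jail, here is an added example (not part of the question or answer) that expands the <HOST> token the way fail2ban does and runs the pattern over a few constructed kernel-log lines. The expansion string is the one fail2ban 0.8 used in regex.py, quoted from memory, so treat it as an assumption; newer releases use a more elaborate pattern but still name the group "host".

```python
import re

# fail2ban substitutes <HOST> with a named group that captures the address.
# Assumption: this is the fail2ban 0.8 expansion from regex.py.
HOST_EXPANSION = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex proposed in the answer.
FAILREGEX = r"^\[ATT\] Suspect: .*SRC=<HOST>"


def compile_failregex(failregex):
    """Expand <HOST> as fail2ban does and compile the resulting pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_EXPANSION))


def extract_hosts(failregex, lines):
    """Return the SRC address from every line the failregex matches."""
    pattern = compile_failregex(failregex)
    hosts = []
    for line in lines:
        match = pattern.search(line)
        if match:
            hosts.append(match.group("host"))
    return hosts


# Constructed sample lines: the one from the question, a second hit with a
# different SRC, an unrelated firewall message, and a line that still carries
# the syslog hostname and "kernel:" prefix (fail2ban strips only the date).
SAMPLE_LINES = [
    "[ATT] Suspect: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx "
    "SRC=192.168.0.1 DST=192.168.0.100 LEN=37 TOS=0x00 PREC=0x00 TTL=13 "
    "ID=56037 PROTO=TCP SPT=21 DPT=35 LEN=60",
    "[ATT] Suspect: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx "
    "SRC=10.0.0.7 DST=192.168.0.100 LEN=40 PROTO=TCP SPT=4444 DPT=22",
    "[UFW BLOCK] IN=eth0 OUT= SRC=172.16.5.9 DST=192.168.0.100 PROTO=UDP",
    "myhost kernel: [ATT] Suspect: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.0.100",
]

if __name__ == "__main__":
    for host in extract_hosts(FAILREGEX, SAMPLE_LINES):
        print("would ban", host)
```

The fourth sample line is deliberately not matched: the ^ anchor only works if nothing but the timestamp precedes [ATT] in the real log, so if your syslog lines keep the hostname and "kernel:" prefix you must include that prefix in the pattern or drop the anchor. The same check against the real file can be done with fail2ban's own tool: fail2ban-regex /path/to/logfile '^\[ATT\] Suspect: .*SRC=<HOST>'.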