EXIM的Fail2Ban正则表达式(TCP / IP连接计数)
[英]Fail2Ban regex for EXIM (TCP/IP connection count)
问题描述
I am trying to create a regex condition for the exim filter of Fail2Ban. 
我正在尝试为Fail2Ban的exim筛选器创建一个正则表达式条件。 In my exim log, I have entries like this: 在我的进出口日志中,我有以下条目:
2014-11-27 17:09:05 SMTP connection from [42.117.255.244] (TCP/IP connection count = 1) 2014-11-27 17:09:05来自[42.117.255.244]的SMTP连接(TCP / IP连接计数= 1)
2014-11-27 17:09:14 SMTP connection from [118.68.249.18] (TCP/IP connection count = 2) 2014-11-27 17:09:14来自[118.68.249.18]的SMTP连接(TCP / IP连接计数= 2)
2014-11-27 17:09:15 SMTP connection from [113.188.85.220] (TCP/IP connection count = 3) 2014-11-27 17:09:15来自[113.188.85.220]的SMTP连接(TCP / IP连接计数= 3)
So I need a regex filter which analyzes the exim log, and if TCP/IP connection count > 3, then fail2ban will block that ip for the amount of time specified in fail2ban configuration. 因此,我需要一个用于分析exim日志的正则表达式过滤器,并且如果TCP / IP连接计数> 3,则fail2ban将在fail2ban配置中指定的时间内阻止该ip。
What I have tried so far is something like this: 到目前为止我尝试过的是这样的:
failregex = ^%(pid)s SMTP connection from \\S+ [](:\\d+)? failregex = ^%(pid)s来自\\ S + [](:\\ d +)的SMTP连接? (I=[\\S+]:\\d+ )?(TCP/IP connection count = "\\S+")\\s*$ (I = [\\ S +]:\\ d +)?(TCP / IP连接计数=“ \\ S +”)\\ s * $
but it fails ... I am not any good at regex so I need your help. 但是它失败了。。。我对正则表达式没有任何帮助,所以我需要您的帮助。
Thank you! 谢谢!
1 个解决方案
解决方案1
0 2014-11-27 15:34:04
[ \S]+?SMTP connection from \S+? \(TCP\/IP connection count = (?!\b1\b|\b2\b|\b3\b)\d+\)
Try this.See demo. 试试看。看演示。
http://regex101.com/r/hQ9xT1/10 http://regex101.com/r/hQ9xT1/10
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.