[BR]: ignoreregex are ignored if the line does not match "failregex" (making them more like "ignorematchingregex") #3694

Closed
1 of 3 tasks
aschor opened this issue Mar 11, 2024 · 1 comment


aschor commented Mar 11, 2024

Environment:

  • Fail2Ban version : 1.1.0.1 (git master branch)
  • OS, including release name/version : ubuntu 14.04, but latest pypy3
  • Fail2Ban installed via OS/distribution mechanisms
  • You have not applied any additional foreign patches to the codebase
  • Some customizations were done to the configuration (provide details below if so)

The issue:

fail2ban-regex (and others?) MISS lines that match "ignoreregex" if that same line does not match "failregex". It seems to me that ignore is just ignore, and that one should not have to match the lines to then ignore them. No?

Steps to reproduce

fail2ban-regex "1234" "aaaa<HOST>.*" ".*1234.*"

Expected behavior

Lines: 1 lines, 1 ignored, 0 matched, 0 missed

Observed behavior

root@ubuntu14:/etc/fail2ban# fail2ban-regex "1234" "aaaa<HOST>.*"  ".*1234.*"

Running tests
=============

Use   failregex line : aaaa<HOST>.*
Use ignoreregex line : .*1234.*
Use      single line : 1234


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:

Lines: 1 lines, 0 ignored, 0 matched, 1 missed
[processed in 0.04 sec]

|- Missed line(s):
|  1234
-

Any additional information

How come ".*1234.*" would not match? ...

Well... it does... if I first modify the "failregex" to also match!:

root@ubuntu14:/etc/fail2ban# fail2ban-regex "1234" "<HOST>.*"  ".*1234.*"

Running tests
=============

Use   failregex line : <HOST>.*
Use ignoreregex line : .*1234.*
Use      single line : 1234


Results
=======

Failregex: 0 total

Ignoreregex: 1 total
|-  #) [# of hits] regular expression
|   1) [1] .*1234.*
-

Date template hits:

Lines: 1 lines, 1 ignored, 0 matched, 0 missed
[processed in 0.04 sec]

|- Ignored line(s):
|  1234
-

Relevant parts of /var/log/fail2ban.log file:

none

@aschor aschor added the bug label Mar 11, 2024
sebres (Contributor) commented Mar 11, 2024

The ignoreregex is applied only if the message first matched failregex. Otherwise it simply makes no sense.
If the lines do not match failregex, they are considered missed (no matter whether they would match ignoreregex or not).

Also note that ignoreregex is an atavism (retained for backwards compatibility only); normally the filter doesn't need it at all.
The messages can always be "ignored" by a more precise failregex, or even, if expected, with a negative lookahead (or lookbehind).
For instance:

$ fail2ban-regex "test 192.0.2.1" "^\w+ <ADDR>"

Lines: 1 lines, 0 ignored, 1 matched, 0 missed

$ fail2ban-regex "test 192.0.2.1" "^\w+ <ADDR>" "^test"

Lines: 1 lines, 1 ignored, 0 matched, 0 missed

$ fail2ban-regex 'test 192.0.2.1' '^(?!test)\w+ <ADDR>'

Lines: 1 lines, 0 ignored, 0 matched, 1 missed

(Sure, the line is then considered as missed, but the goal is to exclude it from matched, and this goal is reached with a single regex).

@sebres closed this as not planned Mar 11, 2024
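
The evaluation order described in the reply above, replayed against the commands from both comments, as an added Python model (not Fail2Ban's own code and not part of the thread). The `<HOST>`/`<ADDR>` expansions are simplified IPv4/hostname stand-ins assumed for illustration, and `classify` and `CASES` are hypothetical names.

```python
import re

# Assumption: simplified stand-ins for Fail2Ban's tag expansions
# (the real ones are more elaborate and also cover IPv6).
TAGS = {
    "<ADDR>": r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3})",
    "<HOST>": r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}|[\w\-.]*\w)",
}


def expand(regex):
    """Substitute the tag stand-ins and compile the expression."""
    for tag, pattern in TAGS.items():
        regex = regex.replace(tag, pattern)
    return re.compile(regex)


def classify(line, failregex, ignoreregex=()):
    """Return 'matched', 'ignored' or 'missed' for one log line."""
    ignores = [re.compile(r) for r in ignoreregex]
    for fail in map(expand, failregex):
        if not fail.search(line):
            continue
        # ignoreregex is consulted only after a failregex has matched.
        if any(ign.search(line) for ign in ignores):
            return "ignored"
        return "matched"
    # No failregex matched: the line is missed, whatever ignoreregex says.
    return "missed"


# The command lines from the thread: (line, failregex, ignoreregex).
CASES = [
    ("1234", [r"aaaa<HOST>.*"], [r".*1234.*"]),
    ("1234", [r"<HOST>.*"], [r".*1234.*"]),
    ("test 192.0.2.1", [r"^\w+ <ADDR>"], []),
    ("test 192.0.2.1", [r"^\w+ <ADDR>"], [r"^test"]),
    ("test 192.0.2.1", [r"^(?!test)\w+ <ADDR>"], []),
]

if __name__ == "__main__":
    for line, fail, ignore in CASES:
        print(f"{classify(line, fail, ignore):8} {line!r} fail={fail} ignore={ignore}")
```

Only the "matched" outcome can lead to a ban; "ignored" and "missed" differ in how the line is counted in the fail2ban-regex summary.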