正则表达式与测试字符串不匹配
Regular Expression does not match test string
为什么以下正则表达式与以下文本不匹配?
正则表达式:
\[\]\s\[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client <HOST>(:\d{1,5})?\] ModSecurity:\s+(?:\[(?:\w+ \"[^\"]*\"|[^\]]*)\]\s*)*Access denied with code [45]\d\d
测试字符串:
[Sun Mar 15 22:28:19.733272 2018] [:error] [pid 11954] [client 188.191.122.27:62165] [client 188.191.122.27] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 4 at TX:anomaly_score. [file ".../modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "63.60.128.135"] [uri "/phpmyadmin/phpmyadmin/index.php"] [unique_id "W0uuY3C8AA4EAA5OC7wBAAAH"]
这是 fail2ban 的预定义规则和地址已更改的随机 apache 日志条目。
一开始以为是客户端登录了两次,所以改了客户端行:
(\[client <HOST>(:\d{1,5})?\])+
但这似乎也没有用。
为了弄清楚事情:
Regular expressions (failregex, ignoreregex) assume that the date/time has been removed from the log line (this is just how fail2ban works internally ATM).
If the format is like „<date...> error 1.2.3.4 is evil“ then you need to match the < at the start so regex should be similar to „^<> <HOST> is evil$„ using <HOST> where the IP/domain name appears in the log line.
(取自 fail2ban 文档:https://fail2ban.readthedocs.io/en/latest/filters.html)(我将此写为代码,因为 Whosebug 似乎无法在引号中显示特定字符。)
我或多或少是正则表达式的新手,所以感谢您的帮助。
你很接近。当您为多个客户端添加重复组时,您没有包含分隔它们的 space。
\[\]\s\[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])?( \[client <HOST>(:\d{1,5})?\])+ ModSecurity:\s+(?:\[(?:\w+ \"[^\"]*\"|[^\]]*)\]\s*)*Access denied with code [45]\d\d
为什么以下正则表达式与以下文本不匹配?
正则表达式:
\[\]\s\[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client <HOST>(:\d{1,5})?\] ModSecurity:\s+(?:\[(?:\w+ \"[^\"]*\"|[^\]]*)\]\s*)*Access denied with code [45]\d\d
测试字符串:
[Sun Mar 15 22:28:19.733272 2018] [:error] [pid 11954] [client 188.191.122.27:62165] [client 188.191.122.27] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 4 at TX:anomaly_score. [file ".../modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "63.60.128.135"] [uri "/phpmyadmin/phpmyadmin/index.php"] [unique_id "W0uuY3C8AA4EAA5OC7wBAAAH"]
这是 fail2ban 的预定义规则和地址已更改的随机 apache 日志条目。
一开始以为是客户端登录了两次,所以改了客户端行:
(\[client <HOST>(:\d{1,5})?\])+
但这似乎也没有用。
为了弄清楚事情:
Regular expressions (failregex, ignoreregex) assume that the date/time has been removed from the log line (this is just how fail2ban works internally ATM).
If the format is like „<date...> error 1.2.3.4 is evil“ then you need to match the < at the start so regex should be similar to „^<> <HOST> is evil$„ using <HOST> where the IP/domain name appears in the log line.
(取自 fail2ban 文档:https://fail2ban.readthedocs.io/en/latest/filters.html)(我将此写为代码,因为 Whosebug 似乎无法在引号中显示特定字符。)
我或多或少是正则表达式的新手,所以感谢您的帮助。
你很接近。当您为多个客户端添加重复组时,您没有包含分隔它们的 space。
\[\]\s\[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])?( \[client <HOST>(:\d{1,5})?\])+ ModSecurity:\s+(?:\[(?:\w+ \"[^\"]*\"|[^\]]*)\]\s*)*Access denied with code [45]\d\d