I'm trying to create/test a multiline fail2ban match. Here's the current test -- with the log lines and regex:

    fail2ban-regex -L 5 \
    "Dec 2 14:43:42 mail postfix/psint/smtpd[19539]: NOQUEUE: client=mail2.dytelworld.com[202.88.131.156]
    Dec 2 14:43:43 mail postfix/preq/smtpd[19580]: 3tYgdR3dQ1z2wJ2: client=localhost[127.0.0.1], orig_client=mail2.dytelworld.com[202.88.131.156]
    Dec 2 14:43:43 mail postfix/cleanup[19588]: 3tYgdR3dQ1z2wJ2: milter-reject: END-OF-MESSAGE from localhost[127.0.0.1]: 5.7.1 Virus: Porcupine.Phishing.20003.UNOFFICIAL; from=<h...@dytelworld.com> to=<mya...@mydomain.com> proto=ESMTP helo=<dytelworld.com>" \
    "^.*NOQUEUE:.*client=\S+\[<HOST>\].*\n.*postfix/preq/smtpd.*orig_client=.*\n.*postfix/cleanup.*milter-reject:.*5.7.1 Virus:.*$"

It's failing to hit:

    Results
    =======

    Failregex: 0 total

    Ignoreregex: 0 total

    Date template hits:
    |- [# of hits] date format
    |  [1] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
    `-

    Lines: 1 lines, 0 ignored, 0 matched, 1 missed [processed in 0.00 sec]
    |- Missed line(s):
    |  Dec 2 14:43:42 mail postfix/psint/smtpd[19539]: NOQUEUE: client=mail2.dytelworld.com[202.88.131.156]
       Dec 2 14:43:43 mail postfix/preq/smtpd[19580]: 3tYgdR3dQ1z2wJ2: client=localhost[127.0.0.1], orig_client=mail2.dytelworld.com[202.88.131.156]
       Dec 2 14:43:43 mail postfix/cleanup[19588]: 3tYgdR3dQ1z2wJ2: milter-reject: END-OF-MESSAGE from localhost[127.0.0.1]: 5.7.1 Virus: Porcupine.Phishing.20003.UNOFFICIAL; from=<h...@dytelworld.com> to=<mya...@mydomain.com> proto=ESMTP helo=<dytelworld.com>

and I can't manage to see why. Is my regex not viable? Or is my multiline test format wrong?

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users