-
-
Notifications
You must be signed in to change notification settings - Fork 368
Regex
Jeff Johnson edited this page Sep 20, 2023
·
8 revisions
IPBan uses regular expressions extensively. There are typically done with an ipaddress group for blocking or allowing ip addresses.
The following groups must exist in the regex:
-
ipaddress
- an ip address or DNS name (if ip address parsing fails) -
ipaddress_exact
- in lieu ofipaddress
, this must be an ip address and no dns fallback will be used
Optional groups:
-
username
- the username that was attacked -
username_base64
- base64 encoded username, will be decoded -
timestamp
- the date/time of the attack. Local time is assumed unless the date/time has timezone info in it -
timestamp_utc
- the date/time of the attack. UTC is assumed unless the date/time has timezone info in it -
source
- the source of the attack, i.e. SMTP, SSH, RDP, etc. -
source_[name]
- source with underscore and then the name of the source, if this group matches that source will be used if no other source is found -
log
- the relevant part of the log that triggered ipban, i.e.failed password
Note that the source is usually included in the log file or event viewer entry in the config, so using source or source with underscore is only needed if multiple sources are being parsed from a single log file.
Please use https://regex101.com/ for testing out your regular expressions:
- Paste in your regex
- Paste in your log file snippet
- Make sure to select .NET/C# on the left hand side
- Change "gm" to "gmi" on the regex bar (global, multi-line, case insensitive)
More regex tutorials/info: https://www.regular-expressions.info/
IPBan (c) 2012-Present Digital Ruby, LLC - https://ipban.com