why did you wrote {9} instead of {3} as it was in the original post?
a hexadecimal value can be: [0-9a-fA-F], so an ip can be:




_____________________________________
If someone helps you, or you approve of what's posted, click the "Add to Reputation" button, on the left of the post.
Happy with solution ... mark as SOLVED
(located in the "thread tools")

with this failregex :
failregex = WARNING: ClusteredCache - Internal error receiving remote cache packet [(<HOST> ) -\ (\.[0-9a-fA-F][0-9a-fA-F]){9})]: java.io.EOFException
it gives me this error :
2012-06-18 15:30:17,615 fail2ban.filter : ERROR Unable to compile regular expression 'WARNING: ClusteredCache - Internal error receiving remote cache packet [((?:::f{4,6}?(?P<host>[\w\-.^_]+) ) -\ (\.[0-9a-fA-F][0-9a-fA-F]){9})]: java.io.EOFException'

and with this one :
failregex = WARNING: ClusteredCache - Internal error receiving remote cache packet [<HOST> - (\.[0-9a-fA-F][0-9a-fA-F]){9})]: java.io.EOFException
gives me this:
2012-06-18 15:32:43,808 fail2ban.filter : ERROR Unable to compile regular expression 'WARNING: ClusteredCache - Internal error receiving remote cache packet [(?:::f{4,6}?(?P<host>[\w\-.^_]+) - (\.[0-9a-fA-F][0-9a-fA-F]){9})]: java.io.EOFException'

Your question keeps changing!!!

To match a string of hex:

[0-9a-fA-F]*

but you have spaces before each pair, so:
or maybe:
the second one allows for an optional space at the end

He does not want to match the IP---only the hex string AFTER the IP

that is not an IP, that is probably a mac address. you can use probably the following regex:

_____________________________________
If someone helps you, or you approve of what's posted, click the "Add to Reputation" button, on the left of the post.
Happy with solution ... mark as SOLVED
(located in the "thread tools")

failregex = WARNING: ClusteredCache - Internal error receiving remote cache packet [<HOST> - ([ 0-9a-fA-F]+)]: java.io.EOFException

gives this error :
2012-06-18 15:43:16,810 fail2ban.filter : ERROR Unable to compile regular expression 'WARNING: ClusteredCache - Internal error receiving remote cache packet [(?:::f{4,6}?(?P<host>[\w\-.^_]+) - ([ 0-9a-fA-F]+)]: java.io.EOFException'

so I will block the ip's manually for now !
and will change things, until I get some thing !

thank you all for all the helps !

will post my results later !!!!

papampi;

first, go back to a question I asked earlier: Does this program accept extended regex syntax?

second, the regex your just tried will match at least one instance of a space followed by ONE hex character. You have a sequence of space followed by TWO hex characters. See the code that I suggested.

But first, we have to know what kind of regex your program will accept......

dont know what do you mean by extended regex
here is the fail2ban manual : http://www.fail2ban.org/wiki/index.php/MANUAL_0_8

yes, and it told: python style regexp: http://docs.python.org/library/re.html

OK---forget "extended" regexes---use the Python rules. (I tried to see if they look like extended regex rules, but my brain has exceeded its daily quota..... )

what I found: you can use this page to test python regexps. You have [ and ] in the original text, you need to escape them in a regexp, so you need to use: \[ and \]. The regexp generated from <HOST> does not match ip addresses like 1.2.3.4 (but hostnames, like a.b.c.d).
this looks now ok, but I'm not really sure:

_____________________________________
If someone helps you, or you approve of what's posted, click the "Add to Reputation" button, on the left of the post.
Happy with solution ... mark as SOLVED
(located in the "thread tools")

Yes it does, it handles both IP addresses and FQDNs and you can verify that by running fail2ban-regex on some log lines.


Either
or the shorter
will do.

1 members found this post helpful.

Thanks man !
It works !!!!

so it means we dont need to insert the full line from log file in failregex ?
and some small part of log where the ip is located will do the job ?