Following are some logs from ASA, I need to capture following group for IP address, seq number (3327 in this case) and user name (abcd_user.name).
I have tried following regex but the username is capturing with brackets.
https://regex101.com/r/NbyYyp/1
Feb 10 13:22:55 90.23.222.10 : %ASA-6-302020: Built inbound ICMP connection for faddr 10.34.27.20/0 gaddr 10.23.24.2/33327 laddr 10.23.24.2/33327
Feb 10 13:22:51 90.27.29.8 : %ASA-6-302020: Built inbound ICMP connection for faddr 90.23.40.16/1(LOCAL\abcd_user.name) gaddr 172.20.220.27/0 laddr 172.20.20.7/0 (abcd_user.name)
Feb 10 13:22:55 90.22.22.15 : %ASA-6-302020: Built inbound ICMP connection for faddr 10.34.27.2/0 gaddr 10.34.21.29/33327 laddr 10.34.21.29/33327
Your help is much appreciated.
You may use
302020: Built inbound.*faddr\s+([^\/]*)\/\d+(.*(gaddr\s+([^\/]+))\/(\d+) laddr([^\/]+)\/\d+)(?:\s*\(([^()]*)\))?
See the regex demo
The last (.*) capturing group just captured all text to the end of the line. I replaced it with (?:\s*\(([^()]*)\))?, an optional non-capturing group that matches 1 or 0 occurrences of
\s* - 0+ whitespaces
\( - a ( char
([^()]*) - Capturing group: any 0+ chars other than ( and )
\) - a ) char.
Related
I'm trying to create a deployment on Kubernetes but getting this error;
http.paths[0].backend.service.port.name: Invalid value: \"<deployment-name>-service\": must be no more than 15 characters"
I don't have any chance to interfere to the port name directly, but deployment name. I have to pass long deployment name, but it's not possible right now. How can I solve this issue?
You can not disable or increase port name length in kubernetes . As #Sascha Doerdelmann mentioned, it's a k8s limitation that port names are 15 characters.
According to RFC 6335.
Valid service names are hereby normatively defined as follows:
MUST be at least 1 character and no more than 15 characters long.
MUST contain only US-ASCII [ANSI.X3.4-1986] letters 'A' - 'Z' and
'a' - 'z', digits '0' - '9', and hyphens ('-', ASCII 0x2D or
decimal 45).
MUST contain at least one letter ('A' - 'Z' or 'a' - 'z').
MUST NOT begin or end with a hyphen.
hyphens MUST NOT be adjacent to other hyphens.
you can truncate the value and set it to the limit that is allowed
- port: {{ .Values.service.port }}
targetPort: http
protocol: TCP
name: {{ include "helm-chart.fullname" . | trunc 7 }}-service
helm-fuction-trunc
I can't manage to find the error preventing fail2ban to match these lines:
Apr 19 20:17:12 localhost sm-mta[201892]: ruleset=check_relay, arg1=[12.345.7.789], arg2=12.345.7.789, relay=host.hostname.com [12.345.7.789] (may be forged), reject=421 4.3.2 Connection rate limit exceeded.
Apr 19 20:17:53 localhost sm-mta[201902]: 13JIHpTD201902: [12.345.7.789] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v4
Here is the associated fail2ban configuration:
[Definition]
_daemon = (?:(sm-(mta|acceptingconnections)|sendmail))
__prefix_line = %(known/__prefix_line)s(?:\w{14,20}: )?
prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID><F-CONTENT>.+</F-CONTENT>$
cmnfailre = ^ruleset=check_relay, arg1=(?P<dom>\S+), arg2=(?:IPv6:<IP6>|<IP4>), relay=((?P=dom) )?\[(\d+\.){3}\d+\](?: \(may be forged\))?, reject=421 4\.3\.2 (Connection rate limit exceeded\.|Too many open connections\.)$
^(?:\S+ )?\[(?:IPv6:<IP6>|<IP4>)\](?: \(may be forged\))? did not issue (?:[A-Z]{4}[/ ]?)+during connection to (?:TLS)?M(?:TA|S[PA])(?:-\w+)?$
I am testing with fail2ban-regex test-mail.log /etc/fail2ban/filter.d/sendmail-reject.conf
Resulting in:
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [5] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-
Lines: 5 lines, 0 ignored, 0 matched, 5 missed
[processed in 0.00 sec]
Any idea ?
Thanks !
The second message (did not issue MAIL/EXPN/VRFY/ETRN) can be found if you would set mode aggressive by sendmail-reject jail (after this fix, e. g. v.0.10.6 and 0.11.2).
There was indeed no exact rule for the first message (rate limit exceeded) matching this kind of message exactly, due to different handling on the arguments, but...
I fixed this now in f0214b3 on github.
Unless not released you can extend it by yourselves either in filter (copy & paste from github filter) or directly in jail:
[sendmail-reject]
enabled = true
mode = aggressive
failregex = %(known/failregex)s
^ruleset=check_relay(?:, arg\d+=\S*)*, relay=(\S+ )?\[?<ADDR>\]?(?: \(may be forged\))?, reject=421 4\.3\.2 (Connection rate limit exceeded\.|Too many open connections\.)$"
^(?:\S+ )?\[<ADDR>\](?: \(may be forged\))? did not issue \S+ during connection
I'm trying to manipulate a string and the first step is to truncate the variable after a combination, so first I create the var:
SERVER_CONFIGURATION_FILE=$(curl some remove url)
And now my $SERVER_CONFIGURATION_FILE is something like that
client
dev tun
proto udp
remote 192.145.127.237 1194
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
comp-lzo no
remote-cert-tls server
auth-user-pass
verb 3
pull
fast-io
cipher AES-256-CBC
auth SHA512
<ca>
-----BEGIN CERTIFICATE-----
MIIFCjCCAvKgAwIBAgIBATANBgkqhkiG9w0BAQ0FADA5MQswCQYDVQQGEwJQQTEQ
MA4GA1UEChMHTm9yZFZQTjEYMBYGA1UEAxMPTm9yZFZQTiBSb290IENBMB4XDTE2
MDEwMTAwMDAwMFoXDTM1MTIzMTIzNTk1OVowOTELMAkGA1UEBhMCUEExEDAOBgNV
BAoTB05vcmRWUE4xGDAWBgNVBAMTD05vcmRWUE4gUm9vdCBDQTCCAiIwDQYJKoZI
hvcNAQEBBQADggIPADCCAgoCggIBAMkr/BYhyo0F2upsIMXwC6QvkZps3NN2/eQF
kfQIS1gql0aejsKsEnmY0Kaon8uZCTXPsRH1gQNgg5D2gixdd1mJUvV3dE3y9FJr
XMoDkXdCGBodvKJyU6lcfEVF6/UxHcbBguZK9UtRHS9eJYm3rpL/5huQMCppX7kU
eQ8dpCwd3iKITqwd1ZudDqsWaU0vqzC2H55IyaZ/5/TnCk31Q1UP6BksbbuRcwOV
skEDsm6YoWDnn/IIzGOYnFJRzQH5jTz3j1QBvRIuQuBuvUkfhx1FEwhwZigrcxXu
MP+QgM54kezgziJUaZcOM2zF3lvrwMvXDMfNeIoJABv9ljw969xQ8czQCU5lMVmA
37ltv5Ec9U5hZuwk/9QO1Z+d/r6Jx0mlurS8gnCAKJgwa3kyZw6e4FZ8mYL4vpRR
hPdvRTWCMJkeB4yBHyhxUmTRgJHm6YR3D6hcFAc9cQcTEl/I60tMdz33G6m0O42s
Qt/+AR3YCY/RusWVBJB/qNS94EtNtj8iaebCQW1jHAhvGmFILVR9lzD0EzWKHkvy
WEjmUVRgCDd6Ne3eFRNS73gdv/C3l5boYySeu4exkEYVxVRn8DhCxs0MnkMHWFK6
MyzXCCn+JnWFDYPfDKHvpff/kLDobtPBf+Lbch5wQy9quY27xaj0XwLyjOltpiST
LWae/Q4vAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqG
SIb3DQEBDQUAA4ICAQC9fUL2sZPxIN2mD32VeNySTgZlCEdVmlq471o/bDMP4B8g
nQesFRtXY2ZCjs50Jm73B2LViL9qlREmI6vE5IC8IsRBJSV4ce1WYxyXro5rmVg/
k6a10rlsbK/eg//GHoJxDdXDOokLUSnxt7gk3QKpX6eCdh67p0PuWm/7WUJQxH2S
DxsT9vB/iZriTIEe/ILoOQF0Aqp7AgNCcLcLAmbxXQkXYCCSB35Vp06u+eTWjG0/
pyS5V14stGtw+fA0DJp5ZJV4eqJ5LqxMlYvEZ/qKTEdoCeaXv2QEmN6dVqjDoTAo
k0t5u4YRXzEVCfXAC3ocplNdtCA72wjFJcSbfif4BSC8bDACTXtnPC7nD0VndZLp
+RiNLeiENhk0oTC+UVdSc+n2nJOzkCK0vYu0Ads4JGIB7g8IB3z2t9ICmsWrgnhd
NdcOe15BincrGA8avQ1cWXsfIKEjbrnEuEk9b5jel6NfHtPKoHc9mDpRdNPISeVa
wDBM1mJChneHt59Nh8Gah74+TM1jBsw4fhJPvoc7Atcg740JErb904mZfkIEmojC
VPhBHVQ9LHBAdM8qFI2kRK0IynOmAZhexlP/aT/kpEsEPyaZQlnBn3An1CRz8h0S
PApL8PytggYKeQmRhl499+6jLxcZ2IegLfqq41dzIjwHwTMplg+1pKIOVojpWA==
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
e685bdaf659a25a200e2b9e39e51ff03
0fc72cf1ce07232bd8b2be5e6c670143
f51e937e670eee09d4f2ea5a6e4e6996
5db852c275351b86fc4ca892d78ae002
d6f70d029bd79c4d1c26cf14e9588033
cf639f8a74809f29f72b9d58f9b8f5fe
fc7938eade40e9fed6cb92184abb2cc1
0eb1a296df243b251df0643d53724cdb
5a92a1d6cb817804c4a9319b57d53be5
80815bcfcb2df55018cc83fc43bc7ff8
2d51f9b88364776ee9d12fc85cc7ea5b
9741c4f598c485316db066d52db4540e
212e1518a9bd4828219e24b20d88f598
a196c9de96012090e333519ae18d3509
9427e7b372d348d352dc4c85e18cd4b9
3f8a56ddb2e64eb67adfc9b337157ff4
-----END OpenVPN Static key V1-----
</tls-auth>
From here I want to delete all after <ca> tag
I tried various way, but every time the result is the same, I don't know what I do wrong
The last I tried is
echo "$SERVER_CONFIGURATION_FILE" | sed 's/<c[.\s\S\d\D\w\W]*//'
but remove only <ca and nothing more and the funny is that under regex101 this regex works
I feel pretty stupid but I can't find what I miss!
Any idea?
Please note that I'm under sh with busybox 1.30
Is this what you're trying to do?
$ awk '/<ca>/{exit} 1' file
client
dev tun
proto udp
remote 192.145.127.237 1194
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
comp-lzo no
remote-cert-tls server
auth-user-pass
verb 3
pull
fast-io
cipher AES-256-CBC
auth SHA512
if your text is in a variable or coming from a pipe otherwise then just call it like this:
echo "$SERVER_CONFIGURATION_FILE" | awk '/<ca>/{exit} 1'
You don't need sed or awk for that. You can do it directly in the shell like this:
SERVER_CONFIGURATION_FILE="${SERVER_CONFIGURATION_FILE%%<ca>*}"
(Tested in dash; I assume busybox sh works the same way.)
${var%%pattern} expands to the contents of var, but with the longest suffix matching the glob pattern pattern stripped away.
The main problem with your sed attempt is that sed reads input one line at a time, so matches from one line wouldn't affect the other lines. (Also, your regex is slightly crazy and doesn't work like that in sed anyway.)
A working sed solution:
sed '/<ca>/{x;q}'
Or, perhaps more directly:
sed -n '/<ca>/q; p'
I.e. do not print by default; if line matches <ca>, quit; otherwise print and read the next line.
I get email alerts that are generated by a user on one of my servers. These alerts are generated by server#######.com and they have to do with third party software not working properly.
I'm trying to use procmail to copy (as I want to keep receiving these) these emails to ABC#XYZ.com.
I'm looking for emails that, in their body, have "C:" followed by 6 characters, a dot, and 3 more characters. All of that is working fine, but I want the third party to get these emails from me bruno#XXXXXX.com rather than server.
How can I copy the email to a third party AND change the from address to be bruno#XXXXX.com?
Here's the procmail file:
cat .procmailrc
DROPPRIVS=yes
LOGFILE=$HOME/procmail.log
:0 c:
* B ?? C:......\....
! ABC#XYZ.com
:0 B:
* ^To: .*alerts#XXXXXX.com
! bruno#XXXXXX.com
Inject the headers you want with formail before piping to sendmail. (Recall that ! is basically a shorthand for | $SENDMAIL $SENDMAILFLAGS.)
Do I understand correctly that the first recipe is the one you would like to modify?
:0 c # No lockfile when forwarding
* B ?? C:......\....
| formail -I 'From: bruno#XXXXXX.com' \
| $SENDMAIL $SENDMAILFLAGS ABC#XYZ.com
Your second recipe similarly should not have a lock file; see http://www.iki.fi/era/procmail/mini-faq.html#locking
We have a part of a mail filter that denies emailing system accounts for security purposes. We recently had a user created that ends in "bin". The bin user is restricted, but the user, lets say l.parrbin, gets flagged via the syntax below:
my #sysaccounts = qw(
root bin daemon adm lp sync shutdown halt mail
news uucp operator games gopher ftp nobody nscd
vcsa rpc mailnull smmsp apache pcap ntp dbus
avahi rpcusder nfsnobody sshd haldaemon xfs defang
clamav monit mysql decode webmaster mailer-daemon
nagios
);
foreach $acct(#sysaccounts){
if ($recip =~ /$acct\#/i){
md_syslog('info', 'Sysaccount Discard');
return('REJECT', "We do not accept messages to system accounts ($acct)");
}
}
How would I prevent the above code from returning REJECT if a name ends or starts with a name from the sysaccounts?
Try doing this :
if ($recip =~ /^$acct\#/i){
# ^
In regex, ^ is an anchor meaning beginning of line (string here)