From a58fcb87867f1ec83b98da224872041244f69843 Mon Sep 17 00:00:00 2001 From: sebres Date: Mon, 14 Nov 2022 19:00:08 +0100 Subject: [PATCH] fix cut out of match for pattern with `{EPOCH}` (similar to other datepatterns group capturing whole regex only added if no groups specified at all); allows to specify more precise anchored patterns, for example `datepattern = ^type=\S+ msg=audit\(({EPOCH})` for selinux-filters --- fail2ban/server/datetemplate.py | 6 ++++-- fail2ban/tests/datedetectortestcase.py | 9 +++++++++ 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/fail2ban/server/datetemplate.py b/fail2ban/server/datetemplate.py index e02772d850..518805bbe0 100644 --- a/fail2ban/server/datetemplate.py +++ b/fail2ban/server/datetemplate.py @@ -227,8 +227,10 @@ def __init__(self, lineBeginOnly=False, pattern=None, longFrm=False): self.name = "LongEpoch" if not pattern else pattern epochRE = r"\d{10,11}(?:\d{3}(?:\.\d{1,6}|\d{3})?)?" if pattern: - # pattern should capture/cut out the whole match: - regex = "(" + RE_EPOCH_PATTERN.sub(lambda v: "(%s)" % epochRE, pattern) + ")" + # pattern should find the whole pattern, but cut out grouped match (or whole match if no groups specified): + regex = RE_EPOCH_PATTERN.sub(lambda v: "(%s)" % epochRE, pattern) + if not RE_GROUPED.search(pattern): + regex = "(" + regex + ")" self._grpIdx = 2 self.setRegex(regex) elif not lineBeginOnly: diff --git a/fail2ban/tests/datedetectortestcase.py b/fail2ban/tests/datedetectortestcase.py index 83dd26719e..bc33bc0528 100644 --- a/fail2ban/tests/datedetectortestcase.py +++ b/fail2ban/tests/datedetectortestcase.py @@ -119,6 +119,15 @@ def testGetEpochPattern(self): log = log % dateLong datelog = self.datedetector.getTime(log) self.assertFalse(datelog) + + def testGetEpochPatternCut(self): + self.__datedetector = DateDetector() + self.__datedetector.appendTemplate(r'^type=\S+ msg=audit\(({EPOCH})') + # correct epoch time and cut out epoch string only (captured group only, not the whole match): + line = "type=USER_AUTH msg=audit(1106513999.000:987)" + datelog = self.datedetector.getTime(line) + timeMatch = datelog[1] + self.assertEqual([int(datelog[0]), line[timeMatch.start(1):timeMatch.end(1)]], [1106513999, '1106513999.000']) def testGetTime(self): log = "Jan 23 21:59:59 [sshd] error: PAM: Authentication failure"