Regular expression to match multiple different lines

Time: 2018-06-19 23:49:14

Tags: regex

I have the file shown below, and I am hoping there is some regex that can parse it and give output like the following:

139.162.78.135:41448 TLS Error: TLS handshake failed

139.162.78.135:41448 Connection reset, restarting

TLS Error: incoming packet authentication failed from [AF_INET]139.162.78.135:41448

139.162.78.135:41448 Fatal TLS Error

139.162.78.135:41448 VERIFY ERROR

139.162.78.135:41448 Bad encapsulated packet length

Note: this is for a program called fail2ban, so that I can easily ban these IPs that are trying to break into the server.

I tried to parse the connection reset line like this: \d+\.\d+\.\d+\.\d+:\d+ Connection reset, restarting, but I don't know how to form another expression that can match the rest in one go.

Jun 19 04:27:29 Server ovpn-openvpn_tcp[856]: 139.162.78.135:41448 Connection reset, restarting [0]
Jun 19 04:27:29 Server ovpn-openvpn_tcp[856]: 139.162.78.135:41448 SIGUSR1[soft,connection-reset] received, client-instance restarting
Jun 19 04:27:29 Server ovpn-openvpn_tcp[856]: TCP connection established with [AF_INET]139.162.78.135:41828
Jun 19 04:27:29 Server ovpn-openvpn_tcp[856]: 139.162.78.135:41828 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Jun 19 04:27:29 Server ovpn-openvpn_tcp[856]: 139.162.78.135:41828 Connection reset, restarting [0]
Jun 19 04:27:29 Server ovpn-openvpn_tcp[856]: 139.162.78.135:41828 SIGUSR1[soft,connection-reset] received, client-instance restarting
Jun 19 04:52:47 Server ovpn-openvpn_tcp[856]: TCP connection established with [AF_INET]67.52.172.103:2577
Jun 19 04:52:47 Server ovpn-openvpn_tcp[856]: 67.52.172.103:2577 Connection reset, restarting [0]
Jun 19 04:52:47 Server ovpn-openvpn_tcp[856]: 67.52.172.103:2577 SIGUSR1[soft,connection-reset] received, client-instance restarting
Jun 19 04:52:48 Server ovpn-openvpn_tcp[856]: TCP connection established with [AF_INET]67.52.172.103:63975
Jun 19 04:52:48 Server ovpn-openvpn_tcp[856]: 67.52.172.103:63975 Connection reset, restarting [-1]
Jun 19 04:52:48 Server ovpn-openvpn_tcp[856]: 67.52.172.103:63975 SIGUSR1[soft,connection-reset] received, client-instance restarting
Jun 19 04:56:52 Server ovpn-openvpn_udp[811]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]185.200.118.55:55292
Jun 19 09:17:44 Server ovpn-openvpn_tcp[856]: TCP connection established with [AF_INET]154.16.133.10:13456
Jun 19 09:17:44 Server ovpn-openvpn_tcp[856]: 154.16.133.10:13456 Connection reset, restarting [-1]
Jun 19 09:17:44 Server ovpn-openvpn_tcp[856]: 154.16.133.10:13456 SIGUSR1[soft,connection-reset] received, client-instance restarting
Jun 19 09:17:44 Server ovpn-openvpn_tcp[856]: TCP connection established with [AF_INET]154.16.133.10:13769
Jun 19 09:17:59 Server ovpn-openvpn_tcp[856]: 154.16.133.10:13769 Connection reset, restarting [-1]
Jun 19 09:17:59 Server ovpn-openvpn_tcp[856]: 154.16.133.10:13769 SIGUSR1[soft,connection-reset] received, client-instance restarting
Jun 19 09:19:25 Server ovpn-openvpn_tcp[856]: TCP connection established with [AF_INET]184.105.139.70:50240
Jun 19 09:19:26 Server ovpn-openvpn_tcp[856]: 184.105.139.70:50240 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Jun 19 09:19:26 Server ovpn-openvpn_tcp[856]: 184.105.139.70:50240 Connection reset, restarting [0]
Jun 19 09:19:26 Server ovpn-openvpn_tcp[856]: 184.105.139.70:50240 SIGUSR1[soft,connection-reset] received, client-instance restarting
Jun 19 14:11:58 Server ovpn-openvpn_tcp[856]: TCP connection established with [AF_INET]223.146.71.5:59970
Jun 19 14:11:58 Server ovpn-openvpn_tcp[856]: 223.146.71.5:59970 Connection reset, restarting [0]
Jun 19 14:11:58 Server ovpn-openvpn_tcp[856]: 223.146.71.5:59970 SIGUSR1[soft,connection-reset] received, client-instance restarting
Jun 19 14:11:59 Server ovpn-openvpn_tcp[856]: TCP connection established with [AF_INET]223.146.71.5:60145
Jun 19 14:11:59 Server ovpn-openvpn_tcp[856]: 223.146.71.5:60145 WARNING: Bad encapsulated packet length from peer (21331), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Jun 19 14:11:59 Server ovpn-openvpn_tcp[856]: 223.146.71.5:60145 Connection reset, restarting [0]
Jun 19 14:11:59 Server ovpn-openvpn_tcp[856]: 223.146.71.5:60145 SIGUSR1[soft,connection-reset] received, client-instance restarting
Jun 19 14:25:16 Server ovpn-openvpn_tcp[856]: TCP connection established with [AF_INET]112.113.195.89:3079
Jun 19 14:26:16 Server ovpn-openvpn_tcp[856]: 112.113.195.89:3079 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jun 19 14:26:16 Server ovpn-openvpn_tcp[856]: 112.113.195.89:3079 TLS Error: TLS handshake failed
Jun 19 14:26:16 Server ovpn-openvpn_tcp[856]: 112.113.195.89:3079 Fatal TLS error (check_tls_errors_co), restarting
Jun 19 14:26:17 Server ovpn-openvpn_tcp[856]: 112.113.195.89:3079 SIGUSR1[soft,tls-error] received, client-instance restarting
Jun 19 16:27:19 Server ovpn-openvpn_tcp[856]: TCP connection established with [AF_INET]213.202.230.144:2616
Jun 19 16:28:19 Server ovpn-openvpn_tcp[856]: 213.202.230.144:2616 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jun 19 16:28:19 Server ovpn-openvpn_tcp[856]: 213.202.230.144:2616 TLS Error: TLS handshake failed
Jun 19 16:28:19 Server ovpn-openvpn_tcp[856]: 213.202.230.144:2616 Fatal TLS error (check_tls_errors_co), restarting
Jun 19 16:28:19 Server ovpn-openvpn_tcp[856]: 213.202.230.144:2616 SIGUSR1[soft,tls-error] received, client-instance restarting
Jun 19 16:59:10 Server ovpn-openvpn_udp[811]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]185.200.118.41:40431
Jun 19 19:00:17 Server ovpn-openvpn_tcp[856]: TCP connection established with [AF_INET]178.73.215.171:23509
Jun 19 19:00:17 Server ovpn-openvpn_tcp[856]: 178.73.215.171:23509 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Jun 19 19:00:17 Server ovpn-openvpn_tcp[856]: 178.73.215.171:23509 Connection reset, restarting [0]
Jun 19 19:00:17 Server ovpn-openvpn_tcp[856]: 178.73.215.171:23509 SIGUSR1[soft,connection-reset] received, client-instance restarting

2 answers:

Answer 0 (score: 1)

Use | to separate the different alternatives you want to capture. Since most of the alternatives start with an IP address, you can share the IP-matching regex across all of them.

Here is a regex with some "formatting" to make it easier to see what is going on; in the real regex, remove the unnecessary spaces and line breaks:

\d+\.\d+\.\d+\.\d+:\d+ 
    (?:
        Connection reset, restarting
    |   TLS Error: TLS handshake failed
    |   Fatal TLS Error
    |   VERIFY ERROR
    |   Bad encapsulated packet length
    )
|   TLS Error: incoming packet authentication failed from [AF_INET]\d+\.\d+\.\d+\.\d+:\d+

Demo.

Answer 1 (score: 1)

I think this question can be split into two parts:

  1. what regex to use to express the pattern,
  2. how to capture the IP addresses the OP is interested in.

Expressing the pattern with the "or" and "group" operators

I think the several possibilities that follow the IP address can be handled with the | operator and the ( ) grouping operator:

\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d{1,5} (Connection reset|TLS Error|Fatal TLS Error|VERIFY ERROR|Bad encapsulated packet length)

The more complicated case is the possibility that the IP address appears at the end, for example the message

Jun 19 16:59:10 Server ovpn-openvpn_udp[811]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]185.200.118.41:40431

I think a quick-and-dirty solution could be to wrap this case in a pair of ( ), wrap the other case in another pair of ( ), and then join the two with |:

((TLS Error.+\[AF_INET\])(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d{1,5}))|(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d{1,5} (Connection reset|TLS Error|Fatal TLS Error|VERIFY ERROR|Bad encapsulated packet length))

With this regex the user can get the lines that contain the interesting patterns. The pattern includes the IP address and the error message; now, going one step further, the user can extract the parts of interest (in this case, the IP address and port number).

Returning only the matched parts

To tell the regex that some parts are not part of the match result (e.g. they only serve as delimiters), you can declare them as "lookaheads" ((?=blah blah)). Below shows how a one-liner with grep extracts the intruders:

$ grep -P "((?=TLS Error.+\[AF_INET\])(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d{1,5}))|((\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d{1,5}) (?=Connection reset|TLS Error|Fatal TLS Error|VERIFY ERROR|Bad encapsulated packet length))" -o temp.txt

67.52.172.103:63975
154.16.133.10:13456
154.16.133.10:13769
184.105.139.70:50240
223.146.71.5:59970
223.146.71.5:60145
112.113.195.89:3079
112.113.195.89:3079
213.202.230.144:2616
213.202.230.144:2616
178.73.215.171:23509

-o tells grep to return only the matched parts; -P tells grep to use PCRE regex instead of POSIX regex.

Hope this helps!
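The following is an added worked example, not code from either answer or from the OpenVPN or fail2ban projects. It applies the approach from both answers above (one shared IP/port sub-pattern, an alternation over the host-first messages, and a separate pattern for the host-last "from [AF_INET]..." messages) in Python, which is what fail2ban itself is written in and whose filters place a `<HOST>` tag where the named `host` group sits here. Two practitioner points it makes concrete: Python's `re` does not allow the same group name twice in one pattern, so the host-first and host-last cases are kept as two compiled patterns, mirroring how a fail2ban filter lists several `failregex` lines; and extracting the address from the "cannot locate HMAC" lines needs the `[AF_INET]` prefix to sit before the capture rather than in a forward lookahead, which is why the grep output listed above contains no 185.200.118.x entries. The sample log is a constructed subset of the lines quoted in the question; `maxretry` and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample: a subset of the syslog lines quoted in the question.
SAMPLE_LOG = """\
Jun 19 04:27:29 Server ovpn-openvpn_tcp[856]: 139.162.78.135:41448 Connection reset, restarting [0]
Jun 19 04:27:29 Server ovpn-openvpn_tcp[856]: TCP connection established with [AF_INET]139.162.78.135:41828
Jun 19 04:27:29 Server ovpn-openvpn_tcp[856]: 139.162.78.135:41828 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Jun 19 04:56:52 Server ovpn-openvpn_udp[811]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]185.200.118.55:55292
Jun 19 14:26:16 Server ovpn-openvpn_tcp[856]: 112.113.195.89:3079 TLS Error: TLS handshake failed
Jun 19 14:26:16 Server ovpn-openvpn_tcp[856]: 112.113.195.89:3079 Fatal TLS error (check_tls_errors_co), restarting
Jun 19 16:59:10 Server ovpn-openvpn_udp[811]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]185.200.118.41:40431
"""

# Shared "address:port" sub-pattern; fail2ban would write <HOST> in place of the host group.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})"

# One compiled pattern per message shape (a named group may not repeat inside one pattern).
FAIL_PATTERNS = [
    # Host-first messages: "<ip>:<port> <error text>".
    re.compile(
        HOST
        + r" (?:Connection reset, restarting"
        + r"|TLS Error: TLS handshake failed"
        + r"|Fatal TLS [Ee]rror"          # the log writes "error", the question "Error"
        + r"|VERIFY ERROR"
        + r"|WARNING: Bad encapsulated packet length)"
    ),
    # Host-last messages: the address follows "from [AF_INET]".
    re.compile(
        r"TLS Error: (?:incoming packet authentication failed"
        r"|cannot locate HMAC in incoming packet) from \[AF_INET\]"
        + HOST
    ),
]


def extract_failures(log_text):
    """Return a list of (host, port) for every line that matches a failure pattern."""
    found = []
    for line in log_text.splitlines():
        for pattern in FAIL_PATTERNS:
            match = pattern.search(line)
            if match:
                found.append((match.group("host"), int(match.group("port"))))
                break  # one failure per line, whichever pattern hit first
    return found


def offenders(log_text, maxretry=2):
    """Count failures per source address and return those at or above maxretry,
    which is the same threshold logic fail2ban applies before issuing a ban."""
    counts = Counter(host for host, _port in extract_failures(log_text))
    return {host: n for host, n in counts.items() if n >= maxretry}


if __name__ == "__main__":
    for host, port in extract_failures(SAMPLE_LOG):
        print(f"{host}:{port}")
    print("ban candidates:", offenders(SAMPLE_LOG))
```

On the sample above, `extract_failures` yields six address/port pairs, including both `185.200.118.x` HMAC lines, and `offenders` with the default threshold returns the two addresses seen twice. The port is kept alongside the address only for reporting; bans, as in fail2ban, are keyed on the address, since the client port changes on every reconnect.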