Regex: a regular expression to match multiple different lines

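I have the file below, and I would like some regex that can parse the file and give me output such as

139.162.78.135:41448 TLS Error: TLS handshake failed

139.162.78.135:41448 Connection reset, restarting

TLS Error: incoming packet authentication failed from [AF_INET]139.162.78.135:41448

139.162.78.135:41448 Fatal TLS Error

139.162.78.135:41448 VERIFY ERROR

139.162.78.135:41448 Bad encapsulated packet length

Note: this is for a program called fail2ban, so that I can easily ban these IPs that are trying to break into my server.

I tried to parse the connection-reset line like this:
\d+\.\d+\.\d+\.\d+:\d+ Connection reset, restarting
but I don't know how to form another expression that can match the rest of them in one go.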

Jun 19 04:27:29 Server ovpn-openvpn_tcp[856]: 139.162.78.135:41448 Connection reset, restarting [0]
Jun 19 04:27:29 Server ovpn-openvpn_tcp[856]: 139.162.78.135:41448 SIGUSR1[soft,connection-reset] received, client-instance restarting
Jun 19 04:27:29 Server ovpn-openvpn_tcp[856]: TCP connection established with [AF_INET]139.162.78.135:41828
Jun 19 04:27:29 Server ovpn-openvpn_tcp[856]: 139.162.78.135:41828 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Jun 19 04:27:29 Server ovpn-openvpn_tcp[856]: 139.162.78.135:41828 Connection reset, restarting [0]
Jun 19 04:27:29 Server ovpn-openvpn_tcp[856]: 139.162.78.135:41828 SIGUSR1[soft,connection-reset] received, client-instance restarting
Jun 19 04:52:47 Server ovpn-openvpn_tcp[856]: TCP connection established with [AF_INET]67.52.172.103:2577
Jun 19 04:52:47 Server ovpn-openvpn_tcp[856]: 67.52.172.103:2577 Connection reset, restarting [0]
Jun 19 04:52:47 Server ovpn-openvpn_tcp[856]: 67.52.172.103:2577 SIGUSR1[soft,connection-reset] received, client-instance restarting
Jun 19 04:52:48 Server ovpn-openvpn_tcp[856]: TCP connection established with [AF_INET]67.52.172.103:63975
Jun 19 04:52:48 Server ovpn-openvpn_tcp[856]: 67.52.172.103:63975 Connection reset, restarting [-1]
Jun 19 04:52:48 Server ovpn-openvpn_tcp[856]: 67.52.172.103:63975 SIGUSR1[soft,connection-reset] received, client-instance restarting
Jun 19 04:56:52 Server ovpn-openvpn_udp[811]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]185.200.118.55:55292
Jun 19 09:17:44 Server ovpn-openvpn_tcp[856]: TCP connection established with [AF_INET]154.16.133.10:13456
Jun 19 09:17:44 Server ovpn-openvpn_tcp[856]: 154.16.133.10:13456 Connection reset, restarting [-1]
Jun 19 09:17:44 Server ovpn-openvpn_tcp[856]: 154.16.133.10:13456 SIGUSR1[soft,connection-reset] received, client-instance restarting
Jun 19 09:17:44 Server ovpn-openvpn_tcp[856]: TCP connection established with [AF_INET]154.16.133.10:13769
Jun 19 09:17:59 Server ovpn-openvpn_tcp[856]: 154.16.133.10:13769 Connection reset, restarting [-1]
Jun 19 09:17:59 Server ovpn-openvpn_tcp[856]: 154.16.133.10:13769 SIGUSR1[soft,connection-reset] received, client-instance restarting
Jun 19 09:19:25 Server ovpn-openvpn_tcp[856]: TCP connection established with [AF_INET]184.105.139.70:50240
Jun 19 09:19:26 Server ovpn-openvpn_tcp[856]: 184.105.139.70:50240 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Jun 19 09:19:26 Server ovpn-openvpn_tcp[856]: 184.105.139.70:50240 Connection reset, restarting [0]
Jun 19 09:19:26 Server ovpn-openvpn_tcp[856]: 184.105.139.70:50240 SIGUSR1[soft,connection-reset] received, client-instance restarting
Jun 19 14:11:58 Server ovpn-openvpn_tcp[856]: TCP connection established with [AF_INET]223.146.71.5:59970
Jun 19 14:11:58 Server ovpn-openvpn_tcp[856]: 223.146.71.5:59970 Connection reset, restarting [0]
Jun 19 14:11:58 Server ovpn-openvpn_tcp[856]: 223.146.71.5:59970 SIGUSR1[soft,connection-reset] received, client-instance restarting
Jun 19 14:11:59 Server ovpn-openvpn_tcp[856]: TCP connection established with [AF_INET]223.146.71.5:60145
Jun 19 14:11:59 Server ovpn-openvpn_tcp[856]: 223.146.71.5:60145 WARNING: Bad encapsulated packet length from peer (21331), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Jun 19 14:11:59 Server ovpn-openvpn_tcp[856]: 223.146.71.5:60145 Connection reset, restarting [0]
Jun 19 14:11:59 Server ovpn-openvpn_tcp[856]: 223.146.71.5:60145 SIGUSR1[soft,connection-reset] received, client-instance restarting
Jun 19 14:25:16 Server ovpn-openvpn_tcp[856]: TCP connection established with [AF_INET]112.113.195.89:3079
Jun 19 14:26:16 Server ovpn-openvpn_tcp[856]: 112.113.195.89:3079 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jun 19 14:26:16 Server ovpn-openvpn_tcp[856]: 112.113.195.89:3079 TLS Error: TLS handshake failed
Jun 19 14:26:16 Server ovpn-openvpn_tcp[856]: 112.113.195.89:3079 Fatal TLS error (check_tls_errors_co), restarting
Jun 19 14:26:17 Server ovpn-openvpn_tcp[856]: 112.113.195.89:3079 SIGUSR1[soft,tls-error] received, client-instance restarting
Jun 19 16:27:19 Server ovpn-openvpn_tcp[856]: TCP connection established with [AF_INET]213.202.230.144:2616
Jun 19 16:28:19 Server ovpn-openvpn_tcp[856]: 213.202.230.144:2616 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jun 19 16:28:19 Server ovpn-openvpn_tcp[856]: 213.202.230.144:2616 TLS Error: TLS handshake failed
Jun 19 16:28:19 Server ovpn-openvpn_tcp[856]: 213.202.230.144:2616 Fatal TLS error (check_tls_errors_co), restarting
Jun 19 16:28:19 Server ovpn-openvpn_tcp[856]: 213.202.230.144:2616 SIGUSR1[soft,tls-error] received, client-instance restarting
Jun 19 16:59:10 Server ovpn-openvpn_udp[811]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]185.200.118.41:40431
Jun 19 19:00:17 Server ovpn-openvpn_tcp[856]: TCP connection established with [AF_INET]178.73.215.171:23509
Jun 19 19:00:17 Server ovpn-openvpn_tcp[856]: 178.73.215.171:23509 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Jun 19 19:00:17 Server ovpn-openvpn_tcp[856]: 178.73.215.171:23509 Connection reset, restarting [0]
Jun 19 19:00:17 Server ovpn-openvpn_tcp[856]: 178.73.215.171:23509 SIGUSR1[soft,connection-reset] received, client-instance restarting
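Use | to separate the different options you want to capture. Since most of the options start with an IP address, you can share your IP-matching regex across all of them.

Here is a regex with some "formatting" to make it easier to understand what is going on; remove the unnecessary whitespace and line endings in the actual regex: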

\d+\.\d+\.\d+\.\d+:\d+ 
    (?:
        Connection reset, restarting
    |   TLS Error: TLS handshake failed
    |   Fatal TLS error
    |   VERIFY ERROR
    |   Bad encapsulated packet length
    )
|   TLS Error: incoming packet authentication failed from \[AF_INET\]\d+\.\d+\.\d+\.\d+:\d+

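I think this question can be divided into two parts:

  • what regex to use to express the pattern, and
  • how to capture the IP addresses the OP is interested in

    Expressing the pattern with the "or" and "group" operators

    I think the multiple possibilities after the IP address can be handled with the | operator and the () grouping operator: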

    \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d{1,5} (Connection reset|TLS Error|Fatal TLS Error|VERIFY ERROR|Bad encapsulated packet length)
    
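    A more complicated case is the possibility that the IP address appears last, for example in the message

    Jun 19 16:59:10 Server ovpn-openvpn_udp[811]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]185.200.118.41:40431

    I think a quick and dirty solution might be to wrap this case in one pair of (), wrap the other cases in another pair of (), and then wrap them together: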

    ((TLS Error.+\[AF_INET\])(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d{1,5}))|(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d{1,5} (Connection reset|TLS Error|Fatal TLS Error|VERIFY ERROR|Bad encapsulated packet length))
    
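    With this regex, the user will be able to get the lines that contain the interesting patterns. The pattern includes the IP address and the error message; with one more step, the user can extract the part of interest (in this case the IP address and port number).

    ---

    Returning only the matched part

    To tell the regex that some parts are not part of the match result (for example, they are used only as delimiters), you can declare them as "lookaheads" ((?=blah blah)). The following shows how a one-liner using grep can extract the intruders: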

    $ grep -P "((?=TLS Error.+\[AF_INET\])(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d{1,5}))|((\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d{1,5}) (?=Connection reset|TLS Error|Fatal TLS Error|VERIFY ERROR|Bad encapsulated packet length))" -o temp.txt
    
    67.52.172.103:63975
    154.16.133.10:13456
    154.16.133.10:13769
    184.105.139.70:50240
    223.146.71.5:59970
    223.146.71.5:60145
    112.113.195.89:3079
    112.113.195.89:3079
    213.202.230.144:2616
    213.202.230.144:2616
    178.73.215.171:23509
    
    -o tells grep to return only the matched part
    -P tells grep to use PCRE regular expressions instead of POSIX regular expressions

    Hope this may be useful.
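
The extraction both answers aim at, written as an added example that is not part of either answer: fail2ban applies its filters with Python's `re`, so it is shown in Python. It goes slightly beyond the answers by validating each address and counting failures per IP; the function names, the `maxretry` value of 2 and the choice of sample lines (taken from the question's log, one abridged) are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Lines taken from the log in the question (the WARNING line is abridged).
SAMPLE_LOG = """\
Jun 19 04:27:29 Server ovpn-openvpn_tcp[856]: TCP connection established with [AF_INET]139.162.78.135:41828
Jun 19 04:27:29 Server ovpn-openvpn_tcp[856]: 139.162.78.135:41828 WARNING: Bad encapsulated packet length from peer (18245)
Jun 19 04:27:29 Server ovpn-openvpn_tcp[856]: 139.162.78.135:41828 Connection reset, restarting [0]
Jun 19 04:56:52 Server ovpn-openvpn_udp[811]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]185.200.118.55:55292
Jun 19 14:26:16 Server ovpn-openvpn_tcp[856]: 112.113.195.89:3079 TLS Error: TLS handshake failed
Jun 19 14:26:16 Server ovpn-openvpn_tcp[856]: 112.113.195.89:3079 Fatal TLS error (check_tls_errors_co), restarting
"""

ADDR = r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})"
REASONS = ("Connection reset|TLS Error|Fatal TLS error|VERIFY ERROR"
           "|Bad encapsulated packet length")
# The daemon tag must directly precede the address (or the "TLS Error:" text),
# so addresses elsewhere in a line, e.g. "TCP connection established", are ignored.
FAILURE = re.compile(
    r"ovpn-\S+\[\d+\]: (?:"
    + ADDR + r" (?:WARNING: )?(" + REASONS + r")"     # groups 1-3: address first
    + r"|(TLS Error): .*\[AF_INET\]" + ADDR + r"$"    # groups 4-6: address last
    + r")"
)


def parse_failures(text):
    """Return [(ip, port, reason)] for each line that records a failed peer."""
    found = []
    for line in text.splitlines():
        m = FAILURE.search(line)
        if not m:
            continue
        ip, port, reason = m.group(1, 2, 3) if m.group(1) else m.group(5, 6, 4)
        try:
            ipaddress.ip_address(ip)          # drop impossible octets such as 999
        except ValueError:
            continue
        found.append((ip, int(port), reason))
    return found


def offenders(text, maxretry=2):
    """Addresses with at least `maxretry` failures (threshold value is assumed)."""
    counts = Counter(ip for ip, _, _ in parse_failures(text))
    return {ip: n for ip, n in counts.items() if n >= maxretry}
```

Capture groups, rather than a lookahead, are used for the address-last line because the `TLS Error ...` prefix has to be consumed before the address can be matched.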

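    What do you mean by "the rest"? What about the others? Otherwise, a lot of intelligence would need to be added to the regex.

    @sln, I only matched "Connection reset, restarting", but I also want to match the other options, such as "TLS Error" or "VERIFY ERROR", for all the IPs shown here, so that it gives the matches on new lines.

    (\d{3}\.\d{2,3}\.\d{2,3}\.\d{2,3}\:\d{4,6}) should capture the IP and port. You need more to capture the rest. If you want to capture each whole line, you can do this: (\d{3}\.\d{2,3}\.\d{2,3}\.\d{2,3}\:\d{4,6}.*$)

    I don't understand what you mean. I take it to mean the rest of the line. If you just want to strip off the initial part, you can also do this: *ovpn-openvpn{3}\[\d{3}\]\:\s(.*)$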