@@ -57,24 +57,49 @@ private void AssertLogFilesToParse(IPBanConfig cfg)
5757 {
5858 const int maxFileSize = 16777216 ;
5959 const int pingInterval = 10000 ;
60- const string pathAndMask1 = "/var/log/auth*.log\n /var/log/secure*" ;
61- const string pathAndMask2 = "/var/log/ipbancustom*.log" ;
62- const string pathAndMask3 = "C:/Program Files/Microsoft/Exchange Server/*.log" ;
63- const string pathAndMask4 = "C:/IPBanCustomLogs/*.log" ;
64- const string failedRegex1 = @"failed\s+password\s+for\s+(invalid\s+user\s+)?(?<username>.+?\s+)from\s+(?<ipaddress>.+?)\s+port\s+[0-9]+\s+ssh|did\s+not\s+receive\s+identification\s+string\s+from\s+(?<ipaddress>[^\s]+)|connection\s+closed\s+by\s+(invalid\s+user\s+)?(?<username>.+?\s+)?(?<ipaddress>.+?)\s+port\s+[0-9]+\s+\[preauth\]\s*(\(no\s+attempt\s+to\s+login\s+after\s+timeout\))?|disconnected\s+from\s+(invalid\s+user\s+)?(?<username>.+?)\s+(?<ipaddress>.+?)\s+port\s+[0-9]+\s+\[preauth\]|disconnected\s+from\s+(?<ipaddress>.+?)\s+port\s+[0-9]+\s+\[preauth\]|disconnected\s+from\s+authenticating\s+user\s+(?<username>.+?)\s+(?<ipaddress>.+?)\s+port\s+[0-9]+\s+\[preauth\]" ;
65- const string successRegex1 = @"Accepted\s+password\s+for\s+(?<username>.+?)\s+from\s+(?<ipaddress>.+?)\s+port\s+[0-9]+\s+ssh" ;
66- const string failedRegex2 = @"ipban\sfailed\slogin,\sip\saddress:\s(?<ipaddress>.+?),\ssource:\s(?<source>.+?),\suser:\s?(?<username>[^\s,]+)?" ;
67- const string successRegex2 = @"ipban\ssuccess\slogin,\sip\saddress:\s(?<ipaddress>.+?),\ssource:\s(?<source>.+?),\suser:\s?(?<username>[^\s,]+)?" ;
68- const string failedRegex3 = @".*?,.*?,.*?,.*?,(?<ipaddress>.+?),(?<username>.+?),.*?AuthFailed" ;
69- const string successRegex3 = @"" ;
70- const string failedRegex4 = @"ipban\sfailed\slogin,\sip\saddress:\s(?<ipaddress>.+?),\ssource:\s(?<source>.+?),\suser:\s?(?<username>[^\s,]+)?" ;
71- const string successRegex4 = @"ipban\ssuccess\slogin,\sip\saddress:\s(?<ipaddress>.+?),\ssource:\s(?<source>.+?),\suser:\s?(?<username>[^\s,]+)?" ;
72-
73- Assert . AreEqual ( 4 , cfg . LogFilesToParse . Count ) ;
74- AssertLogFileToParse ( cfg . LogFilesToParse [ 0 ] , failedRegex1 , maxFileSize , pathAndMask1 , pingInterval , "Linux" , false , "SSH" , successRegex1 ) ;
75- AssertLogFileToParse ( cfg . LogFilesToParse [ 1 ] , failedRegex2 , maxFileSize , pathAndMask2 , pingInterval , "Linux" , false , "IPBanCustom" , successRegex2 ) ;
76- AssertLogFileToParse ( cfg . LogFilesToParse [ 2 ] , failedRegex3 , maxFileSize , pathAndMask3 , pingInterval , "Windows" , true , "MSExchange" , successRegex3 ) ;
77- AssertLogFileToParse ( cfg . LogFilesToParse [ 3 ] , failedRegex4 , maxFileSize , pathAndMask4 , pingInterval , "Windows" , true , "IPBanCustom" , successRegex4 ) ;
60+
61+ // path and mask, fail expression, success expression, platform regex, recursive, source
62+ object [ ] logFileData = new object [ ]
63+ {
64+ "/var/log/auth*.log\n /var/log/secure*" ,
65+ @"failed\s+password\s+for\s+(invalid\s+user\s+)?(?<username>.+?\s+)from\s+(?<ipaddress>.+?)\s+port\s+[0-9]+\s+ssh|did\s+not\s+receive\s+identification\s+string\s+from\s+(?<ipaddress>[^\s]+)|connection\s+closed\s+by\s+(invalid\s+user\s+)?(?<username>.+?\s+)?(?<ipaddress>.+?)\s+port\s+[0-9]+\s+\[preauth\]\s*(\(no\s+attempt\s+to\s+login\s+after\s+timeout\))?|disconnected\s+from\s+(invalid\s+user\s+)?(?<username>.+?)\s+(?<ipaddress>.+?)\s+port\s+[0-9]+\s+\[preauth\]|disconnected\s+from\s+(?<ipaddress>.+?)\s+port\s+[0-9]+\s+\[preauth\]|disconnected\s+from\s+authenticating\s+user\s+(?<username>.+?)\s+(?<ipaddress>.+?)\s+port\s+[0-9]+\s+\[preauth\]" ,
66+ @"Accepted\s+password\s+for\s+(?<username>.+?)\s+from\s+(?<ipaddress>.+?)\s+port\s+[0-9]+\s+ssh" ,
67+ "Linux" , false , "SSH" ,
68+
69+ "/var/log/ipbancustom*.log" ,
70+ @"ipban\sfailed\slogin,\sip\saddress:\s(?<ipaddress>.+?),\ssource:\s(?<source>.+?),\suser:\s?(?<username>[^\s,]+)?" ,
71+ @"ipban\ssuccess\slogin,\sip\saddress:\s(?<ipaddress>.+?),\ssource:\s(?<source>.+?),\suser:\s?(?<username>[^\s,]+)?" ,
72+ "Linux" , false , "IPBanCustom" ,
73+
74+ "C:/Program Files/Microsoft/Exchange Server/*.log" ,
75+ @".*?,.*?,.*?,.*?,(?<ipaddress>.+?),(?<username>.+?),.*?AuthFailed" ,
76+ @"" ,
77+ "Windows" , true , "MSExchange" ,
78+
79+ "C:/Program Files/Smarter Tools/Smarter Mail/*.log\n C:/ Program Files(x86) / Smarter Tools / Smarter Mail/*.log\n C:/SmarterMail/logs/*.log\n C:/Smarter Mail/logs/*.log" ,
80+ @"\[(?<ipaddress>[^\]]+)\](\[.*?\]\s+)?((The domain given in the blocking rule EHLO command violates an EHLO SMTP\.\s*Any authentication attempts or RCPT commands will be rejected)|IP blocked by brute force abuse detection rule)" ,
81+ @"" ,
82+ "Windows" , true , "SmarterMail" ,
83+
84+ "C:/IPBanCustomLogs/*.log" ,
85+ @"ipban\sfailed\slogin,\sip\saddress:\s(?<ipaddress>.+?),\ssource:\s(?<source>.+?),\suser:\s?(?<username>[^\s,]+)?" ,
86+ @"ipban\ssuccess\slogin,\sip\saddress:\s(?<ipaddress>.+?),\ssource:\s(?<source>.+?),\suser:\s?(?<username>[^\s,]+)?" ,
87+ "Windows" , true , "IPBanCustom"
88+ } ;
89+
90+ Assert . AreEqual ( logFileData . Length / 6 , cfg . LogFilesToParse . Count ) ;
91+ for ( int i = 0 ; i < logFileData . Length ; i += 6 )
92+ {
93+ AssertLogFileToParse ( cfg . LogFilesToParse [ i / 6 ] ,
94+ ( string ) logFileData [ i + 1 ] ,
95+ maxFileSize ,
96+ ( string ) logFileData [ i ] ,
97+ pingInterval ,
98+ ( string ) logFileData [ i + 3 ] ,
99+ ( bool ) logFileData [ i + 4 ] ,
100+ ( string ) logFileData [ i + 5 ] ,
101+ ( string ) logFileData [ i + 2 ] ) ;
102+ }
78103 }
79104
80105 private void AssertEventViewerGroup ( EventViewerExpressionGroup group , string keywords , int windowsMinimumMajorVersion , int windowsMinimumMinorVersion ,
0 commit comments