diff --git a/config/filter.d/apache-auth.conf b/config/filter.d/apache-auth.conf
index 962fb2e..ee5eeca 100644
--- a/config/filter.d/apache-auth.conf
+++ b/config/filter.d/apache-auth.conf
@@ -5,6 +5,12 @@
 # $Revision$
 #
 
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = apache-common.conf
+
 [Definition]
 
 # Option:  failregex
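Review bot: The comment above `before` points at a file name that does not exist in this patch: customizations live in `apache-common.local`, and it is apache-common.conf's own `after = apache-common.local` that loads them, not this filter. Suggest `# Read common prefixes from apache-common.conf; site customizations, if any, belong in apache-common.local, which that file loads itself`. The same wording is repeated in the apache-nohome, apache-noscript and apache-overflows hunks below and should be fixed there too. The [Definition] section continues past the end of this hunk.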
@@ -14,9 +20,7 @@
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
-failregex = [[]client <HOST>[]] user .* authentication failure
-            [[]client <HOST>[]] user .* not found
-            [[]client <HOST>[]] user .* password mismatch
+failregex = ^%(_apache_error_client)s user .* (authentication failure|not found|password mismatch)\s*$
 
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
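Review bot: The leading `^%(_apache_error_client)s` is the part that closes the injection path, and it deserves a comment so nobody later "simplifies" it back to an unanchored `[client <HOST>]`; the remaining `.*` between `user` and the alternation is harmless only because the prefix is anchored. Suggest above failregex: `# Anchored on the full error-log prefix so request text that Apache logs later in the line cannot supply the <HOST> match; see testcases/files/logs/apache-auth.` One thing I cannot confirm from this patch is that the line handed to the regex still begins with the bracketed timestamp that `\[[^]]+\]` consumes; if the date matcher strips it first, the prefix never matches and the filter silently stops banning, so the new fixture should be exercised by a test that checks the "should match" line actually matches.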
diff --git a/config/filter.d/apache-common.conf b/config/filter.d/apache-common.conf
new file mode 100644
index 0000000..c3829e2
--- /dev/null
+++ b/config/filter.d/apache-common.conf
@@ -0,0 +1,17 @@
+# Generic configuration items (to be used as interpolations) in other
+# apache filters
+#
+# Author: Yaroslav Halchenko
+#
+#
+
+[INCLUDES]
+
+# Load customizations if any available
+after = apache-common.local
+
+
+[DEFAULT]
+
+# Common prefix for [error] apache messages which also would include <HOST>
+_apache_error_client = \[[^]]+\] \[error\] \[client <HOST>\]
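Review bot: `_apache_error_client` pins every filter that includes this file to the Apache 2.2 error_log layout without saying so; if I recall the 2.4 format correctly (`[date] [core:error] [pid N] [client IP:port] ...`), neither `\[error\]` nor `\[client <HOST>\]` matches there, so those filters would stop banning on 2.4 with no warning. Suggest documenting it next to the value: `# Matches the Apache 2.2 error_log prefix "[date] [error] [client IP]"; the 2.4 layout ("[core:error] [pid N] [client IP:port]") needs a separate pattern.` Since the value is consumed through `%(...)s` interpolation, a maintainer note that a literal `%` inside it must be written `%%` would also save a future debugging session. Placing it under `[DEFAULT]` is appropriate here because the interpolation syntax indicates a configparser-style reader, in which DEFAULT keys are visible from the including filter's [Definition] section.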
diff --git a/config/filter.d/apache-nohome.conf b/config/filter.d/apache-nohome.conf
index b6a0000..32ceebd 100644
--- a/config/filter.d/apache-nohome.conf
+++ b/config/filter.d/apache-nohome.conf
@@ -5,6 +5,12 @@
 # $Revision$
 #
 
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = apache-common.conf
+
 [Definition]
 
 # Option:  failregex
@@ -14,7 +20,7 @@
 #          per-domain log files.
 # Values:  TEXT
 #
-failregex = [[]client <HOST>[]] File does not exist: .*/~.*
+failregex = ^%(_apache_error_client)s File does not exist: .*/~.*
 
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
diff --git a/config/filter.d/apache-noscript.conf b/config/filter.d/apache-noscript.conf
index 4746fbf..20127e1 100644
--- a/config/filter.d/apache-noscript.conf
+++ b/config/filter.d/apache-noscript.conf
@@ -5,6 +5,12 @@
 # $Revision$
 #
 
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = apache-common.conf
+
 [Definition]
 
 # Option:  failregex
@@ -14,8 +20,8 @@
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
-failregex = [[]client <HOST>[]] (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)
-            [[]client <HOST>[]] script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat *$
+failregex = ^%(_apache_error_client)s (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)\s*$
+            ^%(_apache_error_client)s script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$
 
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
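Review bot: The first failregex changes more than the anchoring: the new `\s*$` after the extension group means the extension must now end the line, so a message like `File does not exist: /x/foo.php/extra` (path-info style) that the old pattern caught is no longer matched, while the second pattern still allows `\S*` after the extension inside the quotes. If that tightening is intended it is worth a line above failregex, e.g. `# First pattern requires the script extension at end of line; second allows trailing path-info inside the quoted name`; if not, dropping the `\s*$` on the first pattern restores the old coverage without reopening the injection, since the prefix anchor is what prevents it. The [Definition] section continues past the end of this hunk.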
diff --git a/config/filter.d/apache-overflows.conf b/config/filter.d/apache-overflows.conf
index 4567f7d..b33d81b 100644
--- a/config/filter.d/apache-overflows.conf
+++ b/config/filter.d/apache-overflows.conf
@@ -5,13 +5,19 @@
 # $Revision$
 #
 
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = apache-common.conf
+
 [Definition]
 
 # Option:  failregex
 # Notes.:  Regexp to catch Apache overflow attempts.
 # Values:  TEXT
 #
-failregex = [[]client <HOST>[]] (Invalid (method|URI) in request|request failed: URI too long|erroneous characters after protocol string)
+failregex = ^%(_apache_error_client)s (Invalid (method|URI) in request|request failed: URI too long|erroneous characters after protocol string)
 
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
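Review bot: This is the only rewritten failregex in the patch whose message alternation is left open at the end (apache-auth and apache-noscript gained `\s*$`), which looks deliberate — as far as I know Apache appends the offending request text after "Invalid method in request" and "erroneous characters after protocol string", so an end anchor would break matching — but nothing says so, and a later consistency pass could add one. Suggest above failregex: `# No trailing anchor: Apache appends the offending request text after these messages; the leading prefix anchor is what prevents log injection.` The [Definition] section continues past the end of this hunk.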
diff --git a/testcases/files/logs/apache-auth b/testcases/files/logs/apache-auth
new file mode 100644
index 0000000..cf0f6d3
--- /dev/null
+++ b/testcases/files/logs/apache-auth
@@ -0,0 +1,5 @@
+# Should not match -- DoS vector https://vndh.net/note:fail2ban-089-denial-service
+[Sat Jun 01 02:17:42 2013] [error] [client 192.168.33.1] File does not exist: /srv/http/site/[client 192.168.0.1] user root not found
+
+# should match
+[Sat Jun 01 02:17:42 2013] [error] [client 192.168.0.2] user root not found
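Review bot: Nothing in this patch consumes the two new sample logs — no test hunk references testcases/files/logs/apache-auth or apache-noscript — so the `# Should not match` / `# should match` expectations are documentation rather than an assertion, unless a harness outside this diff already walks that directory. If such a harness exists it should also be known to skip the `#` comment lines (on these anchored filters a comment line is simply another non-matching line, but the expectation should be explicit). The apache-noscript fixture in the hunk below carries no expectation comment at all; a one-line `# should match (second failregex)` would make its purpose clear.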
diff --git a/testcases/files/logs/apache-noscript b/testcases/files/logs/apache-noscript
new file mode 100644
index 0000000..5d5d35f
--- /dev/null
+++ b/testcases/files/logs/apache-noscript
@@ -0,0 +1 @@
+[Sun Jun 09 07:57:47 2013] [error] [client 192.0.43.10] script '/usr/lib/cgi-bin/gitweb.cgiwp-login.php' not found or unable to stat