{ "iptables_chain": "Firewall-1-Banned", "allowed_ips": [ "127.0.0.1" ], "/var/log/messages": [ { "name": "pure-ftpd - failed login", "date_format": "syslog", "rule": "^(\\w{3} \\d+ \\d{2}:\\d{2}:\\d{2}) \\w+ pure\\-ftpd: \\(\\?@([\\d.]+)+\\) \\[WARNING\\] (Authentication failed for user \\[.*?\\])", "format": "date_ip_message", "threshold": 5, "action": "ban", "ban_time": 21600 } ], "/var/log/audit/audit.log": [ { "name": "audit - failed ssh auth", "date_format": "epoch", "rule": "^type=USER_AUTH msg=audit\\((\\d+)[\\d.:]+\\): .* msg='PAM: authentication acct=\"(.*?)\" : exe=\".*/sshd\" \\(hostname=.*?, addr=([\\d.]+), terminal=.* res=failed\\)'", "format": "date_message_ip", "threshold": 6, "action": "ban", "ban_time": 86400 } ], "/var/log/httpd/*-access_log": [ { "name": "httpd - '=../' in the GET params", "date_format": "httpd", "rule": "^([\\d.]+) - - \\[(\\d+/[A-Za-z]+/\\d+:\\d+:\\d+:\\d+ [+-]\\d+)\\] (\"GET .*?=\\.\\./.*? HTTP/\\d.\\d\" \\d+ \\d+)", "format": "ip_date_message", "threshold": 1, "action": "ban", "ban_time": 86400 } ] }