Pattern

A pattern is essentially a regex.

It's included in Filters' regex to capture a specific part of the line, for example an IP or a username.

It's referenced in a Filter and Action by its name enclosed in < and >.

regex

The regex this pattern must match.

{
  patterns: {
    name: {
      regex: '[A-Z][a-z]*',
    },
  },
}

patterns:
  name:
    regex: '[A-Z][a-z]*'

Regex syntax is documented here

type

Available since v2.2.0.

reaction ships 3 special pattern types. Those types override the regex field, so there's no need to fill it. They enable the use of extra fields, described below.

  • ip, which matches both IPv4 and IPv6,
  • ipv4, which matches IPv4,
  • ipv6, which matches IPv6.

The default implicit type is regex, for non-IP regexes.

Patterns of type ip unlock the use of ipv4only and ipv6only in Actions.

{
  patterns: {
    ip: {
      type: 'ip',
    },
  },
}

patterns:
  ip:
    type: 'ip'

{
  patterns: {
    ip4: {
      type: 'ipv4',
    },
  },
}

patterns:
  ip4:
    type: 'ipv4'

ignore

A list of values to ignore.

{
  patterns: {
    name: {
      regex: '[A-Z][a-z]*',
      ignore: [
        'Alice',
        'Bob',
      ],
    },
  },
}

patterns:
  name:
    regex: '[A-Z][a-z]*'
    ignore:
     - 'Alice'
     - 'Bob'

A reasonable minimum for IPs is to ignore your local IPs, and your internet gateway.

{
 patterns: {
   name: {
     type: 'ip',
     ignore: [
       '127.0.0.1',
       '::1',
       // add your gateway here
     ],
   },
 },
}

patterns:
  name:
    type: 'ip'
    ignore:
     - '127.0.0.1'
     - '::1'
     # add your gateway here

ignoreregex

A list of regexes to ignore.

Each regex must match the full Match.

{
  patterns: {
    name: {
      regex: '[A-Z][a-z]*',
      ignoreregex: [
        # Ignore names starting with Chr
        'Chr.*',
      ],
    },
  },
}

patterns:
  name:
    regex: '[A-Z][a-z]*'
    ignoreregex:
      # Ignore names starting with Chr
      - 'Chr.*'

Regex syntax is documented here

ignorecidr

Available since v2.2.0.

Only for patterns of an IP type.

A list of IP networks to ignore, with CIDR notation.

{
  patterns: {
    ip: {
      type: 'ip',
      ignorecidr: [
        '192.168.1.0/24',
        '2001:db8:2345:3456::/64',
      ],
    },
  },
}

patterns:
  ip:
    type: 'ip'
    ignorecidr:
      - '192.168.1.0/24'
      - '2001:db8:2345:3456::/64'

A reasonable minimum for IPs is to ignore the link-local range.

{
 patterns: {
   name: {
     type: 'ip',
     ignorecidr: [
       'fe80::/10',
     ],
   },
 },
}

patterns:
  name:
    type: 'ip'
    ignorecidr:
     - 'fe80::/10'

ipv4mask and ipv6mask

Available since v2.2.0.

Only for patterns of an IP type.

Group IP Matches by network.

IPv6 addresses are very cheap: malicious actors typically have 2^64 IPv6 addresses, with a /64 network mask. This is common even on residential IPs.

{
  patterns: {
    ip: {
      type: 'ip',
      ipv6mask: 64,
    },
  },
}

patterns:
  ip:
    type: 'ip'
    ipv6mask: 64

With this configuration, these IPv6 addresses will be grouped:

2001:db8:2345:3456::1
2001:db8:2345:3456::2
2001:db8:2345:3456::3

And the corresponding action will be run with the network mask:

2001:db8:2345:3456::/64

This is also possible for IPv4. Be careful doing this! Some actors may have only 1, 2 or 4 IPs from a range, so this may be a bad idea.

{
  patterns: {
    ip: {
      type: 'ip',
      ipv4mask: 30, // 24 ...
      ipv6mask: 64,
    },
  },
}

patterns:
  ip:
    type: 'ip'
    ipv4mask: 30 # 24 ...
    ipv6mask: 64

  • ipv4mask only makes sense with patterns of type ip and ipv4.
  • ipv6mask only makes sense with patterns of type ip and ipv6.
  • ipv6mask only makes sense with patterns of type ip and ipv6.
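
To preview which addresses a given ignore, ignorecidr, ipv4mask and ipv6mask combination would drop or group together, here is an added Python example. It is not reaction's own code: the function names, the sample addresses, checking the ignore lists before masking, and keeping unmasked addresses as-is are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed settings mirroring the fields documented on this page.
IGNORE = ["127.0.0.1", "::1"]
IGNORECIDR = ["192.168.1.0/24", "fe80::/10"]


def group_key(raw, ignore=IGNORE, ignorecidr=IGNORECIDR, ipv4mask=30, ipv6mask=64):
    """Return the key a Match would be grouped under, or None if it is ignored."""
    addr = ipaddress.ip_address(raw)
    # Assumption: ignore lists are checked on the address before any masking.
    # Values are compared as parsed addresses, so '::1' equals '0:0:0:0:0:0:0:1'.
    if any(addr == ipaddress.ip_address(v) for v in ignore):
        return None
    # strict=True rejects malformed entries and entries with host bits set.
    for cidr in ignorecidr:
        net = ipaddress.ip_network(cidr, strict=True)
        if net.version == addr.version and addr in net:
            return None
    mask = ipv4mask if addr.version == 4 else ipv6mask
    if mask is None:
        return str(addr)  # assumption: without a mask the address is kept as-is
    # strict=False zeroes the host bits, giving the enclosing network.
    return str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))


def group_matches(raws, **cfg):
    """Count Matches per group key, dropping ignored addresses."""
    keys = (group_key(r, **cfg) for r in raws)
    return Counter(k for k in keys if k is not None)


# Constructed sample Matches (documentation and private ranges).
SAMPLE = [
    "2001:db8:2345:3456::1", "2001:db8:2345:3456::2", "2001:db8:2345:3456::3",
    "2001:db8:2345:3457::1",
    "203.0.113.1", "203.0.113.2", "203.0.113.5",
    "192.168.1.20", "fe80::1", "127.0.0.1",
]

if __name__ == "__main__":
    for key, count in group_matches(SAMPLE).items():
        print(f"{count:2d}  {key}")
```

With ipv4mask set to 30, 203.0.113.1 and 203.0.113.2 share a group while 203.0.113.5 lands in the neighbouring /30, which shows how quickly an IPv4 mask widens what a single action affects.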