regex.custom.pm specific user trap


Post by Nerigal

Hi,

I made a regex to trap custom failures under dovecot, based on specific users that will never exist on my servers.

# Capture groups: $1 = "auth failed", $2 = remote IP taken from rip=
if (( $lgfile eq $config{CUSTOM3_LOG}) and ($line =~ /^\S+\s+\d+\s+\d+\:\d+\:\d+\s+[^\s\.]+\s+dovecot\:\s+pop3\-login\:\s+Disconnected\s+\((auth\s+failed)\,\s+\d+\s+attempts\)\: user\=\<(?:administrator|account|backup|bin|fax|newsletter|news|postgres|root|smtp|staff|training|user|www|web)\>\, method\=PLAIN\,\s+rip\=(\d+\.\d+\.\d+\.\d+), lip=/)) {
    # Fields: description, IP, app name, trigger count, ports, block flag
    return ("custom Failed POP3 login from","$2","pop3d","1","0:65535","1");
}

Actually it "works", because I see it in the lfd.log file, but the firewall never triggers at 1 fail as it should...
And LF_TRIGGER is set to 0.

Thanks

Re: regex.custom.pm specific user trap

Post by Nerigal

I think I found the answer myself, but I'm not sure yet...

In the lfd.conf:

    elsif ($app eq "pop3d") {$trigger = "LF_POP3D"}

So if your app name matches a known app in the lfd.pl, it will reset the trigger value with the config file trigger value.
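An offline check of the rule from the first post against sample log lines, as an added example that is not part of the thread or of csf. `check_line` is a hypothetical helper and the log lines are constructed; the run shows which lines the regex accepts, including that a dotted hostname in the syslog header fails the `[^\s\.]+` field.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Regex copied unchanged from the first post: $1 = "auth failed", $2 = rip.
my $re = qr/^\S+\s+\d+\s+\d+\:\d+\:\d+\s+[^\s\.]+\s+dovecot\:\s+pop3\-login\:\s+Disconnected\s+\((auth\s+failed)\,\s+\d+\s+attempts\)\: user\=\<(?:administrator|account|backup|bin|fax|newsletter|news|postgres|root|smtp|staff|training|user|www|web)\>\, method\=PLAIN\,\s+rip\=(\d+\.\d+\.\d+\.\d+), lip=/;

# Hypothetical helper: returns the post's six-element tuple, or an empty list.
sub check_line {
    my ($line) = @_;
    return unless $line =~ $re;
    my $ip = $2;    # copy the capture before another match can overwrite it
    return ("custom Failed POP3 login from", $ip, "pop3d", "1", "0:65535", "1");
}

# Constructed sample lines (documentation address ranges), not real logs.
# The first element says whether the rule is expected to fire.
my $head = 'dovecot: pop3-login: Disconnected (auth failed, 1 attempts):';
my $tail = 'method=PLAIN, rip=203.0.113.7, lip=192.0.2.10';
my @samples = (
    [ 1, "Jun 17 16:15:01 mail $head user=<administrator>, $tail" ],
    [ 1, "Jun  7 09:02:44 mail $head user=<news>, $tail" ],             # single-digit day
    [ 0, "Jun 17 16:15:02 mail $head user=<alice>, $tail" ],            # user not in the list
    [ 0, "Jun 17 16:15:03 mail $head user=<rootkit>, $tail" ],          # listed name as prefix only
    [ 0, "Jun 17 16:15:04 mail.example.com $head user=<root>, $tail" ], # dotted hostname
);

my $bad = 0;
for my $s (@samples) {
    my ($expect, $line) = @$s;
    my @hit = check_line($line);
    my $got = @hit ? 1 : 0;
    $bad++ if $got != $expect;
    printf "%-8s ip=%-12s %s\n", ($got ? "MATCH" : "no match"), ($hit[1] // "-"), $line;
}
die "$bad sample(s) did not behave as expected\n" if $bad;
```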