regex.custom.pm not triggering rule

Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

regex.custom.pm not triggering rule

Post by Sergio »

Hi Jonathan / Sarah,
I have declared the following custom rule in regex.custom.pm and it is not working:

Code:

	if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^\S+\s+\S+\s+dovecot\wlogin authenticator failed for \(ylmf\-pc/)) {
		return ("smtp_auth attack",$1,"SMTPYLMF","1","1");
	}
I have defined my CUSTOM2_LOG as /var/log/exim_rejectlog
I have double-checked the regex syntax with different compilers and all of them have detected the following lines that were copied from /var/log/exim_rejectlog:
2014-01-21 16:56:46 dovecot_login authenticator failed for (ylmf-pc) [59.50.173.179]:3266: 535 Incorrect authentication data
2014-01-21 20:02:14 dovecot_login authenticator failed for (ylmf-pc) [68.48.205.69]:4264: 535 Incorrect authentication data
2014-01-21 20:02:27 dovecot_login authenticator failed for (ylmf-pc) [68.48.205.69]:2062: 535 Incorrect authentication data
2014-01-21 20:02:37 dovecot_login authenticator failed for (ylmf-pc) [68.48.205.69]:2911: 535 Incorrect authentication data
2014-01-21 20:02:54 dovecot_login authenticator failed for (ylmf-pc) [68.48.205.69]:3473: 535 Incorrect authentication data
2014-01-21 20:03:05 dovecot_login authenticator failed for (ylmf-pc) [68.48.205.69]:4274: 535 Incorrect authentication data
2014-01-21 20:06:01 dovecot_login authenticator failed for (ylmf-pc) [68.48.205.69]:1715: 535 Incorrect authentication data
2014-01-22 09:09:24 dovecot_login authenticator failed for (ylmf-pc) [112.67.126.243]:1212: 535 Incorrect authentication data
2014-01-22 09:09:32 dovecot_login authenticator failed for (ylmf-pc) [112.67.126.243]:1466: 535 Incorrect authentication data
but regex.custom.pm has not been triggered.

Is there something that I am missing?

Your help is appreciated.

Regards,

Sergio
ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Re: regex.custom.pm not triggering rule

Post by ForumAdmin »

Your regex doesn't include detecting the IP address. Try, for example:

Code:

/^\S+\s+\S+\s+dovecot_login authenticator failed for \(ylmf-pc\) \[(\S+)\]/
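The point of the reply can be seen by running both regexes side by side. The script below is an added example, not code from this thread or from the csf/lfd project: it wraps the rule body as posted and the corrected one in two small subroutines and feeds them constructed exim_rejectlog lines (TEST-NET addresses, not real data). The calling convention (log file name and raw line in, a list with the IP in the second slot out) is an assumption modelled on the snippet in the first post, not lfd's actual internals.

```perl
#!/usr/bin/perl
# Added example: compare the originally posted regex with the corrected one
# on sample log lines. Not part of the forum thread or of csf/lfd itself.
use strict;
use warnings;

# Assumption: the custom rule receives the log file path and the raw line,
# and returns (rule name, ip, identifier, count, ...) as in the first post.
my %config = (CUSTOM2_LOG => '/var/log/exim_rejectlog');

# Rule as originally posted: the pattern matches the line, but it has no
# capture group, so $1 is undefined in the returned list.
sub rule_original {
    my ($lgfile, $line) = @_;
    if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^\S+\s+\S+\s+dovecot\wlogin authenticator failed for \(ylmf\-pc/)) {
        return ("smtp_auth attack", $1, "SMTPYLMF", "1", "1");
    }
    return;
}

# Rule with the capture group from the reply: the bracketed address is $1.
sub rule_fixed {
    my ($lgfile, $line) = @_;
    if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^\S+\s+\S+\s+dovecot_login authenticator failed for \(ylmf-pc\) \[(\S+)\]/)) {
        return ("smtp_auth attack", $1, "SMTPYLMF", "1", "1");
    }
    return;
}

# Constructed sample lines (TEST-NET addresses, not taken from a real log).
my @lines = (
    '2014-01-21 16:56:46 dovecot_login authenticator failed for (ylmf-pc) [203.0.113.10]:3266: 535 Incorrect authentication data',
    '2014-01-21 16:57:01 dovecot_login authenticator failed for (other-host) [203.0.113.11]:3267: 535 Incorrect authentication data',
    '2014-01-21 16:57:30 SMTP connection from [198.51.100.5]:40001 refused',
);

# Print what each rule hands back in the IP slot for every sample line.
for my $line (@lines) {
    my @orig  = rule_original($config{CUSTOM2_LOG}, $line);
    my @fixed = rule_fixed($config{CUSTOM2_LOG}, $line);
    printf "%-60.60s | original ip=%-9s | fixed ip=%s\n",
        $line,
        (@orig  ? (defined $orig[1]  ? $orig[1]  : 'undef') : 'no match'),
        (@fixed ? (defined $fixed[1] ? $fixed[1] : 'undef') : 'no match');
}
```

Run with `perl compare_rule.pl`: for the ylmf-pc line the original rule reports `ip=undef` while the fixed rule reports `203.0.113.10`; the other two lines match neither. Since lfd uses that second value as the address to count and block, a rule that matches the line but returns nothing there has nothing to act on, which is why the original pattern never appeared to fire.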
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: regex.custom.pm not triggering rule

Post by Sergio »

Thanks for your reply; I will certainly try it right away.

The weird thing is that my other rules are working without adding that; I will post the results.

Regards,

Sergio
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: regex.custom.pm not triggering rule

Post by Sergio »

It worked like a charm, thanks.

I will not forget to add the IP on future rules.

Regards,

Sergio