I have declared the following custom rule in regex.custom.pm and it is not working:
Code:
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^\S+\s+\S+\s+dovecot\wlogin authenticator failed for \(ylmf\-pc/)) {
return ("smtp_auth attack",$1,"SMTPYLMF","1","1");
}
I have double checked the regex syntax with different compilers and all of them have detected the following lines that were copied from /var/log/exim_rejectlog, but regex.custom.pm has not been triggered:
2014-01-21 16:56:46 dovecot_login authenticator failed for (ylmf-pc) [59.50.173.179]:3266: 535 Incorrect authentication data
2014-01-21 20:02:14 dovecot_login authenticator failed for (ylmf-pc) [68.48.205.69]:4264: 535 Incorrect authentication data
2014-01-21 20:02:27 dovecot_login authenticator failed for (ylmf-pc) [68.48.205.69]:2062: 535 Incorrect authentication data
2014-01-21 20:02:37 dovecot_login authenticator failed for (ylmf-pc) [68.48.205.69]:2911: 535 Incorrect authentication data
2014-01-21 20:02:54 dovecot_login authenticator failed for (ylmf-pc) [68.48.205.69]:3473: 535 Incorrect authentication data
2014-01-21 20:03:05 dovecot_login authenticator failed for (ylmf-pc) [68.48.205.69]:4274: 535 Incorrect authentication data
2014-01-21 20:06:01 dovecot_login authenticator failed for (ylmf-pc) [68.48.205.69]:1715: 535 Incorrect authentication data
2014-01-22 09:09:24 dovecot_login authenticator failed for (ylmf-pc) [112.67.126.243]:1212: 535 Incorrect authentication data
2014-01-22 09:09:32 dovecot_login authenticator failed for (ylmf-pc) [112.67.126.243]:1466: 535 Incorrect authentication data
Is there something that I am missing?
Your help is appreciated.
Regards,
Sergio
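
An offline check of the rule quoted above, as an added example that is not part of the original post: it runs the posted pattern over constructed log lines in the same format and reports whether each line matches and what $1 (the second value the rule returns) holds afterwards. The $variant pattern with a capture group, the check() helper and the sample addresses are assumptions made for the comparison.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample lines in the format quoted in the post
# (addresses are documentation-range placeholders, not the ones in the post).
my @lines = (
    '2014-01-21 16:56:46 dovecot_login authenticator failed for (ylmf-pc) [192.0.2.10]:3266: 535 Incorrect authentication data',
    '2014-01-21 20:02:14 dovecot_login authenticator failed for (ylmf-pc) [198.51.100.7]:4264: 535 Incorrect authentication data',
    '2014-01-21 20:05:00 dovecot_login authenticator failed for (mail.example.org) [203.0.113.5]:2525: 535 Incorrect authentication data',
);

# Pattern exactly as posted: it contains no capture group.
my $posted = qr/^\S+\s+\S+\s+dovecot\wlogin authenticator failed for \(ylmf\-pc/;

# Hypothetical variant (an assumption, not from the post): same prefix,
# plus a capture group around the bracketed source address.
my $variant = qr/^\S+\s+\S+\s+dovecot\wlogin authenticator failed for \(ylmf\-pc\) \[([^\]]+)\]:\d+:/;

# Returns (matched, captured): captured is undef when the pattern
# matched but defines no group 1.
sub check {
    my ($re, $line) = @_;
    if ($line =~ $re) {
        return (1, defined $1 ? $1 : undef);
    }
    return (0, undef);
}

for my $line (@lines) {
    print "$line\n";
    for my $case (['posted', $posted], ['variant', $variant]) {
        my ($name, $re) = @$case;
        my ($hit, $ip) = check($re, $line);
        printf "  %-8s match=%-3s \$1=%s\n",
            $name,
            $hit ? 'yes' : 'no',
            defined $ip ? $ip : '(undef)';
    }
}
```

On the two ylmf-pc lines the posted pattern matches but leaves $1 undefined, while the variant yields the bracketed address; the third line matches neither pattern.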