newbie using regex.custom.pm

edwardsmarkf
Junior Member
Posts: 32
Joined: 05 Oct 2013, 16:32

Re: newbie using regex.custom.pm

Post by edwardsmarkf »

Sergio - I believe the date string [04/Apr/2014:02:01:45 -0400] cannot be matched with \S+ since it contains semicolons, dashes and spaces, so I used .+ instead.

this seems to be working:

Code:

#50.22.3.226 - - [04/Apr/2014:02:01:45 -0400] "POST /wp-login.php HTTP/1.0" 500 534 "-" "-"
#50.22.3.226 - - [04/Apr/2014:02:01:50 -0400] "POST /wp-login.php HTTP/1.0" 403 214 "-" "-"

# status must be written as an alternation: [500,403] is a character class that matches a single '5', '0', ',', '4' or '3'
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /(\S+) - - \[(.+)\] "POST \/wp-login\.php HTTP\S+" (?:500|403)\b/)) {
    #if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /(\S+) - - \[([\S+,\s])\] "POST \/wp-login\.php HTTP\S+" [500,403]/)) {
    #if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /(\S+) - - \[\S+\] "POST \/wp-login\.php \S+" 500/)) {
    # debug trace: IP ($1) and timestamp ($2) of every matched line
    open (LOGFILE, '>>/tmp/regex.custom.pm.log');
    print LOGFILE localtime(time) . ' - ' . $1 . ' - ' . $2 . "\n";
    close (LOGFILE);
    return ("Failed wp-login.php login from",$1,"wp-login.php","1","80","60");
}
Advice to newbies: write this out first to make sure your regex works properly:

Code:

#!/usr/bin/perl
use strict;
use warnings;

#my $line = '50.22.3.226 - - [04/Apr/2014:02:01:45 -0400] "POST /wp-login.php HTTP/1.0" 500 534 "-" "-"';
my $line = '50.22.3.226 - - [04/Apr/2014:02:01:50 -0400] "POST /wp-login.php HTTP/1.0" 403 214 "-" "-"';

# (?:500|403) matches the whole status code; [500,403] would match a single character
if ( ($line =~ /(\S+) - - \[(.+)\] "POST \/wp-login\.php HTTP\S+" (?:500|403)\b/)) {
    print ("Failed wp-login.php login from",$1,"wp-login.php","1","80","60");
}
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: newbie using regex.custom.pm

Post by Sergio »

I have created a lot of regex rules, I have some showing in my sticky at viewtopic.php?f=6&t=7517 and in all of them I use the date with the \S+ without any issues, maybe your OS is different than the one that I use. But if your rule is working now, that is good, as I mentioned earlier "as I don't have a way to test these rules myself, use my rule as a starting point".

Glad to know that you are now blocking those pesky IPs.
edwardsmarkf
Junior Member
Posts: 32
Joined: 05 Oct 2013, 16:32

Re: newbie using regex.custom.pm

Post by edwardsmarkf »

Code:

#examples from the virtualmin log file:

#50.22.3.226 - - [04/Apr/2014:02:01:50 -0400] "POST /wp-login.php HTTP/1.0" 403 214 "-" "-"

#184.170.142.193 - - [04/Apr/2014:13:27:22 -0400] "GET /wp-login.php HTTP/1.1" 403 214 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36"

# (POS|GE)T matches POST or GET; (?:500|403) matches the whole status code ([500,403] would match a single character)
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /(\S+) - - \[(.+)\] "(POS|GE)T \/wp-login\.php HTTP\S+" (?:500|403)\b/)) {
    # debug trace of every matched line
    open (LOGFILE, '>>/tmp/regex.custom.pm.log');
    print LOGFILE localtime(time) . ' -- ' . $line  . "\n";
    close (LOGFILE);
    return ('Failed wp-login.php login from ',$1,"wp-login.php","1","80","3600");
}
According to the Perl documentation, backslash-S only catches non-space characters:
http://perldoc.perl.org/perlre.html
\S Match a non-whitespace character
If I were more motivated, I would write a regex that actually looks for the date as well, and follow it with a slash-x, so I could include regex comments as well. But I am going to chalk this up as a 'win' for now!

THANK YOU AGAIN FOR ALL YOUR GRACIOUS HELP !
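An added example (not from this thread or from the firewall's own rule file) of the more explicit rule the post above hints at: it matches the timestamp field by its shape, uses the /x modifier so each part of the pattern carries a comment, and uses alternation for the status code, because `[500,403]` is a character class that matches one character rather than the string 500 or 403. The log lines are constructed, and the return tuple copies the shape used by the rules earlier in the thread.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample lines in the Apache combined format quoted in this thread.
my @lines = (
    '50.22.3.226 - - [04/Apr/2014:02:01:50 -0400] "POST /wp-login.php HTTP/1.0" 403 214 "-" "-"',
    '184.170.142.193 - - [04/Apr/2014:13:27:22 -0400] "GET /wp-login.php HTTP/1.1" 403 214 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [04/Apr/2014:13:30:00 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"',
    '198.51.100.7 - - [04/Apr/2014:13:31:00 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "-"',
);

# /x ignores literal whitespace in the pattern and allows # comments inside it.
my $wp_login_fail = qr{
    ^(\S+)                          # 1: client IP
    \s+ \S+ \s+ \S+ \s+             # identd and auth user, normally "- -"
    \[ (                            # 2: timestamp, matched by shape, not .+
        \d{2}/[A-Z][a-z]{2}/\d{4}   #    day/Mon/year
        :\d{2}:\d{2}:\d{2}          #    hh:mm:ss
        \s [+-]\d{4}                #    UTC offset, e.g. -0400
    ) \]
    \s+ "(POST|GET) \s /wp-login\.php \s HTTP/\d\.\d"   # 3: method
    \s+ (500|403) \b                # 4: status; alternation, not a character class
}x;

sub check_line {
    my ($line) = @_;
    return unless $line =~ $wp_login_fail;
    my ($ip, $when, $method, $status) = ($1, $2, $3, $4);
    print STDERR "$when $method -> $status from $ip\n";   # debug trace, like the /tmp log above
    # Same return shape as the rules in this thread:
    # message, IP to block, app name, trigger count, port, block TTL in seconds
    return ("Failed wp-login.php login from", $ip, "wp-login.php", "1", "80", "3600");
}

for my $line (@lines) {
    my @rule = check_line($line);
    print @rule ? "MATCH  $rule[1]\n" : "ignore $line\n";
}
```

The 302 line (a redirect after a successful WordPress login) and the index.php line are not matched, which is what the explicit status alternation buys over `[500,403]`.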
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: newbie using regex.custom.pm

Post by Sergio »

In the regex that I create:
\S+ = one or more characters (capital S)
\s+ = one or more spaces (lower s)
\S = only one character (capital S)
\s = only one space (lower s)
I am kind of lazy and that is how I usually create my regex, but I think that you can use the notation that you like if it complies with regex, and the best is if it works for you.

When I create a regex I use http://regexpal.com/ to test it, it is a really nice site.
edwardsmarkf
Junior Member
Posts: 32
Joined: 05 Oct 2013, 16:32

Re: newbie using regex.custom.pm

Post by edwardsmarkf »

Sergio - that website you shared looks like it's more focused on jscript, while Perl has a few extra regex extensions of its own.

But things seem to be working fine thanks to your help.

I have contacted the new pope to nominate you for sainthood. He told me you and I can call him Fran from now on.