Hi,
I'm starting to make a rule for csf to block IPs that fail Asterisk SIP user login.
This is the log line:
[Apr 10 14:01:18] NOTICE[16683] chan_sip.c: Registration from '"8260" <sip:8260@111.111.111.111:5060>' failed for '2.2.2.2:5075' - No matching peer found
111.111.111.111 is the Asterisk server IP
2.2.2.2 is the IP of the attack source
log file: /var/log/asterisk/full
I created this regex, but in my tests it does not work.
if (($lgfile eq $config{CUSTOM3_LOG}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] NOTICE\[\S+\] chan_sip\.c: Registration from \'\"\S+\" <sip:\S+\@\S+>\' failed for \'\S+\:\S+' - No matching peer found/)) {
return ("Error Sip Autentication",$1,"SIPRegistrationFailed","1","1");
}
In csf.conf:
CUSTOM3_LOG = "/var/log/asterisk/full"
Can anybody help me?
Thanks
Regex Rule for Asterisk
Re: Regex Rule for Asterisk
Try this:
# The timestamp "[Apr 10 14:01:18]" contains spaces, so it is matched with [^\]]+ rather than \S+.
# $1 captures the source IP from the "failed for" field.
if (($lgfile eq $config{CUSTOM3_LOG}) and ($line =~ /\[[^\]]+\] NOTICE\[\S+\] chan_sip\.c: Registration from \'\"\S+\" <sip:\S+\@\S+>\' failed for \'(\S+)\:\S+' - No matching peer found/)) {
    return ("Error Sip Autentication",$1,"SIPRegistrationFailed","1","1");
}
and let me know if it works.
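A way to check a rule like this offline before loading it into csf, as an added example that is not part of the thread and is not csf's own code. The helper name `sip_fail_ip` and the two extra log lines are constructed for illustration, and the pattern is deliberately stricter than the one posted above: it is anchored at both ends and only captures a dotted-quad IPv4 address from the "failed for" field.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Log line quoted in the question (the addresses are the poster's placeholders).
my $sample = q{[Apr 10 14:01:18] NOTICE[16683] chan_sip.c: Registration from '"8260" <sip:8260@111.111.111.111:5060>' failed for '2.2.2.2:5075' - No matching peer found};

# Timestamp part of the question's pattern: it expects five space-separated
# tokens inside the brackets, but "Apr 10 14:01:18" has only three.
my $five_tokens = qr/^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\]/;

# Hypothetical helper (not a csf function): source IP to block, or undef.
# The "Registration from" field is text supplied by the remote client, so
# the capture is taken only from the "failed for" field, restricted to a
# dotted quad, and the pattern is anchored at the start and end of the line.
sub sip_fail_ip {
    my ($line) = @_;
    return $1 if $line =~ /
        ^\[[^\]]+\]\s NOTICE\[\d+\]\s chan_sip\.c:\s
        Registration\s from\s '.*'\s
        failed\s for\s '(\d{1,3}(?:\.\d{1,3}){3}):\d+'\s
        -\s No\s matching\s peer\s found\s*$
    /x;
    return;
}

# The first entry is the line from the question; the other two are constructed.
my @tests = (
    [ 'line from the question'      => $sample ],
    [ 'constructed: unrelated line' => "[Apr 10 14:02:03] NOTICE[16683] chan_sip.c: Peer '8260' is now Reachable" ],
    [ 'constructed: no source IP'   => "[Apr 10 14:02:09] NOTICE[16683] chan_sip.c: Registration from '\"8260\"' failed for '' - No matching peer found" ],
);

printf "five-token timestamp matches: %s\n",
    ($sample =~ $five_tokens ? 'yes' : 'no');

for my $t (@tests) {
    my $ip = sip_fail_ip($t->[1]);
    printf "%-28s -> %s\n", $t->[0], defined $ip ? "block $ip" : 'no match';
}
```

Run it with `perl` against lines copied from /var/log/asterisk/full; a rule that returns no IP for a real failure line, or an IP for an unrelated line, should not go into csf.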