Help with custom regex rules

firewallman
Junior Member
Posts: 27
Joined: 10 Apr 2007, 21:24

Re: Help with custom regex rules

Post by firewallman »

Thank you Sergio!
Sergio
Junior Member
Posts: 1687
Joined: 12 Dec 2006, 14:56

Re: Help with custom regex rules

Post by Sergio »

That means it worked? :)
firewallman
Junior Member
Posts: 27
Joined: 10 Apr 2007, 21:24

Re: Help with custom regex rules

Post by firewallman »

Sergio wrote: That means it worked? :)
I don't know yet, but will let you know.
firewallman
Junior Member
Posts: 27
Joined: 10 Apr 2007, 21:24

Re: Help with custom regex rules

Post by firewallman »

Yes! The SETID custom regex rule is working now! It blocked one during the night. Thank you Sergio.
lehels
Junior Member
Posts: 27
Joined: 09 Jul 2007, 07:58

Re: Help with custom regex rules

Post by lehels »

Greetings! @Sergio, or anyone - can you please advise on the following rule I have:

if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /^\S+\s+\S+\s+(\S+) \S+ (\S+ )?\[(\S+)\](:)?(?:\S*)?(?:\s)?(?:\S*)?(?::)\d+ rejected EHLO or HELO ylmf-pc: HELO\/EHLO - blacklisted HELO/)) {
  return ("Failed SMTP from blacklisted HELO",$1,"ylmf","3","25","1");
}
CUSTOM2_LOG is set to /var/log/exim_rejectlog
LFD is watching it.

Sample logs:

2015-08-10 02:33:49 [25984] H=(ylmf-pc) [IP_ADDRESS]:33378 rejected EHLO or HELO ylmf-pc: HELO/EHLO - blacklisted HELO
2015-08-10 02:33:51 [25986] H=(ylmf-pc) [IP_ADDRESS]:33379 rejected EHLO or HELO ylmf-pc: HELO/EHLO - blacklisted HELO
...
LFD still doesn't detect it.
I've also tried the following:

if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ / dovecot_plain authenticator failed for /)) {
  return ("Failed SMTP authentication",$1,"dovecotplain","3","25","1");
}
For:

2015-08-10 03:39:11 [39521] dovecot_plain authenticator failed for () [IP_ADDRESS]:33942: 535 Incorrect authentication data (set_id=EMAIL_ADDRESS)
2015-08-10 03:39:18 [39521] dovecot_plain authenticator failed for () [IP_ADDRESS]:33942: 535 Incorrect authentication data (set_id=EMAIL_ADDRESS)
...
What am I missing?
I've tried updating both /usr/local/csf/bin/regex.custom.pm and /etc/csf/regex.custom.pm too, restarting csf/lfd; nothing seems to have any effect for some reason. Thanks!
Sergio
Junior Member
Posts: 1687
Joined: 12 Dec 2006, 14:56

Re: Help with custom regex rules

Post by Sergio »

Your rule:
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /^\S+\s+\S+\s+(\S+) \S+ (\S+ )?\[(\S+)\](:)?(?:\S*)?(?:\s)?(?:\S*)?(?::)\d+ rejected EHLO or HELO ylmf-pc: HELO\/EHLO - blacklisted HELO/)) {
return ("Failed SMTP from blacklisted HELO",$1,"ylmf","3","25","1");
}

Will never match:
2015-08-10 02:33:49 [25984] H=(ylmf-pc) [IP_ADDRESS]:33378 rejected EHLO or HELO ylmf-pc: HELO/EHLO - blacklisted HELO

as the parameters are not well defined. As per example, you have:
rule:
^\S+\s+\S+\s+(\S+) \S+ (\S+ )?\
message:
2015-08-10 02:33:49 [25984]
and that doesn't match.

It should be:
rule:
^\S+\s+\S+\s+\[\S+\]

So, the whole rule is not good for this message; you should start it over and make it match.

Also, you have a lot of "(" and ")" that are not escaped, and the only "(" and ")" that don't have to be escaped are the ones that refer to the IP that you want to block, as param $1 will get the info from the only ones not escaped. If you have more than one pair of "(" and ")", then you have $1, $2 and so on.
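As an added illustration of the points above (not the thread's rule and not CSF's own code): a stand-alone Perl script with the two rules rewritten so that the log prefix is matched as "date time [pid]", every literal "(" and ")" is escaped, and the only capturing group is the IP, so $1 is never empty. It is modelled on the custom_line sub of regex.custom.pm but takes just the line (no $lgfile), and the log lines and the address 203.0.113.5 are constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not the rule from the thread and not CSF/LFD code.
# The six-element return list follows the shape used in the thread:
# (description, IP, identifier, trigger count, port, block duration).
use strict;
use warnings;

# Constructed exim_rejectlog-style lines; 203.0.113.5 is a documentation address
# standing in for the thread's "[IP_ADDRESS]" placeholder.
my @lines = (
  '2015-08-10 02:33:49 [25984] H=(ylmf-pc) [203.0.113.5]:33378 rejected EHLO or HELO ylmf-pc: HELO/EHLO - blacklisted HELO',
  '2015-08-10 03:39:11 [39521] dovecot_plain authenticator failed for () [203.0.113.5]:33942: 535 Incorrect authentication data (set_id=user@example.com)',
  '2015-08-10 03:40:00 [39522] some unrelated rejectlog entry',
);

# Returns the six-element list when a rule matches, or an empty list otherwise.
# Each regex has exactly one capturing group, the IP, so it is always $1.
sub custom_line {
  my ($line) = @_;

  # Blacklisted HELO: prefix is "date time [pid]", then "H=(helo) [ip]:port".
  # The parens around the HELO name are literal and therefore escaped.
  if ($line =~ /^\S+\s+\S+\s+\[\d+\] H=\(\S+\) \[(\S+)\]:\d+ rejected EHLO or HELO \S+: HELO\/EHLO - blacklisted HELO/) {
    return ("Failed SMTP from blacklisted HELO", $1, "ylmf", "3", "25", "1");
  }

  # dovecot_plain failure: the text between "for" and the bracketed IP varies
  # (it is "()" in the thread), so it is matched lazily; the IP is still $1.
  if ($line =~ /^\S+\s+\S+\s+\[\d+\] dovecot_plain authenticator failed for .*?\[(\S+)\]:\d+: 535 Incorrect authentication data/) {
    return ("Failed SMTP authentication", $1, "dovecotplain", "3", "25", "1");
  }

  return ();
}

# Run the rules over the sample lines and show what LFD would receive.
for my $line (@lines) {
  my @hit = custom_line($line);
  if (@hit) {
    printf "match: %s -> ip=%s id=%s\n", $hit[0], $hit[1], $hit[2];
  } else {
    print "no match: $line\n";
  }
}
```

Running it prints a match with ip=203.0.113.5 for the first two lines and "no match" for the third; a rule whose $1 comes back empty here would give LFD nothing to block.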
lehels
Junior Member
Posts: 27
Joined: 09 Jul 2007, 07:58

Re: Help with custom regex rules

Post by lehels »

Thanks @Sergio, OK, I may not have posted the right rule here; however, I've tried with several other rules which I'm sure do work, and I was able to confirm this by simply adding an echo-to-a-file command in {} before the return function, and the file got created.

So, if the regex is good, what would be the reason LFD won't do anything?

The return() looks good, right?

return ("Failed SMTP from blacklisted HELO",$1,"ylmf","3","25","1");
(instead of 1, I've tried with eg. 300 too)

What else? How can I make sure, knowing I have a good regex that LFD would work, detect, block the IP and log to lfd.log?

Thanks much!
Sergio
Junior Member
Posts: 1687
Joined: 12 Dec 2006, 14:56

Re: Help with custom regex rules

Post by Sergio »

- Post 3 example log lines of what you want to block.
- Write the name of the log where you are getting these lines.
- Write the rule that you have created.
So I can review what you have done.
lehels
Junior Member
Posts: 27
Joined: 09 Jul 2007, 07:58

Re: Help with custom regex rules

Post by lehels »

I have two cases here, both seem to trigger the regex [the command before return() gets executed], but LFD doesn't seem to log or do anything:

https://gist.github.com/lehels/5743226f19e7eb733277
https://gist.github.com/lehels/eee1bb86ba96d2ff5ec9
lehels
Junior Member
Posts: 27
Joined: 09 Jul 2007, 07:58

Re: Help with custom regex rules

Post by lehels »

Let me know if you get a chance to take a look at it @Sergio, really appreciated. :) Thanks,