Help with custom regex rules

Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: Help with custom regex rules

Post by Sergio »

Sorry for the delay, I have been busy setting up my new server.

Lehels, your regex rule is no good, the "echo" will be triggered any time and is not a good indicator that your rule "is working", as it is not.

As I said before, you need to escape all the "(" and ")" and only left one pair not escaped that the regex rule will call $1.

Code: Select all

if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /^\S+\s+\S+\s+(\[\d+\] )?(\S+) authenticator failed for \S+ (.*)?\[(\S+)\](:\S*:?)? 535 Incorrect authentication data (\(set_id=(\S+)\))?/)) {
      `echo "IS MATCHED" > /tmp/test`;
      return ("Failed SMTP authentication",$1,"dovecotplain","5","25","1");
}
Look at your code and tell me, How many not escaped pairs "()" are?
Which one contains the IP that you want to block?
I recommend you to delete the "echo" line as it is not a way to tell if the rule is working or not.
lehels
Junior Member
Posts: 27
Joined: 09 Jul 2007, 07:58

Re: Help with custom regex rules

Post by lehels »

Indeed, worked great @Sergio - thanks much!
- the following two worked out for me:

Code: Select all

/^\S+\s+\d+\S+ \[\d+\] H\=\(ylmf\-pc\) \[(\S+)\](:\S*:?) rejected EHLO or HELO ylmf\-pc\: HELO\/EHLO \- blacklisted HELO/

/^\S+\s+\d+\S+ \[\d+\] dovecot\_plain authenticator failed for \(.*\) \[(\S+)\](:\S*:?)? 535 Incorrect authentication data \(set\_id\=(\S+)\)/
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: Help with custom regex rules

Post by Sergio »

Great!! glad it worked.

Sergio
Post Reply