custom regex seems not working

sauvegardezvous99
Junior Member
Posts: 9
Joined: 27 Nov 2014, 01:29


Post by sauvegardezvous99 »

Hello there,

I have a server with a custom regexp, but the regexp does not seem to be applied.

Am I forgetting something?

CUSTOM2_LOg = "var/log/exim/reject.log"

regex example:


#!/usr/bin/perl
###############################################################################
# Copyright 2006-2016, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
sub custom_line {
	my $line = shift;
	my $lgfile = shift;

# Do not edit before this point
###############################################################################
#
# Custom regex matching can be added to this file without it being overwritten
# by csf upgrades. The format is slightly different to regex.pm to cater for
# additional parameters. You need to specify the log file that needs to be
# scanned for log line matches in csf.conf under CUSTOMx_LOG. You can scan up
# to 9 custom logs (CUSTOM1_LOG .. CUSTOM9_LOG)
#
# The regex matches in this file will supercede the matches in regex.pm
#
# Example:
#	if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ pure-ftpd: \(\?\@(\d+\.\d+\.\d+\.\d+)\) \[WARNING\] Authentication failed for user/)) {
#		return ("Failed myftpmatch login from",$1,"myftpmatch","5","20,21","1");
#	}
#
# The return values from this example are as follows:
#
# "Failed myftpmatch login from" = text for custom failure message
# $1 = the offending IP address
# "myftpmatch" = a unique identifier for this custom rule, must be alphanumeric and have no spaces
# "5" = the trigger level for blocking
# "20,21" = the ports to block the IP from in a comma separated list, only used if LF_SELECT enabled. To specify the protocol use 53;udp,53;tcp
# "1" = n/temporary (n = number of seconds to temporarily block) or 1/permanant IP block, only used if LF_TRIGGER is disabled

#Rules for match with: 
#2016-06-07 08:55:53 [5140] dovecot_plain authenticator failed for ([100.107.55.xxx]) [204.48.95.xxx]:1803 I=[149.56.133.xxx]:587: 535 Incorrect authentication data (set_id=jfgxxxxx@mj5coxxxxxxxion.com)
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /^.+dovecot_plain.+ \[(\S+)\].*/))  {

  return ("Failed dovecot_plain authenticator failed from",$1,"crackdepirate","1","1");

}

# If the matches in this file are not syntactically correct for perl then lfd
# will fail with an error. You are responsible for the security of any regex
# expressions you use. Remember that log file spoofing can exploit poorly
# constructed regex's
###############################################################################
# Do not edit beyond this point

	return 0;
}

1;

thank you for any tips.
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: custom regex seems not working

Post by Sergio »

Have you restarted LFD after you saved the regex?
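
An offline check for a custom rule like the one posted above, as an added example that is not part of the thread and not csf code: it runs the posted pattern and a tightened one over constructed log lines, then compares a return list against the six fields documented in the file's comments. The `check_rule` helper, the `$strict` pattern, the sample lines and the port list are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: offline check of a regex.custom.pm-style rule (not csf code).
use strict;
use warnings;

# Constructed log lines in the format quoted in the post (documentation IPs).
my $head = '2016-06-07 08:55:53 [5140] dovecot_plain authenticator failed for '
         . '([192.0.2.10]) [203.0.113.7]:1803 I=[198.51.100.5]:587: '
         . '535 Incorrect authentication data ';
my $sample  = $head . '(set_id=user@example.com)';
# Assumption: a client-supplied set_id with bracketed text reaches the log as-is.
my $spoofed = $head . '(set_id=x [198.51.100.99])';

# Pattern from the post, and a tightened variant (assumption, fits only the
# quoted format): anchored, fixed text, dotted-quad peer address before ":port".
my $posted = qr/^.+dovecot_plain.+ \[(\S+)\].*/;
my $strict = qr/^\S+ \S+ \[\d+\] dovecot_plain authenticator failed for \(\S*\) \[(\d+\.\d+\.\d+\.\d+)\]:\d+ /;

# Hypothetical helper: compare a rule's return list with the six documented
# fields (message, IP, identifier, trigger, ports, block type).
sub check_rule {
    my @ret = @_;
    my @problems;
    push @problems, 'expected 6 fields, got ' . scalar(@ret) unless @ret == 6;
    push @problems, 'IP is not a dotted quad'
        unless defined $ret[1] and $ret[1] =~ /^(?:\d{1,3}\.){3}\d{1,3}$/;
    push @problems, 'identifier must be alphanumeric'
        unless defined $ret[2] and $ret[2] =~ /^[A-Za-z0-9]+$/;
    return @problems;
}

# Which address does each pattern hand back for each line?
for my $case (['sample', $sample], ['bracketed set_id', $spoofed]) {
    for my $rule (['posted', $posted], ['strict', $strict]) {
        my ($ip) = $case->[1] =~ $rule->[1];
        printf "%-17s %-7s captured: %s\n", $case->[0], $rule->[0], $ip // '(no match)';
    }
}

# Return list as posted (five values) next to one carrying all six documented
# fields; the port list "25,465,587" is an assumed value.
my ($ip) = $sample =~ $strict;
my $msg  = 'Failed dovecot_plain authenticator failed from';
my %returns = (
    posted     => [$msg, $ip, 'crackdepirate', '1', '1'],
    six_fields => [$msg, $ip, 'crackdepirate', '1', '25,465,587', '1'],
);
for my $name (sort keys %returns) {
    my @p = check_rule(@{ $returns{$name} });
    print "$name return: ", (@p ? join('; ', @p) : 'ok'), "\n";
}
```

The greedy `.+` in the posted pattern takes the last space-bracket group on the line, so on the second constructed line it returns the bracketed text from `set_id` rather than the peer address; the anchored pattern returns the peer address on both lines.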