custom rules doesn't work.

Post Reply
stormsurfer
Junior Member
Posts: 2
Joined: 25 Jun 2016, 11:03

custom rules doesn't work.

Post by stormsurfer »

hello

regex.custom.pm has:

Code: Select all

        if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /ModSecurity.*Warning. Operator GT matched 3 at IP/)) {
                return ("mod_security wp_login triggered by",$1,"wplogin","1","80,443","1");
        }
        if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /ModSecurity: Warning. Pattern match "200" at RESPONSE_STATUS/)) {
                return ("mod_security wp_login triggered by",$1,"wplogin","3","80,443","1");
        }
csf.conf has CUSTOM1_LOG=/usr/local/apache/logs/error_log


and the log file has this 2 entries:
[Sat Jun 25 12:58:51.220882 2016] [:error] [pid 203056:tid 140331022472960] [client 180.150.230.16] ModSecurity: Warni Pattern match "200" at RESPONSE_STATUS. [file "/usr/local/apache/conf/modsec/12_asl_brute.conf"] [line "61"] [id "377"] [rev "2"] [msg "Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure "] [severity "CRCAL"] [tag "no_ar"] [hostname "hashvil.com"] [uri "/wp-login.php"] [unique_id "V25V2cBzH1wAAxkwthQAAAEV"]
[Sat Jun 25 12:58:51.209737 2016] [:error] [pid 231688:tid 140331085412096] [client 180.150.230.16] ModSecurity: Warni Operator GT matched 3 at IP:bf_counter. [file "/usr/local/apache/conf/modsec/wp_brute.conf"] [line "11"] [id "10013"]ostname "hashvil.co.il"] [uri "/wp-login.php"] [unique_id "V25V2cBzH1wAA4kI3QQAAAFP"]
it should have blocked the second quota on the third accourance and the first quota on the first accourance but it doesn't.

I restarted lfd after changes.
stormsurfer
Junior Member
Posts: 2
Joined: 25 Jun 2016, 11:03

Re: custom rules doesn't work.

Post by stormsurfer »

never mind, I changed the regex to:

/\[client (\d+\.\d+\.\d+\.\d+)\] ModSecurity.*Warning. Operator GT matched 3 at IP/)

now it works.
Post Reply