REGEX needed to block VULN ATTACKS upload&pass=wcwc2016&login=go

ntrance
Junior Member
Posts: 2
Joined: 05 Apr 2017, 13:25

REGEX needed to block VULN ATTACKS upload&pass=wcwc2016&login=go

Post by ntrance »

In my log file I have seen someone brute-forcing a lot of vulns; there are over 256 entries, but they only try twice for each attack, then try another vuln.

However the string of

"x=upload&mode=upload&upload=&ssp=RfVbHu&u=&action=upload&chdir=./&do=upload&pass=wcwc2016&login=go%21&H= "
is always present.

"GET /images/stories/a.php?x=upload&mode=upload&upload=&ssp=RfVbHu&u=&action=upload&chdir=./&do=upload&pass=wcwc2016&login=go%21&H= HTTP/1.1" 404 36553 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
What regex do I need to block this attack on the first attempt, i.e. if it detects the first code block string regardless of path?

I have already got the WP LOGIN and XMLRPC rules added to regex.custom.pm from this forum.
I am just not savvy enough to create my own regex.

Thanks.
Sergio
Junior Member
Posts: 1715
Joined: 12 Dec 2006, 14:56

Re: REGEX needed to block VULN ATTACKS upload&pass=wcwc2016&login=go

Post by Sergio »

To help you, you should copy the exact log line, so we know how to create a rule.
Also, you should tell us the name of the log where you are getting the log line.
ntrance
Junior Member
Posts: 2
Joined: 05 Apr 2017, 13:25

Re: REGEX needed to block VULN ATTACKS upload&pass=wcwc2016&login=go

Post by ntrance »

Hi Sergio,

The 2nd quote is the log line from the file; I just want to detect what's in the first quote in the domlogs and then instantly ban the person trying to exploit it.

Thanks for helping.
Sergio
Junior Member
Posts: 1715
Joined: 12 Dec 2006, 14:56

Re: REGEX needed to block VULN ATTACKS upload&pass=wcwc2016&login=go

Post by Sergio »

CSF doesn't work like this. CSF is an IP firewall, which means that what you will block is an IP, not an account or user.

The log lines should include an IP address, and what you provided doesn't show any IP.
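An added example (not from this thread, and not CSF's own regex.custom.pm code) of the detection logic the first post asks for and the last reply qualifies: a Python scan over constructed Apache-style domlog lines that matches the scanner's query string regardless of the requested path, and only reports a client IP when the line actually starts with one. It generalizes slightly beyond the posted string by letting the ssp= token and chdir= value vary (an assumption); the IP addresses and timestamps in the sample lines are constructed.

```python
import re

# Apache/cPanel "domlogs" combined format: the client IP is the first field,
# the request line is the first double-quoted string.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# The scanner's query string from the thread. Only the parameters are matched,
# never the path, so the rule fires for any script name. The ssp= token and the
# chdir= value are allowed to vary (assumption: they are not stable across scans).
SIGNATURE_RE = re.compile(
    r'\?x=upload&mode=upload&upload=&ssp=[^&]*&u=&action=upload'
    r'&chdir=[^&]*&do=upload&pass=wcwc2016&login=go(?:%21|!)',
    re.IGNORECASE,
)

def scan_line(line):
    """Return (ip, target) when a well-formed log line carries the signature, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # no leading IP field (e.g. a request pasted without it): nothing to block
    if not SIGNATURE_RE.search(m.group("target")):
        return None
    return m.group("ip"), m.group("target")

def ips_to_block(lines):
    """IPs seen with the signature at least once: one hit is enough to act on the first attempt."""
    return sorted({hit[0] for hit in map(scan_line, lines) if hit})

# Constructed sample lines; 203.0.113.7 and 198.51.100.9 are documentation addresses.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Apr/2017:13:25:01 +0000] "GET /images/stories/a.php?x=upload&mode=upload&upload=&ssp=RfVbHu&u=&action=upload&chdir=./&do=upload&pass=wcwc2016&login=go%21&H= HTTP/1.1" 404 36553 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"',
    '203.0.113.7 - - [05/Apr/2017:13:25:02 +0000] "GET /wp-content/uploads/b.php?x=upload&mode=upload&upload=&ssp=QqZz12&u=&action=upload&chdir=./&do=upload&pass=wcwc2016&login=go%21&H= HTTP/1.1" 404 36553 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [05/Apr/2017:13:26:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # The request exactly as pasted in the thread, with no leading IP field: it cannot be acted on.
    '"GET /images/stories/a.php?x=upload&mode=upload&upload=&ssp=RfVbHu&u=&action=upload&chdir=./&do=upload&pass=wcwc2016&login=go%21&H= HTTP/1.1" 404 36553 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip in ips_to_block(SAMPLE_LOG):
        print("block", ip)
```

Only the two lines that begin with a client IP and carry the signature produce a hit; the benign request and the IP-less line pasted in the thread are ignored.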