Need some help with regex.custom.pm.

[Wil Scarlet]

I am trying to get the following to work under one rule:

Code: Select all

Jun 19 09:36:02 SERVER wp(SITE)[20246]: Authentication attempt for unknown user Admin from IP
Jun 20 19:03:38 SERVER wp(SITE)[2740]: XML-RPC authentication failure from IP
Jun 20 08:13:55 SERVER wp(SITE)[9518]: Authentication failure for admin from IP
Jun 21 14:49:46 SERVER wordpress(SITE)[14990]: XML-RPC authentication failure for admin from IP
Jun 21 14:49:48 SERVER wordpress(SITE)[14995]: Authentication failure for admin from IP

SERVER is the hostanme, SITE is the sites domain name, and IP is the IP address from the attacker.

So the following works when testing from perl itself (testing concept borrowed from another post):

Code: Select all

#!/usr/local/cpanel/3rdparty/bin/perl
#$line = 'Jun 21 14:49:46 SERVER wordpress(SITE)[14990]: XML-RPC authentication failure for admin from IP';
#$line = 'Jun 20 08:14:31 SERVER wp(globalmotherdivine.org)[9711]: Authentication failure for daiello from IP';
#$line = 'Jun 19 09:36:02 SERVER wp(fairfieldinfocenter.org)[20246]: Authentication attempt for unknown user Admin from IP';
$line = 'Jun 20 19:03:38 SERVER wp(SITE)[2740]: XML-RPC authentication failure from IP';

if ( ($line =~ /w(ord)?p(ress)?.*: (XML-RPC )?(A|a)uthentication failure (for( unknown user)? .* )?from (\S+)/)) {
  print ("Failed wp-login.php login from",$1,"wp-login.php","1","80","60");
}

But when I place the following line in regex.custom.pm it doesn't work:

Code: Select all

if (($lgfile eq $config{SYSLOG_LOG}) and ($line =~ /w(ord)?p(ress)?.*: (XML-RPC )?(A|a)uthentication failure (for( unknown user)? .* )?from (\S+)/)) {
      return ("Failed WordPress login from",$1,"wordpressbf","5","80,443","3600");
}

Regex is not my strong suite and I would appreciate some help. If more information is needed, just let me know.

[NotLim]

Try with:

Code: Select all

# WP
        if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\w{3}\ \d{2}\ \d{2}\:\d{2}\:\d{2}\ SERVER (wp|wordpress)\(.*\)\[\d+\]\:\ .*\ from\ (\S+)$/)) {
                        return ("Failed WordPress login from",$2,"wordpressbf","5","80;tcp,443;tcp","3600");
        }

I did the tests with:

Code: Select all

Jun 19 09:36:02 SERVER wp(globalmotherdivine.org)[20246]: Authentication attempt for unknown user Admin from 1.2.3.4
Jun 20 19:03:38 SERVER wp(asdsasadsa.me)[2740]: XML-RPC authentication failure from 2.3.4.5
Jun 20 08:13:55 SERVER wp(www.adssadsasda.es)[9518]: Authentication failure for admin from 3.4.5.6
Jun 21 14:49:46 SERVER wordpress(sdasadsa.tld)[14990]: XML-RPC authentication failure for admin from 4.5.6.7
Jun 21 14:49:48 SERVER wordpress(sadsasda.ar)[14995]: Authentication failure for admin from 7.8.9.1

remember to set CUSTOM_LOG1

[Sergio]

Your rule was fine, just the $1 was not set properly.
In this type of REGEX rules each paif of ( ) is one definition or $n, so, you have 7 pairs of "( )" or $1 to $7 and the one that has the IP number is the $7, so, just change $1 for $7 in your REGEX like this:

if (($lgfile eq $config{SYSLOG_LOG}) and ($line =~ /w(ord)?p(ress)?.*: (XML-RPC )?(A|a)uthentication failure (for( unknown user)? .* )?from (\S+)/)) {
return ("Failed WordPress login from",$7,"wordpressbf","5","80,443","3600");
}

You can stream down definitions if you use "/i" at the of your REGEX, "/i" means that capitalized doesn't matter, so, you can have a better REGEX like this:

if (($lgfile eq $config{SYSLOG_LOG}) and ($line =~ /w(ord)?p(ress)?.*: (XML-RPC )?Authentication failure (for( unknown user)? .* )?from (\S+)/i)) {
return ("Failed WordPress login from",$6,"wordpressbf","5","80,443","3600");
}

You can stream down more your regex using ".*" like this:

if (($lgfile eq $config{SYSLOG_LOG}) and ($line =~ /w(ord)?p(ress)?.*: (XML-RPC )?Authentication failure.*from (\S+)/i)) {
return ("Failed WordPress login from",$4,"wordpressbf","5","80,443","3600");
}

If you see on this last one, I have narrowed from 7 definitions up to 4.

Sergio

[sbdigitalstudio]

it easy to understand just go with the users manual and if some more issues are there than say that main issue and we will answer you