regex.custom.pm trigger trigger level and temporary value ignored

Post by jmginer »

Hello,


I have configured this regex.custom.pm:

# setup-config
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-admin\/setup-config\.php.*" /)) {
    return ("setup-config attack",$1,"setup-config","20","80,443","3600");
}

As you can see, the trigger level is 20 and the temporary value is 3600.

But the block is done on 10 triggers and 1800 seconds:

Time:     Sat Aug 19 18:22:32 2017 +0200
IP:       x.x.x.x
Failures: 10 (setup-config)
Interval: 1800 seconds
Blocked:  Temporary Block

1800 is my configured LF_INTERVAL value, but shouldn't the value defined in regex.custom.pm have priority?

How can I fix it? Is it a bug?

Thanks!!!

Re: regex.custom.pm trigger trigger level and temporary value ignored

Post by Sergio »

The rule doesn't look like it is well constructed.
How do you know what is inside Group 1?
It is very ambiguous to define "(\S+).*]", as you don't know what will be saved in that group.

Please copy the full log line to see if that is not the error.
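
What group 1 of the posted rule captures, as an added example that is not part of the original thread: the unanchored `(\S+)` takes the first whitespace-delimited token of the line, whatever the log format puts there. The sample log lines, the `$anchored` pattern and the assumption of Apache "combined" format with an IPv4 client are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Pattern exactly as posted in the thread.
my $posted = qr/(\S+).*] "\w*(?:GET|POST) \/wp-admin\/setup-config\.php.*" /;

# Assumed alternative (not from the thread): anchored to the start of an
# Apache "combined" line and capturing only a dotted-quad IPv4 first field.
my $anchored = qr/^(\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[[^\]]+\] "(?:GET|POST) \/wp-admin\/setup-config\.php[^"]*" /;

# Constructed sample lines; addresses come from documentation ranges.
my $req = '[19/Aug/2017:18:22:30 +0200] "GET /wp-admin/setup-config.php HTTP/1.1" 404 512 "-" "-"';
my @samples = (
    # Combined format: the client IP is the first field.
    [ 'combined',        "203.0.113.7 - - $req" ],
    # Virtual-host name logged first: the first field is a hostname.
    [ 'vhost-prefixed',  "www.example.com 203.0.113.7 - - $req" ],
    # IPv6 client: the posted rule captures it, the IPv4-only rule does not match.
    [ 'ipv6 client',     "2001:db8::1 - - $req" ],
);

for my $s (@samples) {
    my ($label, $line) = @$s;

    # A match in list context returns the capture groups, or an empty
    # list when the pattern does not match (leaving the variable undef).
    my ($loose)  = $line =~ $posted;
    my ($strict) = $line =~ $anchored;

    printf "%-15s posted: %-16s anchored: %s\n",
        $label,
        defined $loose  ? $loose  : 'no match',
        defined $strict ? $strict : 'no match';
}
```

Running the rule against a real line from the monitored log in the same way shows what would be passed to csf as the address to block.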