Help with custom regex rules

firewallman
Junior Member
Posts: 27
Joined: 10 Apr 2007, 21:24

Re: Help with custom regex rules

Post by firewallman »

I just made them so it is too early to tell yet.

The YLMF-PC change you gave me yesterday works!
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: Help with custom regex rules

Post by Sergio »

Good to know.
Let me know if the recent changes worked for you.
firewallman
Junior Member
Posts: 27
Joined: 10 Apr 2007, 21:24

Re: Help with custom regex rules

Post by firewallman »

Sergio, everything works fine! The modified rules worked for courier, and yesterday I converted to dovecot and they work for dovecot also!

Thank you very much for your help.
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: Help with custom regex rules

Post by Sergio »

no problem.
firewallman
Junior Member
Posts: 27
Joined: 10 Apr 2007, 21:24

Re: Help with custom regex rules

Post by firewallman »

Sergio I may have spoke too soon. It seems that dovecot logs slightly different for the set_id failures than courier did on my server.

Would you take a look at these two log lines from failed set_id logins and see if you can adapt your SETID custom rule to it?

2015-06-16 16:01:56 [31120] dovecot_login authenticator failed for 173.192.176.184-static.reverse.softlayer.com ([10.100.1.6]) [173.192.176.184]:57853 I=[69.xxx.xxx.xxx]:587: 535 Incorrect authentication data (set_id=test@domainname.com)

2015-06-16 14:41:40 [18074] dovecot_login authenticator failed for (USER) [134.19.215.226]:52876 I=[69.xxx.xxx.xxx]:25: 535 Incorrect authentication data (set_id=test@anotherdomain.com)


Your custom rule I am trying to use:

if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /\S+\s+\S+\s+dovecot_login authenticator failed for \(\[?\S+\]?\) \[(\S+)\]:\d+: \d+ Incorrect authentication data \(set_id=(a|aaaaaa|aamaro|aaron|abc1?2?3?|abel?|access|accounti?n?g?s?|acer?|b?e?s?admi?n?|administracion1|advent|advertising|agency|antigua|apple|asus|avahi|bank|ba?c?kupe?p?p?c?x?e?c?|bbuser|benq|biblioteca|bill|business|bux|carlos|charles|ciclobasico|clamav|clevo|clients?|comenta?|compaq|confirm|confixx|consult|contactu?s?|controller|copier|customer|cvsadmin|cvsroot|cyrus|daemon|data|david|dbadmin|demo|dell|dialer|director|dnscache|doctor|doel|download|drweb|edi|edition|edu|esalguero|estudioazurdia|everest|expe?o?rt|falcon|fax|finance|franciscos|ftp|ftpuser|fujitsu|games|gigabyte|gonzalo.mejia|guest|helpdesk|holding|home|hp|ibm|ice|iloveyou|imac|info|install|internet|iphone|jabber|jc|jefaturaventas|jeremy|jgarcia|job|john|jorge|jude|kattytoc|kim|laboratorio|ldap|lenovo|lsarmiento|lschoenstedt|manager|margarita|marketing|monkey|mpalma|municipal|multimedia|news|newsletter|nobody|office|pastores|pos|postmaster|princess|printer|PXF.info|reception|sales|samsung|scann?e?r?|security|shadow|shop|spam|student|sunshine|support|sys|tech|temp|test1?u?s?e?r?|toshiba|training|user1?s?|wzarate|xerox)\)/)) {
return ("smtp_auth attack",$1,"SecmasSETID","1","1");
}
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: Help with custom regex rules

Post by Sergio »

As I said before, you have to modify the regex for this to work, replace this:
/\S+\s+\S+\s+dovecot_login authenticator failed for \(\[?\S+\]?\) \[(\S+)\]:\d+: \d+ Incorrect authentication data \(set_id=

by this:
/\S+\s+\S+\s+.*_login authenticator failed for.*\(\[?\S+\]?\) \[(\S+)\]:\d+.*Incorrect authentication data \(set_id=

You already made the modification, continue using the rules with the changes I suggested.

Sergio
firewallman
Junior Member
Posts: 27
Joined: 10 Apr 2007, 21:24

Re: Help with custom regex rules

Post by firewallman »

Sergio wrote:As I said before, you have to modify the regex for this to work, replace this:
/\S+\s+\S+\s+dovecot_login authenticator failed for \(\[?\S+\]?\) \[(\S+)\]:\d+: \d+ Incorrect authentication data \(set_id=

by this:
/\S+\s+\S+\s+.*_login authenticator failed for.*\(\[?\S+\]?\) \[(\S+)\]:\d+.*Incorrect authentication data \(set_id=

You already made the modification, continue using the rules with the changes I suggested.

Sergio
Hmmm, I already had it that way and the two log lines from yesterday that I just posted got by it.

I only re-posted your original SETID rule so you would know which one I was referring to. I had already made the previous changes you suggested.

Below is what I have now and have had since you gave me the modification last week and it appears to be identical to what you just posted:


if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /\S+\s+\S+\s+.*_login authenticator failed for.*\(\[?\S+\]?\) \[(\S+)\]:\d+.*Incorrect authentication data \(set_id=(a|aaaaaa|aamaro|aaron|abc1?2?3?|abel?|access|accounti?n?g?s?|acer?|b?e?s?admi?n?|administracion1|advent|advertising|agency|antigua|apple|asus|avahi|bank|ba?c?kupe?p?p?c?x?e?c?|bbuser|benq|biblioteca|bill|business|bux|carlos|charles|ciclobasico|clamav|clevo|clients?|comenta?|compaq|confirm|confixx|consult|contactu?s?|controller|copier|customer|cvsadmin|cvsroot|cyrus|daemon|data|david|dbadmin|demo|dell|dialer|director|dnscache|doctor|doel|download|drweb|edi|edition|edu|esalguero|estudioazurdia|everest|expe?o?rt|falcon|fax|finance|franciscos|ftp|ftpuser|fujitsu|games|gigabyte|gonzalo.mejia|guest|helpdesk|holding|home|hp|ibm|ice|iloveyou|imac|info|install|internet|iphone|jabber|jc|jefaturaventas|jeremy|jgarcia|job|john|jorge|jude|kattytoc|kim|laboratorio|ldap|lenovo|lsarmiento|lschoenstedt|manager|margarita|marketing|monkey|mpalma|municipal|multimedia|news|newsletter|nobody|office|pastores|pos|postmaster|princess|printer|PXF.info|reception|sales|samsung|scann?e?r?|security|shadow|shop|spam|student|sunshine|support|sys|tech|temp|test|test1?u?s?e?r?|toshiba|training|user1?s?|wzarate|xerox)\)/)) {
return ("smtp_auth attack",$1,"SecmasSETID","1","1");
}

Here are the two log lines that the above didn't catch:


2015-06-16 16:01:56 [31120] dovecot_login authenticator failed for 173.192.176.184-static.reverse.softlayer.com ([10.100.1.6]) [173.192.176.184]:57853 I=[69.xxx.xxx.xxx]:587: 535 Incorrect authentication data (set_id=test@domainname.com)

2015-06-16 14:41:40 [18074] dovecot_login authenticator failed for (USER) [134.19.215.226]:52876 I=[69.xxx.xxx.xxx]:25: 535 Incorrect authentication data (set_id=test@anotherdomain.com)
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: Help with custom regex rules

Post by Sergio »

Ok,if you see the sample logs in my regex it shows:
2014-02-18 14:53:52 dovecot_login authenticator failed for (127.0.0.1) [67.222.134.114]:51435: 535 Incorrect authentication data (set_id=admin)
2014-02-20 11:45:27 dovecot_login authenticator failed for (127.0.0.1) [67.222.134.215]:64421: 535 Incorrect authentication data (set_id=admin)
So, this rule will only catch "(set_id=test)" without an "@.....", and your log lines shows:
2015-06-16 16:01:56 [31120] dovecot_login authenticator failed for 173.192.176.184-static.reverse.softlayer.com ([10.100.1.6]) [173.192.176.184]:57853 I=[69.xxx.xxx.xxx]:587: 535 Incorrect authentication data (set_id=test@domainname.com)
2015-06-16 14:41:40 [18074] dovecot_login authenticator failed for (USER) [134.19.215.226]:52876 I=[69.xxx.xxx.xxx]:25: 535 Incorrect authentication data (set_id=test@anotherdomain.com)
If you want the rule to block your logs, change this:
|xerox)\)/)) to |xerox)\@/))
you have to be careful as this could give a lot of FP.

Sergio
firewallman
Junior Member
Posts: 27
Joined: 10 Apr 2007, 21:24

Re: Help with custom regex rules

Post by firewallman »

So changing |xerox)\)/)) to |xerox)\@/)) will match any domain name after the @ that has one of the setids listed in the array?
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: Help with custom regex rules

Post by Sergio »

yes, right.
Post Reply