Re: Help with custom regex rules

Posted: 18 Jun 2015, 00:38
by firewallman
Thank you Sergio!

Re: Help with custom regex rules

Posted: 18 Jun 2015, 01:55
by Sergio
That means it worked? :)

Re: Help with custom regex rules

Posted: 18 Jun 2015, 02:08
by firewallman
Sergio wrote: That means it worked? :)
I don't know yet, but will let you know.

Re: Help with custom regex rules

Posted: 18 Jun 2015, 12:57
by firewallman
Yes! The SETID custom regex rule is working now! It blocked one during the night. Thank you Sergio.

Re: Help with custom regex rules

Posted: 13 Aug 2015, 09:37
by lehels
Greetings! @Sergio, or anyone - can you please advise on the following rule I have:

if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /^\S+\s+\S+\s+(\S+) \S+ (\S+ )?\[(\S+)\](:)?(?:\S*)?(?:\s)?(?:\S*)?(?::)\d+ rejected EHLO or HELO ylmf-pc: HELO\/EHLO - blacklisted HELO/)) {
  return ("Failed SMTP from blacklisted HELO",$1,"ylmf","3","25","1");
}
CUSTOM2_LOG is set to /var/log/exim_rejectlog
LFD is watching it.

Sample logs:

2015-08-10 02:33:49 [25984] H=(ylmf-pc) [IP_ADDRESS]:33378 rejected EHLO or HELO ylmf-pc: HELO/EHLO - blacklisted HELO
2015-08-10 02:33:51 [25986] H=(ylmf-pc) [IP_ADDRESS]:33379 rejected EHLO or HELO ylmf-pc: HELO/EHLO - blacklisted HELO
...
LFD still doesn't detect it.
I've also tried the following:

if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ / dovecot_plain authenticator failed for /)) {
  return ("Failed SMTP authentication",$1,"dovecotplain","3","25","1");
}
For:

2015-08-10 03:39:11 [39521] dovecot_plain authenticator failed for () [IP_ADDRESS]:33942: 535 Incorrect authentication data (set_id=EMAIL_ADDRESS)
2015-08-10 03:39:18 [39521] dovecot_plain authenticator failed for () [IP_ADDRESS]:33942: 535 Incorrect authentication data (set_id=EMAIL_ADDRESS)
...
What am I missing?
I've tried updating both /usr/local/csf/bin/regex.custom.pm and /etc/csf/regex.custom.pm too, restarting csf/lfd; nothing seems to have an effect for some reason. Thanks!

Re: Help with custom regex rules

Posted: 22 Aug 2015, 16:30
by Sergio
Your rule:
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /^\S+\s+\S+\s+(\S+) \S+ (\S+ )?\[(\S+)\](:)?(?:\S*)?(?:\s)?(?:\S*)?(?::)\d+ rejected EHLO or HELO ylmf-pc: HELO\/EHLO - blacklisted HELO/)) {
  return ("Failed SMTP from blacklisted HELO",$1,"ylmf","3","25","1");
}

Will never match:
2015-08-10 02:33:49 [25984] H=(ylmf-pc) [IP_ADDRESS]:33378 rejected EHLO or HELO ylmf-pc: HELO/EHLO - blacklisted HELO

as the parameters are not well defined. For example, you have:
rule:
^\S+\s+\S+\s+(\S+) \S+ (\S+ )?\
message:
2015-08-10 02:33:49 [25984]
and those don't match.

It should be:
rule:
^\S+\s+\S+\s+\[\S+\]

So, the whole rule is not good for this message; you should start it over and make it match.

Also, you have a lot of "(" and ")" that are not escaped, and the only "(" and ")" that don't have to be escaped are the ones that refer to the IP that you want to block, as param $1 will get the info from the only ones not escaped. If you have another pair of "(" and ")" then you can have $1 and $2 and so on.
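To make Sergio's two points concrete (anchor the prefix as date, time, "[pid]", and leave only the IP in unescaped parentheses), here is an added example, written for this page and not code from the thread or from the csf project. It is a stand-alone Perl script that applies corrected rules to constructed copies of both log shapes posted above (the blacklisted-HELO reject and the dovecot_plain authentication failure), with 192.0.2.10 standing in for the real client address. The `$globlogs{CUSTOM2_LOG}{$lgfile}` guard is left out here because nothing sets it outside lfd; restore it when pasting a rule into regex.custom.pm. The six-element return list is kept exactly as posted. Note that the posted dovecot_plain rule has no capture group at all, so its $1 is empty; the version below captures the IP.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample lines (not real logs) in the same shape as the
# exim_rejectlog lines quoted above. 192.0.2.10 is a documentation address.
my @samples = (
    '2015-08-10 02:33:49 [25984] H=(ylmf-pc) [192.0.2.10]:33378 rejected EHLO or HELO ylmf-pc: HELO/EHLO - blacklisted HELO',
    '2015-08-10 03:39:11 [39521] dovecot_plain authenticator failed for () [192.0.2.10]:33942: 535 Incorrect authentication data (set_id=EMAIL_ADDRESS)',
    '2015-08-10 03:40:00 [39522] H=(mail.example.net) [192.0.2.11]:4010 some other line that must not match',
);

# Same shape as a rule block in regex.custom.pm: returns the six-element
# list lfd expects on a hit, or an empty list when the line does not match.
sub check_line {
    my ($line) = @_;

    # Prefix anchored as Sergio describes: date, time, "[pid]". Every literal
    # "(" and ")" in the message is escaped; the only capturing group is the
    # one around the client IP, so it lands in $1. The IP group accepts
    # anything up to the closing "]" so IPv6 literals are captured too.
    if ($line =~ /^\S+\s+\S+\s+\[\d+\] H=\(ylmf-pc\) \[([^\]]+)\]:\d+ rejected EHLO or HELO ylmf-pc: HELO\/EHLO - blacklisted HELO/) {
        return ("Failed SMTP from blacklisted HELO",$1,"ylmf","3","25","1");
    }

    # The "()" after "failed for" may hold a hostname in other lines, so it is
    # matched as an escaped, non-capturing pair; the IP is again the only $1.
    if ($line =~ /^\S+\s+\S+\s+\[\d+\] dovecot_plain authenticator failed for \([^)]*\) \[([^\]]+)\]:\d+: 535 Incorrect authentication data/) {
        return ("Failed SMTP authentication",$1,"dovecotplain","3","25","1");
    }

    return ();
}

# Run each constructed line through the rules and show what lfd would see.
for my $line (@samples) {
    my @r = check_line($line);
    if (@r) {
        printf "MATCH   id=%-13s ip=%-12s text=%s\n", $r[2], $r[1], $r[0];
    } else {
        print "NOMATCH $line\n";
    }
}
```

Run it with `perl` on the shell; the first two constructed lines should report a match with `ip=192.0.2.10` and the third should report NOMATCH. The same test is the quickest way to check any future rule: drop three real lines from the watched log into `@samples` and confirm `$r[1]` holds an IP before restarting lfd.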

Re: Help with custom regex rules

Posted: 03 Sep 2015, 13:42
by lehels
Thanks @Sergio, ok I may have not posted the right rule here - however I've tried with several other rules, which I'm sure do work, and I was able to confirm by simply adding an echo to a file command in {} before the return function, and the file got created.

So, if the regex is good, what would be the reason LFD won't do anything?

The return() looks good, right?

return ("Failed SMTP from blacklisted HELO",$1,"ylmf","3","25","1");
(instead of 1, I've tried with e.g. 300 too)

What else? How can I make sure, knowing I have a good regex that LFD would work, detect, block the IP and log to lfd.log?

Thanks much!

Re: Help with custom regex rules

Posted: 03 Sep 2015, 14:24
by Sergio
- Post 3 log lines examples of what you want to block.
- Write the name of the log where you are getting these lines.
- Write the rule that you have created.
So, I can review what you have done.

Re: Help with custom regex rules

Posted: 07 Sep 2015, 08:09
by lehels
I have two cases here, both seem to trigger the regex [the command before return() gets executed], but LFD doesn't seem to log or do anything:

https://gist.github.com/lehels/5743226f19e7eb733277
https://gist.github.com/lehels/eee1bb86ba96d2ff5ec9

Re: Help with custom regex rules

Posted: 09 Sep 2015, 14:13
by lehels
Let me know if you get a chance to take a look at it @Sergio, really appreciated. :) Thanks,