
regex.custom.pm trigger trigger level and temporary value ignored

Posted: 19 Aug 2017, 18:55
by jmginer
Hello,

I have configured this regex.custom.pm:


# setup-config
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-admin\/setup-config\.php.*" /)) {
    return ("setup-config attack",$1,"setup-config","20","80,443","3600");
}
As you can see, the trigger level is 20 and the temporary value is 3600.

But the block is done on 10 triggers and 1800 seconds:


Time:     Sat Aug 19 18:22:32 2017 +0200
IP:       x.x.x.x
Failures: 10 (setup-config)
Interval: 1800 seconds
Blocked:  Temporary Block
1800 is my configured LF_INTERVAL value, but shouldn't the value defined in regex.custom.pm have priority?

How can I fix it? Is it a bug?

Thanks!!!

Re: regex.custom.pm trigger trigger level and temporary value ignored

Posted: 03 Sep 2017, 10:10
by Sergio
The rule doesn't look like it is well constructed.
How do you know what is inside Group 1?
It is very ambiguous to define "(\S+).*]" as you don't know what will be saved in that group.

Please copy the full log line so we can check whether that is the error.
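To show what Sergio's question about Group 1 means in practice, here is an added example; it is not code from this thread or from CSF/lfd. It runs the regex exactly as posted, plus a tighter variant of my own, over three constructed Apache access-log lines (not real traffic) and prints what $1 would hand to lfd as the address to block. The tighter regex assumes the default "combined" log format, where the client address is the first field; the IPv4/IPv6 shape it checks is a rough filter, not a full validator.

```perl
#!/usr/bin/perl
# Added example, not from the original thread or from CSF: see what $1 holds
# when the posted regex (and a stricter one) is applied to Apache log lines.
use strict;
use warnings;

# The pattern exactly as posted in regex.custom.pm.
my $loose = qr/(\S+).*] "\w*(?:GET|POST) \/wp-admin\/setup-config\.php.*" /;

# Stricter alternative (assumption: default "combined" log format, so the
# client address is the first field). It is anchored at the start of the
# line and requires the first field to look like an IPv4 or IPv6 address,
# so $1 can only ever be the address lfd is asked to block.
my $strict = qr/^(\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F:]+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) \/wp-admin\/setup-config\.php[^"]*" /;

# Constructed sample lines (not real traffic).
my @lines = (
    # 1: default "combined" format -> first field is the client IP
    '203.0.113.10 - - [19/Aug/2017:18:22:32 +0200] "GET /wp-admin/setup-config.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    # 2: "vhost_combined" format -> first field is the virtual host, not an IP
    'www.example.com:80 203.0.113.10 - - [19/Aug/2017:18:22:33 +0200] "POST /wp-admin/setup-config.php?step=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # 3: the path only appears in the referer; neither regex should fire
    '203.0.113.11 - - [19/Aug/2017:18:22:34 +0200] "GET /index.php HTTP/1.1" 200 1024 "http://example.com/wp-admin/setup-config.php" "Mozilla/5.0"',
);

# Return what a rule would pass to lfd as the IP field, or undef on no match.
sub capture {
    my ($re, $line) = @_;
    return $line =~ $re ? $1 : undef;
}

my $n = 0;
for my $line (@lines) {
    $n++;
    my $l = capture($loose,  $line);
    my $s = capture($strict, $line);
    printf "line %d\n  loose:  %s\n  strict: %s\n", $n,
        defined $l ? "\$1 = '$l'" : 'no match',
        defined $s ? "\$1 = '$s'" : 'no match';
}
```

On line 1 both patterns capture 203.0.113.10. On line 2 the posted pattern still matches, but $1 is 'www.example.com:80', which is not an address lfd can block; the anchored pattern simply does not match that format, which is the failure you want to notice rather than hide. Line 3 matches neither, because the request line after "] " is /index.php. Pasting your real log line into @lines is the quickest way to answer Sergio's question about what ends up in Group 1.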