
regex for URI not URL

Posted: 29 Oct 2019, 15:18
by bulgin23
Hello.

I have a regex that I'm trying to modify for regex.custom.pm so when the server (not a user clicks) redirects to a specific page (which is logged in /var/log/apache2/access.log), after x number of attempts, it blocks that IP.

The purpose is to block bots attempting to hack a "token entry" form and currently, due to the software used, a failure with the form does not get logged in error_log but rather access_log.

Question: how do I put multiple custom log files in regex.custom.pm, and what is the syntax for a redirect?

I currently have a working command (thanks to this forum) for another purpose in regex.custom.pm, which is this:

if (($globlogs{CUSTOM3_LOG}{$lgfile}) and ($line =~ /^.*\[client (\S+):\d+\].*(wp-login|xmlrpc).*/)) {
    return ("WP whacker",$1,"WP_whacker","1","","86400");
}
I now need to have csf read custom1_log which references /var/log/apache2/access_log for an entry of
"domain.com/index.php/fault", so I added the following to the regex.custom.pm but it's not working (I'm not an expert on regex, as you will see):

if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^.*\[client (\S+):\d+\].*(fault).*/)) {
    return ("token whacker",$1,"token_whacker","3","","86400");
}
Any help much appreciated.

Re: regex for URI not URL

Posted: 01 Nov 2019, 06:24
by BallyBasic79
Please post a few example log lines which show what you are trying to match.

Re: regex for URI not URL

Posted: 01 Nov 2019, 15:08
by bulgin23
Thank you BallyBasic79.

Here is a snippet of access.log

127.0.0.1 - - [01/Nov/2019:11:03:38 -0400] "GET /thething/index.php/badboy HTTP/1.1" 200 3519 "http://localhost/thething/index.php/tokenshang" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:70.0) Gecko/20100101 Firefox/70.0"

it's the keyword "badboy" that is unique to this call.

Re: regex for URI not URL

Posted: 01 Nov 2019, 18:42
by BallyBasic79
You will be empowered by some study in pattern matching and regular expressions. Here, the offending IP starts the log string which also contains the target keyword.

You can see how to match that and capture the IP address with this interactive regex tool:
https://rubular.com/r/EvW0POJTwizNM9

Re: regex for URI not URL

Posted: 02 Nov 2019, 01:17
by bulgin23
Thanks for the pointers - it works!!!!!

My only lingering question is what is the formatting for multiple rules in one regex.custom.pm?

For example, if I need two rules, are they simply inserted into the .pm file as so, just one right after the other?
==========================================================
if (($globlogs{CUSTOM4_LOG}{$lgfile}) and ($line =~ /^.*\[client (\S+):\d+\].*(wp-login|xmlrpc).*/)) {
return ("WP whacker",$1,"WP_whacker","1","","86400");
}
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /^(\d+\.\d+\.\d+\.\d+).*index\.php\/badboy/)) {
return ("badboy",$1,"bad_boy","3","","86400");
}
=========================================================

Re: regex for URI not URL

Posted: 02 Nov 2019, 01:33
by BallyBasic79
Nice job!

Each rule checks a specific log for a specific pattern match and captures the IP. It returns a comment, the IP, a rule name, and specifies trigger level, ports to block (opt), temp/perm, cloudflare.

Each rule is very specific to a set of conditions and results so you will likely need one rule each. Presently, I have 12 different rules in one installation.

But it is possible to combine several rules in one where the conditions and results are the same and the pattern match is nearly identical. In the WP_whacker example you cited, I combined two conditions into one rule with the use of (wp-login|xmlrpc). This matches lines that contain (either) wp-login or(|) xmlrpc. Basically same log line, same conditions, same result, just different keyword.

Follow?

Re: regex for URI not URL

Posted: 02 Nov 2019, 02:11
by bulgin23
Thank you - I couldn't have done it without your guiding hand!

So placing two rules, one after the other as I've indicated in the post, above, is fine? When I say "two rules" I don't mean for example, (wp-login|xmlrpc), I mean stanzas - the (wp-login|xmlrpc) stanza directly above the badboy stanza.

Re: regex for URI not URL

Posted: 02 Nov 2019, 06:52
by BallyBasic79
Yes, stack them up. Be sure to keep the syntax of each statement complete. Essentially:

if ( ... ) {
	return ( ... );
}
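As an added example (not code from this thread or from csf itself), here is a stand-alone Perl script that stacks the two rules discussed above inside a custom_line() shaped the way csf calls it and runs constructed access.log and error.log lines through them, so a rule can be checked offline before lfd is restarted. The %globlogs layout, the log paths and the sample lines are assumptions.

```perl
#!/usr/bin/perl
# Offline check for stacked regex.custom.pm rules: constructed log lines are fed
# through a custom_line() shaped like csf's and each rule's return value is shown.
# Assumed: csf calls custom_line($line, $lgfile), and %globlogs is keyed by the
# csf.conf setting name and then by the log file path, as the rules above use it.
use strict;
use warnings;

# Constructed stand-in for the %globlogs hash that csf fills from csf.conf.
my %globlogs = (
    CUSTOM1_LOG => { '/var/log/apache2/access.log' => 1 },
    CUSTOM3_LOG => { '/var/log/apache2/error.log'  => 1 },
);

sub custom_line {
    my ($line, $lgfile) = @_;

    # Rule 1: login/xmlrpc probes in the error log; the IP sits in "[client IP:port]".
    if ($globlogs{CUSTOM3_LOG}{$lgfile} and $line =~ /\[client (\S+):\d+\].*(?:wp-login|xmlrpc)/) {
        return ("WP whacker", $1, "WP_whacker", "1", "", "86400");
    }

    # Rule 2: the application's failure page in the access log; the IP is the first field.
    # Caveat: \d+\.\d+\.\d+\.\d+ only captures IPv4 clients, so IPv6 requests never trigger it.
    if ($globlogs{CUSTOM1_LOG}{$lgfile} and $line =~ /^(\d+\.\d+\.\d+\.\d+).*index\.php\/badboy/) {
        return ("badboy", $1, "bad_boy", "3", "", "86400");
    }

    return;   # no rule matched: csf takes no action for this line
}

# Constructed sample lines (not real traffic): a hit, a benign request, an xmlrpc
# probe, and a "badboy" string in the wrong log to show that rules are per-log.
my @samples = (
    ['/var/log/apache2/access.log', '203.0.113.7 - - [01/Nov/2019:11:03:38 -0400] "GET /thething/index.php/badboy HTTP/1.1" 200 3519 "-" "curl/7.64"'],
    ['/var/log/apache2/access.log', '203.0.113.8 - - [01/Nov/2019:11:04:01 -0400] "GET /thething/index.php/home HTTP/1.1" 200 1200 "-" "curl/7.64"'],
    ['/var/log/apache2/error.log',  '[Fri Nov 01 11:05:12.123456 2019] [core:info] [pid 123] [client 198.51.100.9:51234] AH00128: File does not exist: /var/www/html/xmlrpc.php'],
    ['/var/log/apache2/error.log',  '[Fri Nov 01 11:05:13.000000 2019] [core:info] [pid 123] [client 198.51.100.9:51235] AH00128: File does not exist: /var/www/html/index.php/badboy'],
);

for my $s (@samples) {
    my ($lgfile, $line) = @$s;
    my @hit = custom_line($line, $lgfile);
    printf "%-28s %s\n", $lgfile,
        @hit ? "match: rule=$hit[2] ip=$hit[1] trigger=$hit[3]" : "no match";
}
```

Only the first and third lines report a match; the fourth shows that a keyword in a log not listed under the rule's CUSTOMx_LOG is ignored, which is why each rule is tied to one log setting.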