regex.custom.pm not triggering rule

Posted: 22 Jan 2014, 17:18
by Sergio
Hi Jonathan / Sarah,
I have declared the following custom rule in regex.custom.pm and it is not working:

	if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^\S+\s+\S+\s+dovecot\wlogin authenticator failed for \(ylmf\-pc/)) {
		return ("smtp_auth attack",$1,"SMTPYLMF","1","1");
	}
I have defined my CUSTOM2_LOG as /var/log/exim_rejectlog
I have double-checked the regex syntax with different compilers, and all of them have detected the following lines, which were copied from /var/log/exim_rejectlog:
2014-01-21 16:56:46 dovecot_login authenticator failed for (ylmf-pc) [59.50.173.179]:3266: 535 Incorrect authentication data
2014-01-21 20:02:14 dovecot_login authenticator failed for (ylmf-pc) [68.48.205.69]:4264: 535 Incorrect authentication data
2014-01-21 20:02:27 dovecot_login authenticator failed for (ylmf-pc) [68.48.205.69]:2062: 535 Incorrect authentication data
2014-01-21 20:02:37 dovecot_login authenticator failed for (ylmf-pc) [68.48.205.69]:2911: 535 Incorrect authentication data
2014-01-21 20:02:54 dovecot_login authenticator failed for (ylmf-pc) [68.48.205.69]:3473: 535 Incorrect authentication data
2014-01-21 20:03:05 dovecot_login authenticator failed for (ylmf-pc) [68.48.205.69]:4274: 535 Incorrect authentication data
2014-01-21 20:06:01 dovecot_login authenticator failed for (ylmf-pc) [68.48.205.69]:1715: 535 Incorrect authentication data
2014-01-22 09:09:24 dovecot_login authenticator failed for (ylmf-pc) [112.67.126.243]:1212: 535 Incorrect authentication data
2014-01-22 09:09:32 dovecot_login authenticator failed for (ylmf-pc) [112.67.126.243]:1466: 535 Incorrect authentication data
but regex.custom.pm has not been triggered.

Is there something that I am missing?

Your help is appreciated.

Regards,

Sergio

Re: regex.custom.pm not triggering rule

Posted: 23 Jan 2014, 09:30
by ForumAdmin
Your regex doesn't include detecting the IP address. Try, for example:

/^\S+\s+\S+\s+dovecot_login authenticator failed for \(ylmf-pc\) \[(\S+)\]/
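
As an added illustration (this is not code from the thread or from CSF/lfd itself), the following stand-alone Perl script runs both patterns over constructed log lines in the format quoted above. The original pattern does match the line (\w matches the underscore in dovecot_login), but it has no capture group, so the $1 placed in the second return field is undef; the corrected pattern's (\S+) captures the address that the reply says the rule must return. The %config hash, the rule_original/rule_fixed subroutine names and the harness loop are assumptions made for this example only.

```perl
#!/usr/bin/perl
# Added example, not part of the thread or of CSF/lfd: a harness that mimics
# how a custom rule is called with ($lgfile, $line) and inspects the fields
# it returns. The hash name %config and the sub names are assumptions.
use strict;
use warnings;

# Constructed sample lines in the same format as the /var/log/exim_rejectlog
# excerpt quoted in the thread (addresses copied from that excerpt), plus one
# unrelated line that neither pattern should match.
my @lines = (
    '2014-01-21 16:56:46 dovecot_login authenticator failed for (ylmf-pc) [59.50.173.179]:3266: 535 Incorrect authentication data',
    '2014-01-21 20:02:14 dovecot_login authenticator failed for (ylmf-pc) [68.48.205.69]:4264: 535 Incorrect authentication data',
    '2014-01-22 09:09:24 H=(example) [192.0.2.10] rejected for an unrelated reason',   # constructed non-matching line
);

my %config = (CUSTOM2_LOG => '/var/log/exim_rejectlog');

# The rule exactly as first posted: the match succeeds, but the pattern has no
# capture group, so $1 is undef and the address field comes back empty.
sub rule_original {
    my ($lgfile, $line) = @_;
    if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^\S+\s+\S+\s+dovecot\wlogin authenticator failed for \(ylmf\-pc/)) {
        return ("smtp_auth attack", $1, "SMTPYLMF", "1", "1");
    }
    return;
}

# The rule with the corrected pattern from the reply: (\S+) inside the
# brackets captures the address into $1, which is returned as the second field.
sub rule_fixed {
    my ($lgfile, $line) = @_;
    if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^\S+\s+\S+\s+dovecot_login authenticator failed for \(ylmf-pc\) \[(\S+)\]/)) {
        return ("smtp_auth attack", $1, "SMTPYLMF", "1", "1");
    }
    return;
}

for my $line (@lines) {
    print "LINE: $line\n";
    for my $rule ([original => \&rule_original], [fixed => \&rule_fixed]) {
        my ($name, $code) = @$rule;
        my @ret = $code->($config{CUSTOM2_LOG}, $line);
        if (!@ret) {
            printf "  %-8s no match\n", $name;
            next;
        }
        my ($msg, $ip, $id, $trigger, $perm) = @ret;
        printf "  %-8s msg=%s id=%s ip=%s\n", $name, $msg, $id,
            defined $ip ? $ip : '(undef: no address for lfd to act on)';
    }
}
```

Running it shows the original rule reporting ip=(undef) for the two dovecot_login lines while the fixed rule reports 59.50.173.179 and 68.48.205.69; the unrelated line matches neither. When writing a new rule, check it this way before deploying it: a pattern can match the line perfectly and still be useless if the address is not captured into $1.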

Re: regex.custom.pm not triggering rule

Posted: 23 Jan 2014, 16:42
by Sergio
Thanks for your reply, certainly I will try it right away.

The weird thing is that my other rules are working without adding that; I will post the results.

Regards,

Sergio

Re: regex.custom.pm not triggering rule

Posted: 23 Jan 2014, 20:03
by Sergio
It worked like a charm, thanks.

I will not forget to add the IP on future rules.

Regards,

Sergio