ConfigServer Community Forum

Hi,

I wrote a small regex to help me identify ip addresses trying to access my system (hackers) and block them.

For some reason it's not working but the regex was tested and it returned matching results. I'm not sure what I'm missing please help.


Here's the regex I wrote:
# Added for Freeswitch
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^.*?\[WARNING\] sofia_reg.c:(.*?) SIP auth failure \(REGISTER\) on sofia profile '(.*?)' for \[(.*?)\] from ip (\d+\.\d+\.\d+\.\d+){
return ("SIP auth failure on interface" $1 for user $2",$3,"freeswitch","5","5060","600");
}

if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^.*?\[WARNING\] sofia_reg.c:(.*?) SIP auth failure \(REGISTER\) on sofia profile '(.*?)' for \[(.*?)\] from ip (\d+\.\d+\.\d+\.\d+){
return ("SIP auth failure on interface $1 for user $2",$3,"freeswitch","5","5060","600");
}

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^.*?\[WARNING\] sofia_reg.c:(.*?) Can't find user \[(.*?)\] from (\d+\.\d+\.\d+\.\d+) {
return ("Cant find user on interface" ,$1, "freeswitch","1","5060","10");

}

# End Freeswitch firewall regex

solved,

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^.*?\[WARNING\] sofia_reg.c:1481 SIP auth failure \(REGISTER\) on sofia profile '(.*?)' for \[(.*?)\] from ip (\d+\.\d+\.\d+\.\d+)$/)) {
return ("SIP auth failure on interface $1 for user $2",$3,"freeswitch","2","5060","1");
}


if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^.*?\[WARNING\] sofia_reg.c:2554 Can't find user \[(.*?)\] from ip (\d+\.\d+\.\d+\.\d+)$/)) {
return ("SIP auth failure on interface $1 for user $2",$3,"freeswitch","2","5060","1");
}