Squid custom regex to filter login failure
Posted: 18 Feb 2014, 09:24
by Ilia
Dear guys,
Could you please help me to fix my regex to filter login failure from Squid. Its log line is:
1392714132.861 0 1.2.3.4 TCP_DENIED/407 3922 CONNECT google.com:443 username HIER_NONE/- text/html
I need to catch the TCP_DENIED/407 part. Here is what I did in my regex.custom.pm, but it fails to catch it:
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] TCP_DENIED\/407/)) {
return ("Failed Squid authentication from",$1,"SquidAuth","3","3128","604800");
}
What am I doing wrong here?
Please help.
Re: Squid custom regex to filter login failure
Posted: 18 Feb 2014, 17:55
by Sergio
Where in your error line is the "\["?
The line that you are showing has:
1392714132.861 0 1.2.3.4 TCP_DENIED/407 3922 CONNECT google.com:443 username HIER_NONE/- text/html
So, the regex doesn't need any "\[" or "\]" that doesn't exist. The regex should be something like this:
\S+\s+\d+\s+\S+ TCP_DENIED\/407 .*
Try not to use the caret "^".
You can check this regex against a list of errors on http://regexpal.com/
Sergio
Re: Squid custom regex to filter login failure
Posted: 18 Feb 2014, 18:01
by Ilia
Thanks Sergio.
I just tested your example and the one I just made (http://regex101.com/r/jC8aE7). They both match, but it's still not working. LFD doesn't trigger the block?
After editing I restarted both: csf -r, lfd -r. Added log 1 to .conf.
Not sure what is wrong.
Re: Squid custom regex to filter login failure
Posted: 18 Feb 2014, 18:05
by Sergio
Can you paste more lines of the errors that you want to block?
What is the log file where you are searching for these errors?
Re: Squid custom regex to filter login failure
Posted: 18 Feb 2014, 18:19
by Ilia
The log file is:
CUSTOM1_LOG = "/var/log/squid/access.log"
The custom regex is this (after the update):
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+\s+\d+\s+\S+ TCP_DENIED\/407 .*/)) {
return ("Failed Squid authentication from",$1,"SquidAuth","3","3128","604800");
}
The log lines are:
1392714132.861 0 1.2.3.4 TCP_DENIED/407 3922 CONNECT google.com:443 username HIER_NONE/- text/html
1392714132.861 0 1.2.3.4 TCP_DENIED/407 3922 CONNECT www.google.com:80 username HIER_NONE/- text/html
Re: Squid custom regex to filter login failure
Posted: 18 Feb 2014, 18:34
by Ilia
Does it have to just match TCP_DENIED/407, or also match and extract an IP? For example:
http://regex101.com/r/qJ5wL4
If so, no wonder it doesn't work?
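An added example, not part of the thread and not csf/lfd code, that shows both points raised so far: why the bracketed pattern from the first post never matches a native-format Squid access.log line, and why the csf return() line needs the client address in a capture group so that $1 is not empty. The sample log lines are constructed for this example, the regex is the same shape as Sergio's pattern with the third field captured, and the threshold/window logic is a simplified model of the "3 failures in 604800 seconds" values from the return() line, not lfd's own implementation. Python's re module accepts this pattern unchanged from the Perl form.

```python
import re
from collections import defaultdict

# Constructed sample lines in Squid's native access.log format (not from the poster's server).
# Fields: timestamp, elapsed ms, client IP, result/status, bytes, method, URL, user, hierarchy, type.
SAMPLE_LOG = [
    "1392714132.861      0 1.2.3.4 TCP_DENIED/407 3922 CONNECT google.com:443 - HIER_NONE/- text/html",
    "1392714133.120      0 1.2.3.4 TCP_DENIED/407 3922 CONNECT www.google.com:80 - HIER_NONE/- text/html",
    "1392714134.500     12 1.2.3.4 TCP_MISS/200 1043 GET http://example.com/ user HIER_DIRECT/93.184.216.34 text/html",
    "1392714135.000      0 5.6.7.8 TCP_DENIED/407 3922 CONNECT mail.example.com:443 - HIER_NONE/- text/html",
    "1392714136.000      0 1.2.3.4 TCP_DENIED/407 3922 CONNECT google.com:443 - HIER_NONE/- text/html",
]

# The pattern from the first post: it expects a literal "[" at the start of the line,
# which the native Squid format never has, so it matches nothing.
ORIGINAL_RE = re.compile(r"^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] TCP_DENIED/407")

# Same shape as Sergio's pattern (field, field, field, TCP_DENIED/407), with the
# timestamp and the client address captured. The address is what the csf return()
# line passes as $1; without a capture group that value is empty.
AUTH_FAIL_RE = re.compile(r"^(\S+)\s+\d+\s+(\S+)\s+TCP_DENIED/407\s")


def original_regex_matches(lines):
    """True if the first post's bracketed pattern matches any line (it should not)."""
    return any(ORIGINAL_RE.match(line) for line in lines)


def auth_failures(lines):
    """Return a list of (unix_timestamp, client_ip) for every 407-denied line."""
    hits = []
    for line in lines:
        m = AUTH_FAIL_RE.match(line)
        if m:
            hits.append((float(m.group(1)), m.group(2)))
    return hits


def addresses_to_block(lines, threshold=3, window=604800):
    """Simplified model (assumption, not lfd's code) of the trigger values in the
    return() line: an address is blocked once it produces `threshold` failures
    within `window` seconds. Counting uses the log's own timestamps."""
    recent = defaultdict(list)
    blocked = set()
    for ts, ip in auth_failures(lines):
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= threshold:
            blocked.add(ip)
    return blocked


if __name__ == "__main__":
    print("original pattern matches anything:", original_regex_matches(SAMPLE_LOG))
    for ts, ip in auth_failures(SAMPLE_LOG):
        print(f"407 from {ip} at {ts}")
    print("addresses to block:", sorted(addresses_to_block(SAMPLE_LOG)))
```

Running it against the constructed lines reports that the bracketed pattern matches nothing, lists four 407 failures, and flags only 1.2.3.4, which crossed the three-failure threshold; the TCP_MISS/200 line is ignored, and the single failure from 5.6.7.8 stays below the threshold.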
Re: Squid custom regex to filter login failure
Posted: 18 Feb 2014, 18:51
by Sergio
By the way, it seems that lfd -r doesn't exist; you should use:
/etc/init.d/lfd restart
Re: Squid custom regex to filter login failure
Posted: 18 Feb 2014, 18:55
by Ilia
OHHH, NO!!! You are right!! Thanks!! Whatever you pass to lfd, like lfd -r or lfd -v, it returns nothing!
Now I got it to work!!
So much time wasted..
Re: Squid custom regex to filter login failure
Posted: 18 Feb 2014, 19:01
by Sergio
It is not wasted time, I call it learning time.
Re: Squid custom regex to filter login failure
Posted: 18 Feb 2014, 19:04
by Ilia
Yes, you are right! Thanks again!