csf.logignore help with expressions
Posted: 08 Apr 2015, 20:52
I am not great at doing regular expressions to suppress certain messages from appearing in my hourly logs. Since I upgraded the servers to CloudLinux, I am seeing a slew of these messages and would like to remove them from the log. According to Sarah, I need to add an ignore in the csf.logignore which will not stop CSF from blocking or handling these threats, but it will remove it from the hourly emails I get from CSF.
If anyone can please help and let me know what rule I should put into csf.logignore to remove these it would be greatly appreciated.
Entries in the /var/log/messages I would like to suppress from the hourly LOG emails are as follows. I would assume if I just had a rule to suppress these strings if they existed in the log entry it would work fine.
"Firewall: *TCP_IN Blocked"
"Firewall: *UDP_IN Blocked"
Apr 8 14:00:23 server kernel: [4440465.843101] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:25:90:30:32:1c:00:11:bc:c2:10:00:08:00 SRC=213.230.80.135 DST=xx.xx.xx.xx LEN=48 TOS=0x00 PREC=0x00 TTL=102 ID=5539 DF PROTO=TCP SPT=28916 DPT=8889 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 8 14:00:31 server kernel: [4440474.116443] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:25:90:30:32:1c:00:11:bc:c2:10:00:08:00 SRC=78.176.98.149 DST=xx.xx.xx.xx LEN=48 TOS=0x00 PREC=0x00 TTL=107 ID=26153 DF PROTO=TCP SPT=21612 DPT=8889 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 8 14:00:46 server kernel: [4440489.176088] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:25:90:30:32:1c:00:11:bc:c2:10:00:08:00 SRC=78.176.98.149 DST=xx.xx.xx.xx LEN=52 TOS=0x00 PREC=0x00 TTL=107 ID=27578 DF PROTO=TCP SPT=21891 DPT=8889 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 8 14:01:14 server kernel: [4440516.934576] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:25:90:30:32:1c:00:11:bc:c2:10:00:08:00 SRC=192.3.194.138 DST=xx.xx.xx.xx LEN=220 TOS=0x00 PREC=0x00 TTL=238 ID=54321 PROTO=UDP SPT=39736 DPT=123 LEN=200
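One way to answer the question above, as an added example that is not part of the original post or of csf itself: csf.logignore takes one Perl regular expression per line (blank lines and lines starting with `#` are skipped), and the log scanner drops any line that matches one of them from the hourly report. The catch with the lines quoted in the post is the literal asterisks around `TCP_IN Blocked`: unescaped, `*` is a regex quantifier, so the obvious pattern silently matches nothing. The block below (Python standing in for the Perl matching that lfd does; the helper names and the third, constructed `lfd` log line are assumptions for illustration) shows the escaped entry, a naive entry that fails, and a small dry run of the ignore list over sample log lines so the entry can be checked for over-matching before it goes into production.

```python
import re

# Entry to put in /etc/csf/csf.logignore. The asterisks in the log line are
# literal, so they are escaped; one alternation covers both TCP_IN and UDP_IN.
CSF_LOGIGNORE_ENTRY = r"Firewall: \*(TCP|UDP)_IN Blocked\*"

# The pattern one would write by copying the log text verbatim. Here "*" is a
# quantifier ("zero or more spaces", "zero or more d"), so it never matches the
# real log line; nothing gets suppressed and the hourly emails stay noisy.
NAIVE_ENTRY = r"Firewall: *TCP_IN Blocked*"

# Constructed sample of /var/log/messages (assumption): two kernel lines of the
# kind the post wants hidden and one lfd line that should stay in the report.
SAMPLE_LOG = """\
Apr 8 14:00:23 server kernel: [4440465.843101] Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=213.230.80.135 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=28916 DPT=8889 SYN
Apr 8 14:01:14 server kernel: [4440516.934576] Firewall: *UDP_IN Blocked* IN=eth0 OUT= SRC=192.3.194.138 DST=192.0.2.10 LEN=220 PROTO=UDP SPT=39736 DPT=123
Apr 8 14:02:02 server lfd[1234]: *Port Scan* detected from 198.51.100.7 (US/United States/-). 11 hits in the last 21 secs - *Blocked in csf* [PS_LIMIT]
"""


def entry_matches(entry, line):
    """True if a single csf.logignore entry (a regex) would suppress this log line."""
    return re.search(entry, line) is not None


def load_logignore(text):
    """Parse csf.logignore-style text: skip blanks and '#' comments, compile the rest as regexes."""
    patterns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        patterns.append(re.compile(line))
    return patterns


def filter_report(log_text, patterns):
    """Split log lines into (kept, ignored): a line is ignored if any pattern matches it.

    This mirrors what the hourly LOG report does with csf.logignore; it only
    affects reporting, not the iptables rules or lfd's blocking decisions.
    """
    kept, ignored = [], []
    for line in log_text.splitlines():
        if any(p.search(line) for p in patterns):
            ignored.append(line)
        else:
            kept.append(line)
    return kept, ignored


def dry_run(logignore_text=CSF_LOGIGNORE_ENTRY, log_text=SAMPLE_LOG):
    """Apply a candidate csf.logignore to sample log text and report the counts."""
    kept, ignored = filter_report(log_text, load_logignore(logignore_text))
    return {"kept": len(kept), "ignored": len(ignored), "kept_lines": kept}


if __name__ == "__main__":
    result = dry_run("# constructed ignore list\n\n" + CSF_LOGIGNORE_ENTRY)
    print(f"ignored {result['ignored']} firewall lines, kept {result['kept']}:")
    for line in result["kept_lines"]:
        print("  " + line)
```

Run the dry run against a real chunk of /var/log/messages before editing the live file: the line you want to keep seeing (port scans, login failures) must land in `kept`, and only the kernel `Firewall: *..._IN Blocked*` lines in `ignored`. Once the entry is in /etc/csf/csf.logignore, restart lfd (`csf -ra`) so the new ignore list is read. Note that a broader pattern such as `Firewall:` alone would also hide any other firewall log prefix that shares the word, so keep the entry as specific as the log lines allow.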