Custom rules don't work.
Posted: 25 Jun 2016, 11:09
hello
csf.conf has CUSTOM1_LOG=/usr/local/apache/logs/error_log
regex.custom.pm has:
Code:
    if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /ModSecurity.*Warning. Operator GT matched 3 at IP/)) {
        return ("mod_security wp_login triggered by",$1,"wplogin","1","80,443","1");
    }
    if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /ModSecurity: Warning. Pattern match "200" at RESPONSE_STATUS/)) {
        return ("mod_security wp_login triggered by",$1,"wplogin","3","80,443","1");
    }
and the log file has these 2 entries:
[Sat Jun 25 12:58:51.220882 2016] [:error] [pid 203056:tid 140331022472960] [client 180.150.230.16] ModSecurity: Warni Pattern match "200" at RESPONSE_STATUS. [file "/usr/local/apache/conf/modsec/12_asl_brute.conf"] [line "61"] [id "377"] [rev "2"] [msg "Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure "] [severity "CRCAL"] [tag "no_ar"] [hostname "hashvil.com"] [uri "/wp-login.php"] [unique_id "V25V2cBzH1wAAxkwthQAAAEV"]
[Sat Jun 25 12:58:51.209737 2016] [:error] [pid 231688:tid 140331085412096] [client 180.150.230.16] ModSecurity: Warni Operator GT matched 3 at IP:bf_counter. [file "/usr/local/apache/conf/modsec/wp_brute.conf"] [line "11"] [id "10013"]ostname "hashvil.co.il"] [uri "/wp-login.php"] [unique_id "V25V2cBzH1wAA4kI3QQAAAFP"]
it should have blocked the second quota on the third occurrence and the first quota on the first occurrence but it doesn't.
I restarted lfd after changes.
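An added example, not part of the original post and not ConfigServer code: a stand-alone Perl script that runs the two posted patterns, and a variant that captures the `[client ...]` address, over constructed log lines to show what `$1` holds in each case. In a `regex.custom.pm` rule the second returned element is the offending IP; the sub names, the `$CLIENT` pattern and the sample lines (documentation-range IP, placeholder hostname) are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample lines modelled on the two error_log entries in the post
# (192.0.2.10 is a documentation address, example.test a placeholder host).
my @lines = (
    '[Sat Jun 25 12:58:51.209737 2016] [:error] [pid 1:tid 2] [client 192.0.2.10] ModSecurity: Warning. Operator GT matched 3 at IP:bf_counter. [file "wp_brute.conf"] [line "11"] [id "10013"] [hostname "example.test"] [uri "/wp-login.php"]',
    '[Sat Jun 25 12:58:51.220882 2016] [:error] [pid 1:tid 3] [client 192.0.2.10] ModSecurity: Warning. Pattern match "200" at RESPONSE_STATUS. [file "12_asl_brute.conf"] [line "61"] [id "377"] [hostname "example.test"] [uri "/wp-login.php"]',
);

# The two patterns as posted: neither contains a capture group, so $1 is
# undefined after a successful match and the IP slot of the return is empty.
sub posted_rule {
    my ($line) = @_;
    if ($line =~ /ModSecurity.*Warning. Operator GT matched 3 at IP/) {
        return ("mod_security wp_login triggered by", $1, "wplogin", "1", "80,443", "1");
    }
    if ($line =~ /ModSecurity: Warning. Pattern match "200" at RESPONSE_STATUS/) {
        return ("mod_security wp_login triggered by", $1, "wplogin", "3", "80,443", "1");
    }
    return;
}

# Hypothetical variant: capture the IPv4 address from "[client a.b.c.d]" or
# "[client a.b.c.d:port]" so that $1 carries it. IPv6 clients are not handled.
my $CLIENT = qr/\[client (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\]/;

sub capturing_rule {
    my ($line) = @_;
    if ($line =~ /$CLIENT ModSecurity: Warning\. Operator GT matched 3 at IP:bf_counter/) {
        return ("mod_security wp_login triggered by", $1, "wplogin", "1", "80,443", "1");
    }
    if ($line =~ /$CLIENT ModSecurity: Warning\. Pattern match "200" at RESPONSE_STATUS/) {
        return ("mod_security wp_login triggered by", $1, "wplogin", "3", "80,443", "1");
    }
    return;
}

# Print, per line and per rule, whether it matched and what lands in the IP slot.
for my $line (@lines) {
    for my $rule ([posted => \&posted_rule], [capturing => \&capturing_rule]) {
        my ($name, $code) = @$rule;
        my @ret = $code->($line);
        printf "%-9s matched=%s ip=%s trigger=%s\n",
            $name, (@ret ? 'yes' : 'no'), $ret[1] // '(empty)', $ret[3] // '-';
    }
}
```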