Custom REGEX rules for CSF.


Re: Custom REGEX rules for CSF.

Post by sahostking »

Today we had two servers blacklisted due to spam originating from contact us pages on Joomla websites that are not using captchas. Now, informing customers to do so sometimes takes time, and they don't even do it. So we decided to look into a way that will stop it from happening on all servers, without the need of waiting for hundreds of our customers with outdated Joomla sites and no captchas to do so and fix the issue.

We came up with the below regex which seemed to stop them.

Code:

if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*\(?option=com_contact&view=contact&id=/)) {
   return ("JOOMLACONTACT2",$1,"JCONTACT2","3","80,443","86400");
}

Hope it helps someone with a similar problem.

Re: Custom REGEX rules for CSF.

Post by promoauto »

This post is great and I got some great rules from here.
I am trying to set up a new rule for Bind on CentOS because I have a lot of queries:

Mar 23 12:18:10 mail named[12986]: client query (cache) './ANY/IN' denied,

so my regex looks like this:

^.* named\[\d+\]:? \S+ \([^\[]+\[(\S+)\]\) client (\S*) \(query (cache) './ANY/IN'\): denied

and the rule:

if (($globlogs{CUSTOM5_LOG}{$lgfile}) and ($line =^.* named\[\d+\]:? \S+ \([^\[]+\[(\S+)\]\) client (\S*) \(query (cache) './ANY/IN'\): denied/)) {
return ("Blocare named",$2,"Named scan","2","53","3600");

I am missing something here because it does not work. Any help is more than appreciated.

Re: Custom REGEX rules for CSF.

Post by Sergio »

I think you have missed the "/" at the start of your rule,

Try to add the "/" after the equal sign, like this:
($line = /^.* named\[\d+\]:? \S+....

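An added example, not part of the thread and not CSF's own code: a stand-alone Perl script that checks a `regex.custom.pm`-style rule for the denied `./ANY/IN` queries against sample lines before it goes live, using the `=~` operator with a delimited, anchored pattern. The BIND line layout (client IP#port before the query text), the sample log lines, the `NAMEDANY` identifier and passing the `globlogs` hash as a parameter are assumptions made here.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed BIND layout; the log line quoted in the thread shows no client address.
my $NAMED_DENIED = qr{
    ^\S+\s+\d+\s+\S+\s+\S+\s+      # syslog prefix: month, day, time, host
    named\[\d+\]:\s+client\s+
    (?:\@0x[0-9a-fA-F]+\s+)?       # optional client object address (some BIND versions)
    (\S+?)\#\d+\s+                 # capture 1 is the client IP, followed by its port
    \([^)]*\):\s+                  # query name in parentheses
    query\s+\(cache\)\s+'\./ANY/IN'\s+denied
}x;

# Stand-in for CSF's custom_line(); in CSF, %globlogs is a module-level hash.
sub custom_line {
    my ($line, $lgfile, $globlogs) = @_;
    if ($globlogs->{CUSTOM5_LOG}{$lgfile} and $line =~ $NAMED_DENIED) {
        # message, IP, identifier, trigger, ports, block seconds (values from the post).
        # CSF's sample regex.custom.pm asks for an alphanumeric identifier without
        # spaces, so a hypothetical "NAMEDANY" is used here.
        return ("Blocare named", $1, "NAMEDANY", "2", "53", "3600");
    }
    return;
}

# Constructed sample lines using documentation address ranges.
my %globlogs = (CUSTOM5_LOG => { "/var/log/messages" => 1 });
my @lines = (
    "Mar 23 12:18:10 mail named[12986]: client 192.0.2.10#41234 (.): query (cache) './ANY/IN' denied",
    "Mar 23 12:18:11 mail named[12986]: client \@0x7f3a1c0d2e10 198.51.100.7#5353 (.): query (cache) './ANY/IN' denied",
    "Mar 23 12:18:12 mail named[12986]: client 192.0.2.10#41235 (example.com): query: example.com IN A +",
);

for my $line (@lines) {
    my @hit = custom_line($line, "/var/log/messages", \%globlogs);
    print @hit ? "BLOCK $hit[1] ($hit[2])\n" : "no match\n";
}
```

Replace the sample lines with real ones copied from the log file set as CUSTOM5_LOG; a rule that prints "no match" for them will never trigger a block.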