Custom REGEX rules for CSF.

sahostking
Junior Member
Posts: 35
Joined: 29 May 2013, 19:07
Location: Cape Town, South Africa

Re: Custom REGEX rules for CSF.

Post by sahostking »

Today we had two servers blacklisted due to spam originating from contact us pages on Joomla websites that are not using captchas. Now informing customers to do so sometimes takes time and they don't even do it. So we decided to look into a way that will stop it from happening on all servers without the need of waiting for hundreds of our customers with outdated and no captchas on Joomla sites to do so and fix the issue.

We came up with the below regex which seemed to stop them.

Code:

# JOOMLA CONTACT PROTECTION2
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*\(?option=com_contact&view=contact&id=/)) {
   return ("JOOMLACONTACT2",$1,"JCONTACT2","3","80,443","86400");
}

Hope it helps someone with a similar problem.
promoauto
Junior Member
Posts: 1
Joined: 24 Mar 2021, 06:53

Re: Custom REGEX rules for CSF.

Post by promoauto »

Hello,
this post is great and I got some great rules from here.
I am trying to set up a new rule for BIND on CentOS because I have a lot of queries:
Mar 23 12:18:10 mail named[12986]: client 54.39.84.132#10685: query (cache) './ANY/IN' denied,
so my regex looks like this:
^.* named\[\d+\]:? \S+ \([^\[]+\[(\S+)\]\) client (\S*) \(query (cache) './ANY/IN'\): denied
and the rule:
if (($globlogs{CUSTOM5_LOG}{$lgfile}) and ($line =^.* named\[\d+\]:? \S+ \([^\[]+\[(\S+)\]\) client (\S*) \(query (cache) './ANY/IN'\): denied/)) {
return ("Blocare named",$2,"Named scan","2","53","3600");
}
I am missing something here because it does not work. Any help is more than appreciated.
Sergio
Junior Member
Posts: 1461
Joined: 12 Dec 2006, 14:56

Re: Custom REGEX rules for CSF.

Post by Sergio »

@promoauto
I think you have missed the "/" at the start of your rule,

Try to add the "/" after the equal sign, like this:
($line =~ /^.* named\[\d+\]:? \S+....

Sergio
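
A way to check a candidate rule against the posted log line offline before loading it into CSF, as an added example that is not code from any poster in this thread or from CSF itself. The `$candidate` pattern and the `check_line` helper are assumptions written against the single log line quoted above, and the second sample line is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Log line copied from the post above.
my $posted = q{Mar 23 12:18:10 mail named[12986]: client 54.39.84.132#10685: query (cache) './ANY/IN' denied,};
# Constructed line: an ordinary denied A query that the rule should ignore.
my $other  = q{Mar 23 12:18:11 mail named[12986]: client 192.0.2.10#5353: query (cache) 'example.com/A/IN' denied};

# Pattern as posted in the question. qr{} delimiters are used so the "/"
# characters in './ANY/IN' do not end the pattern early.
my $as_posted = qr{^.* named\[\d+\]:? \S+ \([^\[]+\[(\S+)\]\) client (\S*) \(query (cache) './ANY/IN'\): denied};

# Assumed pattern, written against the posted log line only: anchored at the
# syslog prefix so text later in the line cannot satisfy it, literal
# parentheses and the dot escaped, client address captured in $1.
my $candidate = qr{^\S+\s+\d+\s+\S+\s+\S+\s+named\[\d+\]: client ([0-9A-Fa-f:.]+)#\d+: query \(cache\) '\./ANY/IN' denied};

# Hypothetical stand-in for the rule body in regex.custom.pm, without the
# %globlogs test, so it can run outside lfd.
sub check_line {
    my ($line, $re) = @_;
    if ($line =~ $re) {
        # Return tuple copied from the post, with the captured IP as field 2.
        return ("Blocare named", $1, "Named scan", "2", "53", "3600");
    }
    return;    # empty list: no match, nothing to block
}

for my $case (["as posted", $as_posted], ["candidate", $candidate]) {
    my ($name, $re) = @$case;
    for my $line ($posted, $other) {
        my @hit = check_line($line, $re);
        my $result = @hit ? "MATCH ip=$hit[1]" : "no match";
        printf "%-9s | %-21s | %s\n", $name, $result, $line;
    }
}
```

The posted pattern expects a parenthesised field before `client` and a colon before `denied`, neither of which appears in the quoted log line, so it reports no match on both lines; the assumed pattern matches only the `./ANY/IN` line.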