Help with custom regex rules

Sergio · Post by **Sergio** » 11 Sep 2015, 14:04

Sorry for the delay, I have been busy setting up my new server.

Lehels, your regex rule is no good, the "echo" will be triggered any time and is not a good indicator that your rule "is working", as it is not.

As I said before, you need to escape all the "(" and ")" and only left one pair not escaped that the regex rule will call $1.

Code: Select all

if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /^\S+\s+\S+\s+(\[\d+\] )?(\S+) authenticator failed for \S+ (.*)?\[(\S+)\](:\S*:?)? 535 Incorrect authentication data (\(set_id=(\S+)\))?/)) {
      `echo "IS MATCHED" > /tmp/test`;
      return ("Failed SMTP authentication",$1,"dovecotplain","5","25","1");
}

Look at your code and tell me, How many not escaped pairs "()" are?
Which one contains the IP that you want to block?
I recommend you to delete the "echo" line as it is not a way to tell if the rule is working or not.

lehels · Post by **lehels** » 14 Sep 2015, 10:47

Indeed, worked great @Sergio - thanks much!
- the following two worked out for me:

Code: Select all

/^\S+\s+\d+\S+ \[\d+\] H\=\(ylmf\-pc\) \[(\S+)\](:\S*:?) rejected EHLO or HELO ylmf\-pc\: HELO\/EHLO \- blacklisted HELO/

/^\S+\s+\d+\S+ \[\d+\] dovecot\_plain authenticator failed for \(.*\) \[(\S+)\](:\S*:?)? 535 Incorrect authentication data \(set\_id\=(\S+)\)/

Sergio · Post by **Sergio** » 14 Sep 2015, 16:19

Great!! glad it worked.

Sergio

ConfigServer Community Forum

Help with custom regex rules

Re: Help with custom regex rules

Re: Help with custom regex rules

Re: Help with custom regex rules