Help with custom regex rules

Sergio
Junior Member
Posts: 1685
Joined: 12 Dec 2006, 14:56

Re: Help with custom regex rules

Post by Sergio »

Those lines will trigger the regex that I wrote:
# REGEX to block IPs that uses YLMF-PC, modified:
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^\S+\s+\S+\s+\[\S+\]\s+\S+_login authenticator failed for.*\(ylmf-pc\) \[(\S+)\]/)) {
return ("smtp_auth attack",$1,"SecmasYLMF","1","1");
}
So, remove the other regex that you set in your cpanel and write this one only and see if it works for you.

Then you can check a new one.
firewallman
Junior Member
Posts: 27
Joined: 10 Apr 2007, 21:24

Re: Help with custom regex rules

Post by firewallman »

Yes, that one worked thank you!

Can you suggest a modification for the other 3 below to fit the logging style of my server?

# REGEX to block bots that looks for wrong SETID. Below to block all the IPs that comes to the server checking for setids that don't exist

if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /\S+\s+\S+\s+dovecot_login authenticator failed for \(\[?\S+\]?\) \[(\S+)\]:\d+: \d+ Incorrect authentication data \(set_id=(a|aaaaaa|aamaro|aaron|abc1?2?3?|abel?|access|accounti?n?g?s?|acer?|b?e?s?admi?n?|administracion1|advent|advertising|agency|antigua|apple|asus|avahi|bank|ba?c?kupe?p?p?c?x?e?c?|bbuser|benq|biblioteca|bill|business|bux|carlos|charles|ciclobasico|clamav|clevo|clients?|comenta?|compaq|confirm|confixx|consult|contactu?s?|controller|copier|customer|cvsadmin|cvsroot|cyrus|daemon|data|david|dbadmin|demo|dell|dialer|director|dnscache|doctor|doel|download|drweb|edi|edition|edu|esalguero|estudioazurdia|everest|expe?o?rt|falcon|fax|finance|franciscos|ftp|ftpuser|fujitsu|games|gigabyte|gonzalo.mejia|guest|helpdesk|holding|home|hp|ibm|ice|iloveyou|imac|info|install|internet|iphone|jabber|jc|jefaturaventas|jeremy|jgarcia|job|john|jorge|jude|kattytoc|kim|laboratorio|ldap|lenovo|lsarmiento|lschoenstedt|manager|margarita|marketing|monkey|mpalma|municipal|multimedia|news|newsletter|nobody|office|pastores|pos|postmaster|princess|printer|PXF.info|reception|sales|samsung|scann?e?r?|security|shadow|shop|spam|student|sunshine|support|sys|tech|temp|test1?u?s?e?r?|toshiba|training|user1?s?|wzarate|xerox)\)/)) {
return ("smtp_auth attack",$1,"SecmasSETID","1","1");
}

# REGEX to block bounced spammers that search emails. Below will block IPs that generates 1 bounce when sending email to accounts that doesn't exist on the server and the From address is nill.

if (($lgfile eq $config{SMTPAUTH_LOG}) and ($line =~ /\S+\s+\S+\s+H=\S+\s+\[(\S+)\]:\d+\s+F=\<\>\s+rejected RCPT \S+: No Such User Here/)) {
return ("Bounced messages",$1,"SecmasBOUNCE","1","1");
}

# REGEX to block IPs that searchs for admin emails.

if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /\S+\s+\S+\s+dovecot_login authenticator failed for \S+ \[(\S+)\]:\d+: 535 Incorrect authentication data \(set_id=admin\@\S+\)/)) {
return ("smpt admin attack",$1,"SecmasADMIN","1","1");
}
Sergio
Junior Member
Posts: 1685
Joined: 12 Dec 2006, 14:56

Re: Help with custom regex rules

Post by Sergio »

Sorry, but I need log lines to check where the REGEX has to be modified.

But where I see it is different is that you are using the old "courier" instead of the new "dovecot", may be there is where you have to modify.

Try to change "\s+dovecot_login" by "\s+.*_login", or send a few log lines.
firewallman
Junior Member
Posts: 27
Joined: 10 Apr 2007, 21:24

Re: Help with custom regex rules

Post by firewallman »

Here is a log line from exim+rejectlog with set_id in it:

2015-06-10 04:24:23 [28631] courier_login authenticator failed for lt57-196.hrz.tu-darmstadt.de (LT57-196) [130.83.57.196]:59107 I=[69.xxx.xxx.xxx]:587: 535 Incorrect authentication data (set_id=apple)

Here are two for "no such address here"

2015-06-08 13:01:12 [23217] H=woreport.com (emailsender.net) [72.76.104.212]:56024 I=[69.xxx.xxx.xxx]:25 F=<ordertracker@emailsender.net> rejected RCPT <d.recht-amor@appraisalexperts.com>: no such address here"
2015-06-08 15:41:17 [11920] H=(mail.onecentra.us) [69.12.73.224]:56378 I=[69.xxx.xxx.xxx]:25 F=<studentloanprograms-recht=appraisalexperts.com@onecentra.us> rejected RCPT <recht@appraisalexperts.com>: no such address here"
sahostking
Junior Member
Posts: 44
Joined: 29 May 2013, 19:07
Location: Cape Town, South Africa
Contact:

Re: Help with custom regex rules

Post by sahostking »

I need assistance on a regex to block this via CSF say after 5 failed attempts :

[Thu Jun 11 08:45:40.512566 2015] [:error] [pid 40857:tid 140173587228416] [client 168.63.216.42] ModSecurity: [file "/usr/local/apache/conf/modsec2.user.conf"] [line "37"] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."] Access denied with code 401 (phase 2). Operator GT matched 0 at USER:bf_block. [hostname "domainname"] [uri "/wp-login.php"] [unique_id "VXkulMXyRLQAAJ@ZNuMAAAJJ"]

Could someone please help?
sahostking
Junior Member
Posts: 44
Joined: 29 May 2013, 19:07
Location: Cape Town, South Africa
Contact:

Re: Help with custom regex rules

Post by sahostking »

I checked now and the regex is :

#mod_security v2 (audit_log)
if (($config{LF_MODSEC}) and ($lgfile eq $config{MODSEC_LOG}) and ($line =~ /^\[modsecurity\] \[client (\S+)\] (.*) Access denied with (code|connection)/)) {
$ip = $1; $acc = ""; $ip =~ s/^::ffff://;
if (&checkip($ip)) {return ("mod_security triggered by","$ip|$acc","mod_security")} else {return}
}

But still not blocking the previous rule even though it has "Access denied with code 401"?
Sergio
Junior Member
Posts: 1685
Joined: 12 Dec 2006, 14:56

Re: Help with custom regex rules

Post by Sergio »

firewallman wrote:Here is a log line from exim+rejectlog with set_id in it:

2015-06-10 04:24:23 [28631] courier_login authenticator failed for lt57-196.hrz.tu-darmstadt.de (LT57-196) [130.83.57.196]:59107 I=[69.xxx.xxx.xxx]:587: 535 Incorrect authentication data (set_id=apple)
As I said, you have to modify the regex for this to work, replace this:
/\S+\s+\S+\s+dovecot_login authenticator failed for \(\[?\S+\]?\) \[(\S+)\]:\d+: \d+ Incorrect authentication data \(set_id=

by this:
/\S+\s+\S+\s+.*_login authenticator failed for.*\(\[?\S+\]?\) \[(\S+)\]:\d+.*Incorrect authentication data \(set_id=
Here are two for "no such address here"

2015-06-08 13:01:12 [23217] H=woreport.com (emailsender.net) [72.76.104.212]:56024 I=[69.xxx.xxx.xxx]:25 F=<ordertracker@emailsender.net> rejected RCPT <d.recht-amor@appraisalexperts.com>: no such address here"
2015-06-08 15:41:17 [11920] H=(mail.onecentra.us) [69.12.73.224]:56378 I=[69.xxx.xxx.xxx]:25 F=<studentloanprograms-recht=appraisalexperts.com@onecentra.us> rejected RCPT <recht@appraisalexperts.com>: no such address here"
You have to replace this:
/\S+\s+\S+\s+H=\S+\s+\[(\S+)\]:\d+\s+F=\<\>\s+rejected RCPT \S+: No Such User Here/)

for this
/\S+\s+\S+\s+.*H=\S+\s+.*\[(\S+)\]:\d+\s+.*F=\<\S+\>\s+rejected RCPT \S+: No Such/)
Sergio
Junior Member
Posts: 1685
Joined: 12 Dec 2006, 14:56

Re: Help with custom regex rules

Post by Sergio »

sahostking wrote:I need assistance on a regex to block this via CSF say after 5 failed attempts :

[Thu Jun 11 08:45:40.512566 2015] [:error] [pid 40857:tid 140173587228416] [client 168.63.216.42] ModSecurity: [file "/usr/local/apache/conf/modsec2.user.conf"] [line "37"] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."] Access denied with code 401 (phase 2). Operator GT matched 0 at USER:bf_block. [hostname "domainname"] [uri "/wp-login.php"] [unique_id "VXkulMXyRLQAAJ@ZNuMAAAJJ"]

Could someone please help?
I have a payed service to create custom regex, if you want, please contact me via PM, thanks.
firewallman
Junior Member
Posts: 27
Joined: 10 Apr 2007, 21:24

Re: Help with custom regex rules

Post by firewallman »

Thank you Sergio, very much!
Sergio
Junior Member
Posts: 1685
Joined: 12 Dec 2006, 14:56

Re: Help with custom regex rules

Post by Sergio »

Do the changes work?
Post Reply