ConfigServer Community Forum

Posted: **22 Apr 2025, 13:01**

We are trying to block access to a web server when there is no user agent and not referrer. Example log lines look like this;

Code: Select all

40.##.##.## - - [20/Apr/2025:08:39:37 -0500] "GET /wp-admin/css/colors/Admin-Author.php HTTP/1.1" 500 17551 "-" "-"

The code we put in regex.custom.pm is like this:

Code: Select all

if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ / "-" "-"$/)) {
    return ("No User Agent",$1,"UserAgent","20","80,443","3600");
    }

CUSTOM2_LOG is set properly and works for other regex's we have in regex.custom.pm

Any thoughts/suggestions as to why it's not working properly would be greatly appreciated.

Posted: **24 Apr 2025, 22:17**

It is not working because seems that your regex is not well constructed.

Here are two examples of what the regex could be, based on the log line that you wrote:

LOG LINE:

40.##.##.## - - [20/Apr/2025:08:39:37 -0500] "GET /wp-admin/css/colors/Admin-Author.php HTTP/1.1" 500 17551 "-" "-"

REGEX:

Code: Select all

/(\S+) \- \- \[\d+\/\D+\/\d+:\d+:\d+:\d+ \-\d+\] "GET \/wp-admin\/css\/colors\/Admin-Author\.php.*"\-" "\-"/i

Another REGEX:

Code: Select all

/(\S+) .* "GET \/wp-admin\/css\/colors\/Admin-Author\.php.*"\-" "\-"/i

Sergio

Posted: **24 Apr 2025, 22:43**

Hello Sergio,

I do have to agree that my per regex experience is not great ;-)

Yours are a bit too specific. We don't really care about the page or path just the "-" "-" at the end. Would something like:

Code: Select all

/(\S+) .*"\-" "\-"/

Work?

Posted: **25 Apr 2025, 04:53**

Yes,
it could work.

ConfigServer Community Forum

Regex not working in regex.custom.pm

Regex not working in regex.custom.pm

Re: Regex not working in regex.custom.pm

Re: Regex not working in regex.custom.pm

Re: Regex not working in regex.custom.pm