13th January 2012, 01:58
erosbk

I made a log file with your lines; I only detected the first two lines. The next two, "script 'xxx' not found ...", never match, because you have, in the middle of the log file, the filenames specified in the regex...

You have to modify the regex to the following in order to catch all lines, but this could ban some IPs, because this regex will not check for "not found" after "script".

[[]client <HOST>[]] (File does not exist|script).*/(cgi-bin|admin|Admin|sql|mail|phpmyadmin|file:|php|pma|web|PMA|PMA2006|pma2006|sqlmanager|mysqlmanager|PMA2005|phpmyadmin-old|phpmyadminold|pma2005|phpmanager|mysql|myadmin|webadmin|sqlweb|websql|webdb|mysqladmin|mysql-admin|phpmyadmin2|phpMyAdmin2|phpMyAdmin-2|php-my-admin|cms|clan|site|seite|page|forum|wbb2|board|wbb|archive|forumv2|forumv1|b0ard|f0rum|wbb1|wbb3|wbblite|directforum|board23|board2|board3|WBB|WBB2|html|phpkit|page|phpkit_1.6.1|clan|myadmin|webadmin|sqlweb|websql|webdb|mysqladmin|mysql-admin|phpmyadmin2|php-my-admin|phpMyAdmin-2.2.3|phpMyAdmin-2.2.6|phpMyAdmin-2.5.1|phpMyAdmin-2.5.4|phpMyAdmin-2.5.6|phpMyAdmin-2.6.0|phpMyAdmin-2.6.0-pl1|phpMyAdmin-2.6.2-rc1|phpMyAdmin-2.6.3|phpMyAdmin-2.6.3-pl1|phpMyAdmin-2.6.3-rc1|padmin|datenbank|ZenCart|cart|commerce|e-commerce|shop|stories|store|zc|dbadmin|typo3|database|horde|horde2|horde3|horde-3.0.9|Horde|README|horde-3.0.9|adserver|phpAdsNew|phpadsnew|phpads|Ads|ads|xmlrpc|xmlsrv|blog|drupal|community|blogs|blogtest|appserver|roundcube|rc|mail|mail2|roundcubemail|rms|webmail2|webmail|wm|bin|roundcubemail-0.1|roundcubemail-0.2|roundcube-0.1|roundcube-0.2|roun|cube|wp-login.php|ucp.php|\.asp|\.dll|\.exe|\.pl)
I don't know why it is not working for you... just paste all 4 log lines in a separate file and try my regex; it should detect four matches... if it works, try to specify only one logpath for your chain, and not 3. I will think about this a little more.


edit: sorry for my poor English, too tired to check it. If you don't understand my horrible explanation of the regex, please give me advice and I will do it a little better.
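The caveat in the post above (the relaxed regex does not check for "not found" after "script"), checked offline as an added example; this is not code from the post or from fail2ban. Assumptions: the IPv4-only HOST stand-in, the shortened path list, the STRICT variant and all sample log lines are constructed for illustration.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag: IPv4 only (assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Shortened path list; the post's full alternation behaves the same way.
PATHS = r"(cgi-bin|admin|phpmyadmin|pma|wp-login\.php|\.asp|\.pl)"

# Relaxed shape from the post. \[ and \] are equivalent to its [[] and []].
RELAXED = r"\[client <HOST>\] (File does not exist|script).*/" + PATHS

# Hypothetical tighter variant: a "script" line must also say "not found".
STRICT = (r"\[client <HOST>\] (File does not exist: .*/" + PATHS +
          r"|script '.*/" + PATHS + r".*' not found)")

# Constructed sample lines in Apache 2.2 error-log layout.
LINES = [
    "[Fri Jan 13 01:40:01 2012] [error] [client 192.0.2.10] "
    "File does not exist: /var/www/phpmyadmin",
    "[Fri Jan 13 01:40:02 2012] [error] [client 192.0.2.10] "
    "script '/var/www/wp-login.php' not found or unable to stat",
    # Constructed to illustrate the caveat: "script" without "not found".
    "[Fri Jan 13 01:40:03 2012] [error] [client 203.0.113.5] "
    "script '/var/www/admin/export.php' timed out",
    # Ordinary missing file that is not in the path list.
    "[Fri Jan 13 01:40:04 2012] [error] [client 198.51.100.7] "
    "File does not exist: /var/www/favicon.ico",
]


def banned_hosts(failregex, lines):
    """Return the host captured from each line the failregex matches."""
    pattern = re.compile(failregex.replace("<HOST>", HOST))
    hits = []
    for line in lines:
        m = pattern.search(line)
        if m:
            hits.append(m.group("host"))
    return hits


if __name__ == "__main__":
    for name, rx in (("relaxed", RELAXED), ("strict", STRICT)):
        print(name, banned_hosts(rx, LINES))
```

The relaxed form also counts the third line against 203.0.113.5, which the stricter variant leaves alone.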