0

I'm trying to create a custom rule that blocks 403 access triggered by mod_security; my modsec audit log looks like this:

2022-06-14 02:15:19.241467 [INFO] [1554] [123.123.123.123:597-Q:189D4DD7523532AE-72#somedomain.com] [Module:mod_security]Intervention status code triggered: 403
2022-06-14 02:15:19.241477 [INFO] [1554] [123.123.123.123:597-Q:189D4DD7523532AE-72#somedomain.com] [Module:mod_security]Log Message: [client 123.123.123.123] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `15' ) [file "/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "somedomain.com"] [uri "/"] [unique_id "1655172919"] [ref ""]
2022-06-14 02:15:19.420898 [INFO] [1554] [123.123.123.123:597-Q:189D4DD7523532AE-76#somedomain.com] [Module:mod_security] ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i:\b(?:(?:m(?:s(?:ys(?:ac(?:cess(?:objects|storage|xml)|es)|(?:relationship|object|querie)s|modules2?)|db)|aster\.\.sysdatabases|ysql\.db)|pg_(?:catalog|toast)|information_schema|northwind|tempdb)\b (109 characters omitted)' against variable `ARGS:cmd' (Value: `select * from xxx union select 1,group_concat(table_name),3 from information_schema.tables where tab (20 characters omitted)' ) [file "/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "79"] [id "942140"] [rev ""] [msg "SQL Injection Attack: Common DB Names Detected"] [data "Matched Data: information_schema found within ARGS:cmd: select * from xxx union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "somedomain.com"] [uri "/"] [unique_id "1655172919"] [ref "o65,18v10,120t:urlDecodeUni"]
2022-06-14 02:15:19.421111 [INFO] [1554] [123.123.123.123:597-Q:189D4DD7523532AE-76#somedomain.com] [Module:mod_security] ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i:(?:[\"'`](?:;?\s*?(?:having|select|union)\b\s*?[^\s]|\s*?!\s*?[\"'`\w])|(?:c(?:onnection_id|urrent_user)|database)\s*?\([^\)]*?|u(?:nion(?:[\w(\s]*?select| select @)|ser\s*?\([^\)]*?)|s(?:chema\s* (165 characters omitted)' against variable `ARGS:cmd' (Value: `select * from xxx union select 1,group_concat(table_name),3 from information_schema.tables where tab (20 characters omitted)' ) [file "/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "164"] [id "942190"] [rev ""] [msg "Detects MSSQL code execution and information gathering attempts"] [data "Matched Data: union select found within ARGS:cmd: select * from xxx union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "somedomain.com"] [uri "/"] [unique_id "1655172919"] [ref "o18,12v10,120t:urlDecodeUni"]
2022-06-14 02:15:19.421312 [INFO] [1554] [123.123.123.123:597-Q:189D4DD7523532AE-76#somedomain.com] [Module:mod_security] ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)union.*?select.*?from' against variable `ARGS:cmd' (Value: `select * from xxx union select 1,group_concat(table_name),3 from information_schema.tables where tab (20 characters omitted)' ) [file "/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "277"] [id "942270"] [rev ""] [msg "Looking for basic sql injection. Common attack string for mysql, oracle and others"] [data "Matched Data: union select 1,group_concat(table_name),3 from found within ARGS:cmd: select * from xxx union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='secur (4 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "somedomain.com"] [uri "/"] [unique_id "1655172919"] [ref "o18,46v10,120t:urlDecodeUni"]
2022-06-14 02:15:19.421705 [INFO] [1554] [123.123.123.123:597-Q:189D4DD7523532AE-76#somedomain.com] [Module:mod_security]Intervention status code triggered: 403
2022-06-14 02:15:19.421716 [INFO] [1554] [123.123.123.123:597-Q:189D4DD7523532AE-76#somedomain.com] [Module:mod_security]Log Message: [client 123.123.123.123] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `15' ) [file "/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "somedomain.com"] [uri "/"] [unique_id "1655172919"] [ref ""]
2022-06-14 02:15:19.568918 [INFO] [1554] [123.123.123.123:597-Q:189D4DD7523532AE-84#somedomain.com] [Module:mod_security] ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i:\b(?:(?:m(?:s(?:ys(?:ac(?:cess(?:objects|storage|xml)|es)|(?:relationship|object|querie)s|modules2?)|db)|aster\.\.sysdatabases|ysql\.db)|pg_(?:catalog|toast)|information_schema|northwind|tempdb)\b (109 characters omitted)' against variable `ARGS:cmd' (Value: `select * from xxx union select 1,group_concat(table_name),3 from information_schema.tables where tab (20 characters omitted)' ) [file "/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "79"] [id "942140"] [rev ""] [msg "SQL Injection Attack: Common DB Names Detected"] [data "Matched Data: information_schema found within ARGS:cmd: select * from xxx union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "somedomain.com"] [uri "/"] [unique_id "1655172919"] [ref "o65,18v10,120t:urlDecodeUni"]
2022-06-14 02:15:19.569190 [INFO] [1554] [123.123.123.123:597-Q:189D4DD7523532AE-84#somedomain.com] [Module:mod_security] ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i:(?:[\"'`](?:;?\s*?(?:having|select|union)\b\s*?[^\s]|\s*?!\s*?[\"'`\w])|(?:c(?:onnection_id|urrent_user)|database)\s*?\([^\)]*?|u(?:nion(?:[\w(\s]*?select| select @)|ser\s*?\([^\)]*?)|s(?:chema\s* (165 characters omitted)' against variable `ARGS:cmd' (Value: `select * from xxx union select 1,group_concat(table_name),3 from information_schema.tables where tab (20 characters omitted)' ) [file "/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "164"] [id "942190"] [rev ""] [msg "Detects MSSQL code execution and information gathering attempts"] [data "Matched Data: union select found within ARGS:cmd: select * from xxx union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "somedomain.com"] [uri "/"] [unique_id "1655172919"] [ref "o18,12v10,120t:urlDecodeUni"]
2022-06-14 02:15:19.569595 [INFO] [1554] [123.123.123.123:597-Q:189D4DD7523532AE-84#somedomain.com] [Module:mod_security] ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)union.*?select.*?from' against variable `ARGS:cmd' (Value: `select * from xxx union select 1,group_concat(table_name),3 from information_schema.tables where tab (20 characters omitted)' ) [file "/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "277"] [id "942270"] [rev ""] [msg "Looking for basic sql injection. Common attack string for mysql, oracle and others"] [data "Matched Data: union select 1,group_concat(table_name),3 from found within ARGS:cmd: select * from xxx union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='secur (4 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "somedomain.com"] [uri "/"] [unique_id "1655172919"] [ref "o18,46v10,120t:urlDecodeUni"]
2022-06-14 02:15:19.569902 [INFO] [1554] [123.123.123.123:597-Q:189D4DD7523532AE-84#somedomain.com] [Module:mod_security]Intervention status code triggered: 403
2022-06-14 02:15:19.569928 [INFO] [1554] [123.123.123.123:597-Q:189D4DD7523532AE-84#somedomain.com] [Module:mod_security]Log Message: [client 123.123.123.123] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `15' ) [file "/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "somedomain.com"] [uri "/"] [unique_id "1655172919"] [ref ""]

I tried the following code in Custom.regex.pm:

# CSF custom regex: fires only on the "ModSecurity: Access denied" log line, and only when
# LF_MODSEC is enabled and $lgfile is one of the files listed under MODSEC_LOG in csf.conf
if (($config{LF_MODSEC}) and ($globlogs{MODSEC_LOG}{$lgfile}) and ($line =~ / \[client (\S+)\] ModSecurity: Access denied/)) {
        my $ip = $1;
        $ip =~ s/^::ffff://;                            # drop an IPv4-mapped IPv6 prefix
        if (split(/:/,$ip) == 2) {$ip =~ s/:\d+$//}     # strip a trailing :port from an IPv4 address
        my $ruleid = "unknown";
        if ($line =~ /\[id "(\d+)"\]/) {$ruleid = $1}   # first [id "..."] tag on the line
        # return: (lfd.log text, ip, rule identifier, trigger count, ports, 1 = permanent block or seconds for a temporary one)
        if (checkip(\$ip)) {return ("mod_security (id:$ruleid) triggered by","$ip","mod_security-custom","1","80,443","1")} else {return}
}

I checked the regex as well from here: https://regex101.com/r/NlcB6L/1 and it seems correct. But somehow it did not block the IP. What could be going wrong?

Teddybugs
  • 153
  • 10
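As an added check, not part of the question or of CSF itself: the same three patterns from the Perl block applied in Python to constructed log lines in the format shown above, so you can see which lines the rule fires on (only the "Log Message: ... Access denied" lines, not the "Intervention" or "Warning" lines) and what it extracts. The IP, host and ids are placeholders and the long rule text is shortened.

```python
import re
from collections import Counter

# Constructed sample in the LiteSpeed/ModSecurity log format shown in the question;
# the IP, host and unique ids are placeholders, and long rule text is shortened.
SAMPLE_LOG = """\
2022-06-14 02:15:19.241467 [INFO] [1554] [123.123.123.123:597-Q:AAAA-72#somedomain.com] [Module:mod_security]Intervention status code triggered: 403
2022-06-14 02:15:19.241477 [INFO] [1554] [123.123.123.123:597-Q:AAAA-72#somedomain.com] [Module:mod_security]Log Message: [client 123.123.123.123] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `15' ) [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"]
2022-06-14 02:15:19.420898 [INFO] [1554] [123.123.123.123:597-Q:AAAA-76#somedomain.com] [Module:mod_security] ModSecurity: Warning. Matched "Operator `Rx' ..." against variable `ARGS:cmd' [id "942140"] [msg "SQL Injection Attack: Common DB Names Detected"]
2022-06-14 02:15:19.421716 [INFO] [1554] [123.123.123.123:597-Q:AAAA-76#somedomain.com] [Module:mod_security]Log Message: [client 123.123.123.123] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `15' ) [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"]
"""

# The patterns the CSF block uses (plus one for the anomaly score), in Python regex syntax.
DENIED_RE = re.compile(r" \[client (\S+)\] ModSecurity: Access denied")
RULEID_RE = re.compile(r'\[id "(\d+)"\]')
SCORE_RE = re.compile(r"TX:ANOMALY_SCORE' \(Value: `(\d+)'")


def normalise_ip(raw):
    """Mirror the Perl clean-up: drop an IPv4-mapped prefix, then a trailing :port."""
    ip = raw[len("::ffff:"):] if raw.startswith("::ffff:") else raw
    if ip.count(":") == 1:  # Perl: split(/:/,$ip) == 2, i.e. IPv4 followed by a port
        ip = re.sub(r":\d+$", "", ip)
    return ip


def match_denied(line):
    """Return (ip, rule id, anomaly score) for a line the CSF regex would fire on, else None."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    ruleid = RULEID_RE.search(line)
    score = SCORE_RE.search(line)
    return (
        normalise_ip(m.group(1)),
        ruleid.group(1) if ruleid else "unknown",
        int(score.group(1)) if score else None,
    )


def scan(log_text):
    """Apply the rule to every line and count hits per IP, the way CSF's trigger count would."""
    hits = [r for r in (match_denied(l) for l in log_text.splitlines()) if r]
    return hits, Counter(ip for ip, _, _ in hits)


if __name__ == "__main__":
    hits, per_ip = scan(SAMPLE_LOG)
    for ip, ruleid, score in hits:
        print(f"{ip} rule {ruleid} anomaly score {score}")
    print(dict(per_ip))
```

If the pattern matches here but lfd never blocks, the remaining differences are outside the regex: the log file must be the one listed under MODSEC_LOG and LF_MODSEC must be enabled for the `$config`/`$globlogs` conditions to be true.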

0 Answers