
💡 Feature: Split up regex rules & reconfigure directory structure. #34

@bctrainers

Description


Control Panel › Name: All

Category: 💡 Other

Feature Description

Currently, all regular expression rules are located in a single file, ./src/ConfigServer/RegexMain.pm, with all custom rules existing as an include from /usr/local/csf/bin/regex.custom.pm.

I would like to propose that RegexMain.pm be restructured into a new layout as follows:

./src/
  `- ConfigServer/
     |- RegexMain.pm
     `- Rules/
        |- openssh.default.pm
        |- pop3d.default.pm
        |- imapd.default.pm
        |- smtp.default.pm
        |- ftpd.default.pm
        |- apache.default.pm
        |- nginx.default.pm
        |- modsec.default.pm
        |- named.default.pm
        |- cpanel.default.pm
        |- webmin.default.pm
        |- someotherservice.default.pm
        `- Custom/
           |- openssh.custom.pm
           |- blahblah.custom.pm
           `- moreblah.custom.pm

Within RegexMain.pm, rather than each `if` being checked against whether LF_configitem is set to 1 or 0, it would operate on the basis of a global enable/disable for that entire protocol/service type file within the ./Rules directory. For example, if LF_SSHD is set to 1, the check within RegexMain.pm would then include ./Rules/openssh.default.pm into the overall inclusion to parse against.

Additionally, for example, if LF_SSHD is set to 1, the file ./Rules/openssh.default.pm would then auto-include a file from ./Custom. In the example of LF_SSHD, it would look similar to ./Rules/Custom/openssh.custom.pm. This would operate under the assumption that files within ./Custom may not actually exist, which would likely necessitate the use of the -e operator within a small "if exists -> require" clause.

And lastly, this may require a new section within csf.conf of variables declaring the custom rule filenames in correlation to service types. That section could look like the following:

LFD_CUSTOM_RULES_DIR = "/usr/local/csf/lib/ConfigServer/Rules/Custom/"
LFD_CUSTOM_SSH = "openssh"
LFD_CUSTOM_POP3D = "pop3d"
LFD_CUSTOM_APACHE = "apache"
LFD_CUSTOM_NGINX = "nginx"
LFD_CUSTOM_NAMED = "named"

This operates on the assumption of LFD_CUSTOM_RULES_DIR/LFD_CUSTOM_SSH.custom.pm, which would translate to /usr/local/csf/lib/ConfigServer/Rules/Custom/openssh.custom.pm.

More or less, this idea is to achieve the following:

  1. Better organize the default rules that CSF is scanning logs against.
  2. Make it easier for system administrators to manage custom rules.
  3. Open up the capability for newer LF_ types to be considered in the future (e.g., nginx rules that are unique to nginx (error 444)).
  4. Trim down some code segments.

Screenshots: No response
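As an added illustration of the include logic the proposal describes (my own sketch, not csf's code and not from the issue author), here is a self-contained Perl loader: each enabled LF_* switch pulls in its ./Rules/<service>.default.pm, then its ./Rules/Custom/<name>.custom.pm only if that file exists (the -e check mentioned above), and the rule list is run over a few constructed log lines. Assumptions not in the proposal: each rule file returns an arrayref of { name, re } hashes, the %service map, the write_file/load_rule_file/load_rules helpers, the sample rules, the temporary directory, and the log lines are all invented for the demo. One caveat worth keeping in a real implementation: custom rule files are executed as Perl inside lfd, so the loader below refuses a world-writable file rather than running it.

```perl
#!/usr/bin/perl
# Added example (not csf's own code): a minimal loader for the proposed
# Rules/ and Rules/Custom/ layout. Everything here (rule-file format, helper
# names, sample rules, log lines) is constructed for the demo; only the
# LF_* and LFD_CUSTOM_* config keys come from the proposal.
use 5.010;
use strict;
use warnings;
use File::Path qw(make_path);
use File::Spec;
use File::Temp qw(tempdir);

# Config switch -> default rule basename and the csf.conf key naming its
# custom counterpart (LF_SSHD -> openssh.default.pm / LFD_CUSTOM_SSH).
my %service = (
    LF_SSHD  => { default => 'openssh', custom_key => 'LFD_CUSTOM_SSH'   },
    LF_POP3D => { default => 'pop3d',   custom_key => 'LFD_CUSTOM_POP3D' },
);

# Load one rule file with `do`; fail loudly on a syntax error, an unreadable
# file, or a file that does not hand back an arrayref.
sub load_rule_file {
    my ($path) = @_;
    my $rules = do $path;
    die "$path: $@" if $@;
    die "$path: $!" if !defined $rules && $!;
    die "$path: did not return an arrayref\n" unless ref $rules eq 'ARRAY';
    return @$rules;
}

# Every enabled LF_* switch pulls in its default file; the custom file is
# included only if it exists (the -e check from the proposal).
sub load_rules {
    my ($cfg, $rules_dir) = @_;
    my @rules;
    for my $switch (sort keys %service) {
        next unless $cfg->{$switch};    # global on/off for the whole service file
        my $svc = $service{$switch};
        push @rules, load_rule_file(
            File::Spec->catfile($rules_dir, "$svc->{default}.default.pm"));

        my $dir    = $cfg->{LFD_CUSTOM_RULES_DIR} // File::Spec->catdir($rules_dir, 'Custom');
        my $base   = $cfg->{ $svc->{custom_key} } // $svc->{default};
        my $custom = File::Spec->catfile($dir, "$base.custom.pm");
        next unless -e $custom;
        # Rule files are executed as Perl inside lfd, so refuse any file
        # that an unprivileged user could have edited.
        if ((stat $custom)[2] & 0002) { warn "skipping world-writable $custom\n"; next; }
        push @rules, load_rule_file($custom);
    }
    return @rules;
}

# --- demo fixture: a throwaway Rules/ tree in a temporary directory ---------
sub write_file {
    my ($path, $body) = @_;
    open my $fh, '>', $path or die "$path: $!";
    print {$fh} $body;
    close $fh;
    chmod 0644, $path;
}

my $root      = tempdir(CLEANUP => 1);
my $rules_dir = File::Spec->catdir($root, 'Rules');
make_path(File::Spec->catdir($rules_dir, 'Custom'));

write_file(File::Spec->catfile($rules_dir, 'openssh.default.pm'), <<'EOF');
[
  { name => 'ssh_failed_password',
    re   => qr/sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)/ },
];
EOF
write_file(File::Spec->catfile($rules_dir, 'pop3d.default.pm'), <<'EOF');
[
  { name => 'pop3d_login_failed',
    re   => qr/pop3d: LOGIN FAILED, user=\S+, ip=\[(\d+\.\d+\.\d+\.\d+)\]/ },
];
EOF
# Only openssh gets a custom file; pop3d exercises the "no custom file" path.
write_file(File::Spec->catfile($rules_dir, 'Custom', 'openssh.custom.pm'), <<'EOF');
[
  { name => 'ssh_invalid_user',
    re   => qr/sshd\[\d+\]: Invalid user \S+ from (\d+\.\d+\.\d+\.\d+)/ },
];
EOF

# Config values mirror the csf.conf section sketched in the proposal.
my %cfg = (
    LF_SSHD              => 1,
    LF_POP3D             => 1,
    LFD_CUSTOM_RULES_DIR => File::Spec->catdir($rules_dir, 'Custom'),
    LFD_CUSTOM_SSH       => 'openssh',
    LFD_CUSTOM_POP3D     => 'pop3d',
);
my @rules = load_rules(\%cfg, $rules_dir);
say scalar(@rules), " rules loaded";

# Constructed log lines using RFC 5737 documentation addresses.
my @log = (
    'Jan 10 10:00:01 host sshd[1234]: Failed password for root from 203.0.113.7 port 2222 ssh2',
    'Jan 10 10:00:02 host sshd[1235]: Invalid user admin from 198.51.100.9 port 4000',
    'Jan 10 10:00:03 host pop3d: LOGIN FAILED, user=bob, ip=[192.0.2.5]',
);
for my $line (@log) {
    for my $r (@rules) {
        say "$r->{name}: $1" if $line =~ $r->{re};
    }
}
```

The loader keeps the two include decisions separate: the LF_* switch decides whether a service's default file is loaded at all, while the custom file is a best-effort addition keyed off LFD_CUSTOM_RULES_DIR and the per-service LFD_CUSTOM_* name. Using `do` with explicit `$@`/`$!` checks means a syntax error in a custom file stops lfd loudly instead of silently dropping that service's rules, and the mode check guards against the custom directory becoming a quiet way to run code as root.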
