Add failed pop3 login

tmiland · tmiland · commit 7a75f78a53aa · 2022-03-24T10:25:25.000+01:00
Added failed pop3 login not detected in default RegexMain.pm.
diff --git a/regex.custom.pm b/regex.custom.pm
@@ -274,6 +274,15 @@ if (($config{LF_SMTPAUTH}) and ($globlogs{SMTPAUTH_LOG}{$lgfile}) and ($line =~
   if (&checkip($ip)) {return ("$3 ","$ip|$acc","Spoofing")} else {return}
 }
 
+#dovecot
+	if (($config{LF_POP3D}) and ($globlogs{POP3D_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ dovecot: pop3-login: Disconnected (\s*\(no auth attempts( in \d+ secs)?\))?: (user=(<\S*>)?, )rip=(\S+),/)) {
+    $ip = $6;
+		$acc = $4;
+		$ip =~ s/^::ffff://;
+		$acc =~ s/^<|>$//g;
+		if (checkip(\$ip)) {return ("Failed POP3 login from","$ip|$acc","pop3d")} else {return}
+	}
+
 # If the matches in this file are not syntactically correct for perl then lfd
 # will fail with an error. You are responsible for the security of any regex
 # expressions you use. Remember that log file spoofing can exploit poorly
