Here's an odd Perl question: can you reference $1 and its siblings within
the regex itself? Such as:
/^\[ ip=(\d+)\.(\d+)\.(\d+)\.(\d+) rdns=\S*(0*($1|$2|$3|$4)\S){2,4}\S* [^\]]* auth= /
You can do it, but it slows down the whole regex system as soon as you have
a capturing regex. Or so I'm told by the Perl regex docs. Use backslashes,
not dollar signs.
/^\[ ip=(\d+)\.(\d+)\.(\d+)\.(\d+) rdns=\S*(0*(\1|\2|\3|\4)\S){2,4}\S* [^\]]* auth= /
As a side note, while I'm not completely sure what you are trying to
accomplish, it seems to me that if you just set your trust paths correctly
and enable some of the net rules, 99% of this is already caught by
existing rules. You might want to tweak some scores or add some metas. But
rebuilding the entire logic to determine if the message came from a forged
host seems like a strange concept, when SA already does that.
Loren
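The two forms from Loren's reply side by side, as an added example that is not part of the thread: the `\1`..`\4` pattern tests the octets captured from the line being matched, while `$1`..`$4` are interpolated as text before the pattern is compiled, so they carry whatever an earlier, unrelated match left behind. The pseudo-headers, host names and the earlier match are all constructed for the illustration.

```perl
#!/usr/bin/perl
# Added example (not from the thread): backreferences \1..\4 versus
# interpolated $1..$4 inside a Perl regex, run against constructed
# "[ ip=... rdns=... auth= ]" pseudo-headers in the layout the thread uses.
use strict;
use warnings;

# Constructed samples: the first has its IP octets embedded in the rDNS
# name, the second does not (its digits 20 and 30 are unrelated to 10.0.0.1).
my @samples = (
    '[ ip=203.0.113.45 rdns=203-0-113-45.dyn.example.net helo=dyn.example.net auth= ]',
    '[ ip=10.0.0.1 rdns=mail-20-30.example.org helo=mail-20-30.example.org auth= ]',
);

# \1..\4 refer to the captures of the match currently in progress.
my $backref = qr/^\[ ip=(\d+)\.(\d+)\.(\d+)\.(\d+) rdns=\S*(0*(\1|\2|\3|\4)\S){2,4}\S* [^\]]* auth= /;

# Simulate an earlier, unrelated match having set $1..$4 (constructed).
'10.20.30.40' =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/ or die "setup match failed";

# $1..$4 are interpolated as plain text when this pattern is compiled, so it
# permanently contains (10|20|30|40) rather than the octets of the tested line.
my $dollar = qr/^\[ ip=(\d+)\.(\d+)\.(\d+)\.(\d+) rdns=\S*(0*($1|$2|$3|$4)\S){2,4}\S* [^\]]* auth= /;
print "interpolated pattern: $dollar\n";

# Expected: the first sample hits only with \1..\4, the second sample hits
# only with the stale $1..$4 values (a false positive).
for my $line (@samples) {
    my ($rdns) = $line =~ /rdns=(\S+)/;
    printf "%-32s backref:%-4s dollar:%s\n",
        $rdns,
        ($line =~ $backref ? 'hit' : 'miss'),
        ($line =~ $dollar  ? 'hit' : 'miss');
}
```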