help with perl syntax in csf.fignore
Hi all
I keep getting the "Suspicious process running under user" email from CSF.
I know that I can modify the pignore (ignore process) file in CSF, but for this particular issue, it is relevant only to a specific file - a log file that is taking too long to upload to external backup repository (Dropbox). The reason it's taking too long is a separate issue (that I am working to solve) and that will ultimately stop the emails.....
However, meanwhile, I would like some help on writing the correct Perl syntax, that I can add to the file ignore (csf.fignore) in CSF so that I no longer get the Suspicious process emails, where the log file is referenced.
The full path of the log file is as follows;
/home/userxyz/public_html/wp-content/infinitewp/backups/log.1234567abcdef.txt
The prefix and suffix changes due to user and log file name change - so I need some wildcards to ignore the first and last part of the string will be ignored e.g.
*/infinitewp/backups/log.*.txt
Here is what I have tried in the fignore file, but it is not working (I am still getting the emails)
*\/wp-content\/infinitewp\/backups\/log.*\.txt
I created this using the Regex Tester and Debugger Online - Javascript, PCRE, PHP reg ex debugger - where it seemed to be valid, but not working with CSF.
Thanks for any help!
-
I think the reason your regex is not working is because you are trying to block a data file and not a process. Try blocking the specific process that CSF reports (this will probably be a PHP file somewhere in your wp fileset) that is responsible for uploading the file to your Dropbox 0 -
Thanks for your help, however as mentioned, I don't want to block the process as that has wide reaching ramifications. For example, the process concerned is listed as either; exe: /opt/cpanel/ea-php56/root/usr/bin/php-cgi or exe: /opt/cpanel/ea-php71/root/usr/bin/php-cgi My understanding is the fignore would allow me to target a specific data file, rather than a wider process. 0 -
csf.fignore is a list of files that lfd directory watching will ignore. (eg directories and/or files being watched for changes) If your alert is due to a process Suspicious process running under user"
the presence of the filename in the fignore will not have any impact on the process alert If you have a specific PHP file that is eg being called by a cron, try adding that to the csf.pignore file (full path to file) or add the username the PHP is running under.0 -
Thanks for the great explanation and assistance @rpvw @WorkinOnIt please let us know if you need any further assistance with this. 0
Please sign in to leave a comment.
Comments
4 comments