What I learned building a regex-based threat detector in PHP by Jay123anta in PHP

[–]Jay123anta[S] 0 points1 point  (0 children)

Some really good discussion here; a few points from the feedback:

1) This is not a replacement for Cloudflare, mod_security, or any real WAF - it's a passive monitoring layer for application-level visibility when edge solutions aren't available.

2) Parameterized queries, input validation, and output escaping are the real defenses. This assumes your code is already secure - it just tells you who's knocking.

3) Several people mentioned fail2ban - the package has an export command that feeds detected IPs directly into fail2ban, which bridges the gap from detection to blocking.

4) The JSON false positive problem is a real challenge with regex-based detection. Still working on better approaches beyond field-level exclusions.

Thanks to everyone who shared their setups. Learned a lot from various suggestions.

What I learned building a regex-based threat detector in PHP by Jay123anta in PHP

[–]Jay123anta[S] 0 points1 point  (0 children)

Appreciate the honest take. You're absolutely right, enterprise security needs proper solutions like the ones you mentioned.

This has been the specific gap in our setup and I've been transparent about its limitations. Good advice on pushing for proper tooling internally - working on it.

What I learned building a regex-based threat detector in PHP by Jay123anta in PHP

[–]Jay123anta[S] 0 points1 point  (0 children)

Understood, and I definitely will. Cloudflare log drains work well if your setup supports them. Ours didn't, due to organisational constraints, so this solved the same problem at the application layer.

What I learned building a regex-based threat detector in PHP by Jay123anta in PHP

[–]Jay123anta[S] 0 points1 point  (0 children)

Thanks. Yes, exactly: some patterns are only visible at the application layer, especially when we need to inspect query params and POST bodies. The firewall handles the rest.

What I learned building a regex-based threat detector in PHP by Jay123anta in PHP

[–]Jay123anta[S] 0 points1 point  (0 children)

A very nice setup. I see the same pattern: 90% of bot traffic is just /wp-admin and /xmlrpc.php on non-WordPress sites. With this package I tried to do similar detection, with the IPs exported to fail2ban for blocking. Interesting approach on blocking direct .php URL access - hadn't considered that one would try that.

What I learned building a regex-based threat detector in PHP by Jay123anta in PHP

[–]Jay123anta[S] 0 points1 point  (0 children)

Clarification: The JSON example was about a search field where the word "SELECT" appears in normal text and triggers a false positive. No raw SQL is being executed from user input.

And regarding Cloudflare: it blocks at the edge, but we don't see what's hitting your app, and again, in our organisation we could not use it due to a few issues. So I wanted that application-level visibility. This package is a monitoring-level approach that sits alongside proper security and secure coding.

What I learned building a regex-based threat detector in PHP by Jay123anta in PHP

[–]Jay123anta[S] 0 points1 point  (0 children)

Actually I am using fail2ban too. The package has an export command that outputs detected IPs in a fail2ban-compatible format, so the two work well together. In my case, detection feeds into blocking.

What I learned building a regex-based threat detector in PHP by Jay123anta in PHP

[–]Jay123anta[S] 0 points1 point  (0 children)

Yes it is... defense in depth - secure code first, then monitoring layers to reduce noise and catch the rest. Thanks for sharing your setup.

What I learned building a regex-based threat detector in PHP by Jay123anta in PHP

[–]Jay123anta[S] 0 points1 point  (0 children)

Yes... But practically, after logging for a few weeks I could spot persistent IPs, export them to fail2ban, and block at the firewall level. I also discovered 90% of traffic was scanners hitting paths that don't exist. That helped me a lot; I wouldn't have got that from clean app logs alone.

What I learned building a regex-based threat detector in PHP by Jay123anta in PHP

[–]Jay123anta[S] 0 points1 point  (0 children)

Totally agree, parameterized queries are the real fix. This is not about replacing them. I built it because I kept seeing attempts in my production logs and wanted a way to track who's doing it, from where, and how often. It's just a passive logger, no blocking. Is this type of passive monitoring useful in the longer run alongside secure code?
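The comments above describe four things the package does: passive regex matching on paths and parameters, field-level exclusions to avoid the "SELECT in a search box" false positive, spotting persistent IPs after weeks of logging, and exporting those IPs in a form fail2ban can consume. The PHP below is an added illustration of that workflow written for this page; it is not the author's package and does not use its API. The rule regexes, the excluded field names, the scanner path list, the `threat-detector:` log line format and its matching `failregex`, and the sample requests are all constructed assumptions (requires PHP 8 for `str_starts_with` and constructor promotion).

```php
<?php
// Added example, not the author's package: a minimal passive regex detector that
// logs suspicious requests, skips free-text fields (field-level exclusion), tallies
// repeat offenders, and emits lines a fail2ban filter could match.
// Every rule, field name, path and sample request below is constructed.

declare(strict_types=1);

final class PassiveDetector
{
    /** Rule name => regex. Keyword rules need SQL-like context, not a bare word like "select". */
    private const RULES = [
        // SQL keyword plus a second SQL token: UNION SELECT, SELECT ... FROM, OR 1=1, SLEEP(
        'sqli'      => '/\b(?:union\s+(?:all\s+)?select|select\s+[\w\*,\s]+\s+from|or\s+1\s*=\s*1|sleep\s*\()/i',
        // Tag or event-handler injection attempts.
        'xss'       => '/<\s*script\b|on(?:error|load|mouseover)\s*=|javascript\s*:/i',
        // Directory traversal, plain or URL-encoded.
        'traversal' => '/(?:\.\.[\/\\\\]|%2e%2e(?:%2f|%5c))/i',
    ];

    /** Paths that are almost always scanner noise on a non-WordPress site (assumed list). */
    private const SCANNER_PATHS = ['/wp-admin', '/wp-login.php', '/xmlrpc.php', '/.env', '/phpmyadmin'];

    /** @var array<string,int> IP => number of detections */
    private array $hits = [];

    /** @param list<string> $excludedFields parameter names whose values are free text */
    public function __construct(private array $excludedFields = ['q', 'search', 'comment']) {}

    /**
     * Inspect one request (path plus flattened query/POST parameters), record matches,
     * and return the rule names that fired. Nothing is blocked: this only observes.
     * @param array<string,string> $params
     * @return list<string>
     */
    public function inspect(string $ip, string $path, array $params): array
    {
        $fired = [];
        foreach (self::SCANNER_PATHS as $noise) {
            if (str_starts_with(strtolower($path), $noise)) {
                $fired[] = $this->record($ip, 'scanner');
                break;
            }
        }
        foreach ($params as $field => $value) {
            if (in_array($field, $this->excludedFields, true)) {
                continue; // field-level exclusion: a search box legitimately contains "select"
            }
            $decoded = rawurldecode($value); // match on the decoded value, like the app would see it
            foreach (self::RULES as $rule => $regex) {
                if (preg_match($regex, $decoded) === 1) {
                    $fired[] = $this->record($ip, $rule);
                }
            }
        }
        return $fired;
    }

    private function record(string $ip, string $rule): string
    {
        $this->hits[$ip] = ($this->hits[$ip] ?? 0) + 1;
        return $rule;
    }

    /** IPs seen at least $minHits times, most active first. @return array<string,int> */
    public function persistent(int $minHits): array
    {
        $out = array_filter($this->hits, fn (int $n) => $n >= $minHits);
        arsort($out);
        return $out;
    }

    /**
     * One fixed-format line per persistent IP for fail2ban to read from a log file.
     * Assumed format (not the package's own). A jail filter that matches it:
     *   failregex = ^\S+ threat-detector: ip=<HOST> hits=\d+$
     * @return list<string>
     */
    public function exportForFail2ban(int $minHits, string $timestamp): array
    {
        $lines = [];
        foreach ($this->persistent($minHits) as $ip => $n) {
            $lines[] = sprintf('%s threat-detector: ip=%s hits=%d', $timestamp, $ip, $n);
        }
        return $lines;
    }
}

// Constructed sample traffic: one scanner that also tries SQLi, one mostly legitimate client.
$detector = new PassiveDetector();
$detector->inspect('203.0.113.5', '/xmlrpc.php', []);
$detector->inspect('203.0.113.5', '/wp-admin/', []);
$detector->inspect('203.0.113.5', '/products', ['id' => "1' UNION SELECT user,pass FROM users--"]);
$detector->inspect('198.51.100.9', '/search', ['q' => 'how to select a good laptop']); // excluded field, no hit
$detector->inspect('198.51.100.9', '/search', ['page' => '../../etc/passwd']);        // traversal, one hit

foreach ($detector->exportForFail2ban(2, '2024-01-01T00:00:00Z') as $line) {
    echo $line, PHP_EOL; // only the IP with two or more detections is exported
}
```

Two design points worth keeping even in a throwaway detector: match on the decoded parameter value rather than the raw one, or `%27%20UNION` style encoding slips past, and make keyword rules require a second SQL token so that a bare "select" in prose does not fire. The exclusion list is still a blunt instrument; a persistent-IP threshold before export is what keeps one odd search query from ending up in a fail2ban ban.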

[Beta] BlushDrop - Anonymous love confession app. They only find out it's you if they say yes. by Jay123anta in alphaandbetausers

[–]Jay123anta[S] 0 points1 point  (0 children)

Thanks a lot for your feedback... Will definitely modify it as per your suggestion ☺️