I am trying to build an active response to add an IP number to a firewall table. Unfortunately the event trigger is in one log line while the IP number is in another. The two lines are related by the message number.

Trigger
-------
Nov 30 22:00:01 mxgf2 sm-mta-in[12057]: lB12xQNN012057: Milter: from=<[EMAIL PROTECTED]>, reject=550 5.7.1 Unwanted contents of the HELO command

Address Source
--------------
Nov 30 22:00:01 mxgf2 sm-mta-in[12057]: lB12xQNN012057: from=<[EMAIL PROTECTED]>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=IPv4, relay=client-201.240.14.11.speedy.net.pe [201.240.14.11] (may be forged)

I believe I will have to use some kind of rule correlation, but I haven't read anything that suggests that I can match in one rule based on the content of another rule, so it's all kind of hazy. Can I get a hint? Thank you.
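
The correlation the post asks about, shown as a stand-alone Python sketch added here (not code from the post, and not the rule syntax of any particular log analyser): both sendmail lines are keyed by the queue id that follows the process id, and the relay IP is released to the firewall step only once the reject line for the same queue id has been seen, regardless of which line arrives first. The log lines are constructed to match the shape of the two in the post.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the two sendmail entries in the post,
# plus one unrelated accepted message that must not be matched.
SAMPLE_LOG = [
    "Nov 30 22:00:01 mxgf2 sm-mta-in[12057]: lB12xQNN012057: Milter: from=<x@example.com>, "
    "reject=550 5.7.1 Unwanted contents of the HELO command",
    "Nov 30 22:00:01 mxgf2 sm-mta-in[12057]: lB12xQNN012057: from=<x@example.com>, size=0, "
    "class=0, nrcpts=0, proto=ESMTP, daemon=IPv4, "
    "relay=client-201.240.14.11.speedy.net.pe [201.240.14.11] (may be forged)",
    "Nov 30 22:00:05 mxgf2 sm-mta-in[12060]: lB12xRab012060: from=<ok@example.org>, size=1200, "
    "class=0, nrcpts=1, proto=ESMTP, daemon=IPv4, relay=mail.example.org [198.51.100.7]",
]

# The queue id is the token right after "sm-mta-in[pid]:", e.g. "lB12xQNN012057".
QUEUE_RE = re.compile(r"sm-mta-in\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
# The trigger half: a Milter 550 rejection for that queue id.
TRIGGER_RE = re.compile(r"Milter: .*reject=550")
# The address half: the bracketed IPv4 address in relay=host [ip]; the host may be absent.
RELAY_RE = re.compile(r"relay=(?:\S+ )?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]")


def correlate(lines):
    """Return [(queue_id, ip)] for every queue id that has both a 550 reject
    line and a relay line, in the order the pairs complete."""
    state = defaultdict(dict)  # qid -> {"rejected": True, "ip": "...", "done": True}
    hits = []
    for line in lines:
        m = QUEUE_RE.search(line)
        if not m:
            continue  # not a sendmail line with a queue id
        qid, rest = m.group("qid"), m.group("rest")
        if TRIGGER_RE.search(rest):
            state[qid]["rejected"] = True
        r = RELAY_RE.search(rest)
        if r:
            state[qid]["ip"] = r.group("ip")
        entry = state[qid]
        # Emit once per queue id, only when both halves have been seen.
        if entry.get("rejected") and "ip" in entry and not entry.get("done"):
            entry["done"] = True
            hits.append((qid, entry["ip"]))
    return hits


if __name__ == "__main__":
    for qid, ip in correlate(SAMPLE_LOG):
        print(f"{qid}: block {ip}")  # hand ip to the firewall-table step
```

In a real deployment the `state` dict should expire old queue ids, since sendmail reuses them after a while and a stale relay entry could otherwise be paired with a later reject.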
