I am curious about the consistency of pattern matching in the stock decoder/rules for sendmail included in v1.4. When I look at rule 3104 the alerts sometimes provide an IP address and at other times do not (Decoder: sendmail-reject; rule family tree: 3100:3101:3104, no overwriting). Here are two very similar records. The first does not provide the srcip in the alert, the second does.
Dec 1 14:08:19 mxgf2 sm-mta-in[46709]: lB1J7kZh046709: Milter: from=<[EMAIL PROTECTED]>, reject=550 5.7.1 Blocked, look at http://cbl.abuseat.org/lookup.cgi?ip=208.10.57.71
Dec 1 14:25:28 mxgf2 sm-mta-in[47563]: lB1JOr2U047563: Milter: from=<[EMAIL PROTECTED]>, reject=550 5.7.1 Blocked, look at http://cbl.abuseat.org/lookup.cgi?ip=58.136.60.79

Other than the length of the email addresses these look equivalent to me. Here are the corresponding entries in the alerts.log:

--
logs/alerts/alerts.log-Src IP: (none)
logs/alerts/alerts.log-User: (none)
logs/alerts/alerts.log:Dec 1 14:08:19 mxgf2 sm-mta-in[46709]: lB1J7kZh046709: Milter: from=<[EMAIL PROTECTED]>, reject=550 5.7.1 Blocked, look at http://cbl.abuseat.org/lookup.cgi?ip=208.10.57.71
--
logs/alerts/alerts.log-Src IP: 58.136.60.79
logs/alerts/alerts.log-User: (none)
logs/alerts/alerts.log:Dec 1 14:25:28 mxgf2 sm-mta-in[47563]: lB1JOr2U047563: Milter: from=<[EMAIL PROTECTED]>, reject=550 5.7.1 Blocked, look at http://cbl.abuseat.org/lookup.cgi?ip=58.136.60.79
--

All 3 alerts included the srcip (58.136.60.79); there was only one 208.10.57.71 that missed the srcip. However, every IP I checked (about two dozen) that had multiple records was consistent in tagging the srcip or not tagging the srcip. Can you tell what's happening?
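The check the poster describes (does OSSEC tag srcip consistently for every IP that appears in more than one record?) can be automated over a grep excerpt of alerts.log. The script below is an added example, not code from the post or from OSSEC; its regular expressions are a simplified, assumed pattern for the Milter reject lines shown above and are not the stock sendmail-reject decoder. The sample excerpt is constructed: the two records from the post (with the grep filename prefixes removed) plus two made-up records for 192.0.2.10 that disagree with each other, so the report has something to flag.

```python
import re

# Constructed sample, not the poster's full alerts.log: two records copied from
# the post plus two made-up records for 192.0.2.10 (documentation range) whose
# srcip tagging disagrees, so the consistency report has a "mixed" case.
ALERTS_EXCERPT = """\
Src IP: (none)
User: (none)
Dec 1 14:08:19 mxgf2 sm-mta-in[46709]: lB1J7kZh046709: Milter: from=<[EMAIL PROTECTED]>, reject=550 5.7.1 Blocked, look at http://cbl.abuseat.org/lookup.cgi?ip=208.10.57.71
--
Src IP: 58.136.60.79
User: (none)
Dec 1 14:25:28 mxgf2 sm-mta-in[47563]: lB1JOr2U047563: Milter: from=<[EMAIL PROTECTED]>, reject=550 5.7.1 Blocked, look at http://cbl.abuseat.org/lookup.cgi?ip=58.136.60.79
--
Src IP: 192.0.2.10
User: (none)
Dec 1 14:30:01 mxgf2 sm-mta-in[47900]: lB1JU1xx047900: Milter: from=<a@example.net>, reject=550 5.7.1 Blocked, look at http://cbl.abuseat.org/lookup.cgi?ip=192.0.2.10
--
Src IP: (none)
User: (none)
Dec 1 14:31:44 mxgf2 sm-mta-in[47955]: lB1JViyy047955: Milter: from=<b@example.net>, reject=550 5.7.1 Blocked, look at http://cbl.abuseat.org/lookup.cgi?ip=192.0.2.10
"""

# Assumed, simplified pattern for the reject lines in the post; NOT OSSEC's decoder.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sm-mta-in\[(?P<pid>\d+)\]: "
    r"(?P<qid>\w+): Milter: from=<(?P<sender>[^>]*)>, "
    r"reject=(?P<code>\d{3}) (?P<dsn>\d\.\d\.\d) (?P<reason>.*)$"
)
IP_RE = re.compile(r"\bip=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
SRC_RE = re.compile(r"^Src IP: (?P<src>\S+)$")


def decode_milter_reject(line):
    """Return the fields of a sendmail Milter reject line, or None if it is not one.
    'srcip' is the address found in the CBL lookup URL (None if absent)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    ip = IP_RE.search(fields["reason"])
    fields["srcip"] = ip.group("ip") if ip else None
    return fields


def parse_alert_excerpt(text):
    """Walk grep-style alerts.log output and pair each 'Src IP:' value with the
    decoded log line that follows it. '(none)' becomes None."""
    records, tagged = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SRC_RE.match(line)
        if m:
            tagged = None if m.group("src") == "(none)" else m.group("src")
            continue
        fields = decode_milter_reject(line)
        if fields:
            records.append((tagged, fields))
            tagged = None
    return records


def tagging_report(records):
    """Group records by the IP inside the log line and say whether the alert
    carried that IP as srcip consistently: 'always', 'never' or 'mixed'."""
    seen = {}
    for tagged, fields in records:
        ip = fields["srcip"]
        seen.setdefault(ip, set()).add(tagged == ip)
    verdict = {}
    for ip, outcomes in seen.items():
        if outcomes == {True}:
            verdict[ip] = "always"
        elif outcomes == {False}:
            verdict[ip] = "never"
        else:
            verdict[ip] = "mixed"
    return verdict


if __name__ == "__main__":
    report = tagging_report(parse_alert_excerpt(ALERTS_EXCERPT))
    for ip, verdict in sorted(report.items()):
        print(f"{ip:16} srcip tagged: {verdict}")
```

Feeding a real `grep -B2 'Milter: from=' alerts.log` excerpt (with the filename prefixes stripped) into `parse_alert_excerpt` gives the per-IP verdict directly; an IP reported as "mixed" is the case the poster did not find, and the "never" set is the list of records to compare against the decoder's regex.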
