Hello SEC users,
How can I get a list of all contexts that have been created? Here are two
simple rules to explain my problem:
--------------------
# create the context SRC_<IP address> if it does not exist yet (lifetime 0 = infinite)
type=Single
continue=takenext
ptype=RegExp
desc=bad ssh from $2
context=!SRC_$2
pattern=sshd\[\d+\]: Invalid user (\S+) from (\S+)
action=create SRC_$2 0

# add the ssh failure (the source IP) to the event store of the context SRC_<IP address>
type=Single
continue=takenext
ptype=RegExp
desc=bad ssh from $2
context=SRC_$2
pattern=sshd\[\d+\]: Invalid user (\S+) from (\S+)
action=add SRC_$2 $2
--------------------
OK ... Let's feed SEC with some messages:
sshd[28476]: Invalid user aaa from 192.168.2.1
sshd[28476]: Invalid user bbb from 192.168.2.1
sshd[28476]: Invalid user ccc from 192.168.2.1
sshd[28476]: Invalid user ddd from 192.168.2.1
sshd[28476]: Invalid user xxx from 10.0.0.1
sshd[28476]: Invalid user yyy from 10.0.0.1
sshd[28476]: Invalid user zzz from 10.0.0.1
Great ... we have two new contexts:
SRC_192.168.2.1 and SRC_10.0.0.1
Now I want to write an SSH report:
type=Calendar
time=0 6 * * *
desc=SSH Report
action=report <all SRC_ contexts> /usr/bin/uniq -c
to get this result:
----
4 192.168.2.1
3 10.0.0.1
----
So what I need is something like "SRC_*" ... but
I have no idea how to do this :(
Thanks in advance.
Ralf
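One way to get the same per-address counts without wildcard context matching, as an added example that is not part of Ralf's post: store every failed login's source IP in a single shared context and let sort/uniq do the grouping in the daily report. Assumed here: the 'add' action creates a missing context with infinite lifetime, the report command runs through the shell so the pipe works, and /var/tmp/ssh-report.txt is a placeholder output path.

```sec
# Added example: count failed SSH logins per source IP with one shared context
# instead of one context per address, so the Calendar rule needs no "SRC_*".
# Each failure appends the source IP ($2) to the event store of SSH_FAILS;
# 'add' is assumed to create the context (infinite lifetime) if it is missing.
type=Single
ptype=RegExp
pattern=sshd\[\d+\]: Invalid user (\S+) from (\S+)
desc=bad ssh from $2
action=add SSH_FAILS $2

# Daily at 06:00: feed the stored IPs to the shell, sort them so uniq -c can
# count identical addresses, write the counts to the report file (assumed
# path), then delete the context so the next report covers one day only.
type=Calendar
time=0 6 * * *
desc=SSH Report
action=report SSH_FAILS /usr/bin/sort | /usr/bin/uniq -c > /var/tmp/ssh-report.txt; delete SSH_FAILS
```

With the seven sample messages above the report file would contain "3 10.0.0.1" and "4 192.168.2.1" (sorted lexically by address, as uniq -c prints them).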
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users