As an exercise to learn SEC, I'm trying to create a ruleset that will report on clients sending more than X emails through our SMTP server in Y amount of seconds.

Basically I'm looking for the same "from" address, same mail server and same client address (source IP) and if it occurs more than a certain number of times in 30 seconds or so, I want to know about it. Easy enough to set this up, but I also want to see all the corresponding log entries in the alert email. Based on this[1] thread, I've come up with:

    # Create our context on the original event trigger.
    type=SingleWithThreshold
    ptype=RegExp
    pattern=(esri3|vail)\ssendmail[^:]+.*from=([^,]+),\s.*relay=(\S+\s\[.*?\]).*$
    desc=Potential spam from $2 using $1 from relay $3
    window=30
    thresh=5
    action=create SPAM_$1_$2_$3 30 \
           (report SPAM_$1_$2_$3 /bin/mail -s "Test" rvandol...@esri.com); \
           add SPAM_$1_$2_$3 Spam attempt:; add SPAM_$1_$2_$3 $0

    # Add subsequent events to the context.
    type=Single
    ptype=RegExp
    pattern=(esri3|vail)\ssendmail[^:]+.*from=([^,]+),\s.*relay=(\S+\s\[.*?\]).*$
    desc=Potential spam from $2 using $1 from relay $3
    context=SPAM_$1_$2_$3
    action=add SPAM_$1_$2_$3 "Additional event: $0"; set SPAM_$1_$2_$3 30

However, the email I receive includes only one event (which appears to be the first event seen), not the minimum of five I'd expect. Am I doing this wrong?

Thanks,
Ray

[1] http://sourceforge.net/mailarchive/message.php?msg_id=c24352ca0910061634o4ce94b1ek2c405f42b4309dcc%40mail.gmail.com

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
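The detection the post is after (N sendmail "from=" events for the same host, sender and relay inside a sliding window, with every matching line carried into the report) can be written out in a few lines of Python to see what state such a rule needs. This is an added example, not part of Ray's post and not SEC code: it reuses the post's regex unchanged, reads the syslog timestamp from the front of the line instead of using wall-clock time, and runs over constructed sendmail-style log lines. The key point it makes is that the lines seen before the threshold is crossed have to be buffered somewhere; a report that only starts collecting once the count is reached can never contain them.

```python
import re
from collections import defaultdict, deque

# Pattern taken verbatim from the post: group 1 = host, 2 = sender, 3 = relay.
EVENT_RE = re.compile(
    r"(esri3|vail)\ssendmail[^:]+.*from=([^,]+),\s.*relay=(\S+\s\[.*?\]).*$"
)
# Syslog-style prefix "Mon DD HH:MM:SS"; only the time of day is used here.
TS_RE = re.compile(r"^\w{3}\s+\d{1,2}\s+(\d{2}):(\d{2}):(\d{2})\s")

WINDOW = 30  # seconds, as in the post
THRESH = 5   # events, as in the post

# Constructed sample log: five messages from one sender via one relay within
# 24 seconds, one unrelated message, then a sixth message long after the window.
SAMPLE_LOG = """\
Oct  7 10:15:01 esri3 sendmail[4011]: n97AF1A0004011: from=<alice@example.com>, size=2048, class=0, nrcpts=1, relay=host1.example.net [192.0.2.10]
Oct  7 10:15:04 esri3 sendmail[4012]: n97AF4A0004012: from=<alice@example.com>, size=2048, class=0, nrcpts=1, relay=host1.example.net [192.0.2.10]
Oct  7 10:15:09 vail sendmail[2201]: n97AF9A0002201: from=<bob@example.org>, size=512, class=0, nrcpts=1, relay=host2.example.net [198.51.100.7]
Oct  7 10:15:11 esri3 sendmail[4013]: n97AFBA0004013: from=<alice@example.com>, size=2048, class=0, nrcpts=1, relay=host1.example.net [192.0.2.10]
Oct  7 10:15:18 esri3 sendmail[4014]: n97AFIA0004014: from=<alice@example.com>, size=2048, class=0, nrcpts=1, relay=host1.example.net [192.0.2.10]
Oct  7 10:15:25 esri3 sendmail[4015]: n97AFPA0004015: from=<alice@example.com>, size=2048, class=0, nrcpts=1, relay=host1.example.net [192.0.2.10]
Oct  7 10:16:40 esri3 sendmail[4016]: n97AGeA0004016: from=<alice@example.com>, size=2048, class=0, nrcpts=1, relay=host1.example.net [192.0.2.10]
"""


def parse_event(line):
    """Return (seconds_of_day, (host, sender, relay)), or None if no match."""
    ts = TS_RE.match(line)
    ev = EVENT_RE.search(line)
    if not ts or not ev:
        return None
    h, m, s = (int(x) for x in ts.groups())
    return h * 3600 + m * 60 + s, ev.groups()


class ThresholdCorrelator:
    """Per-key sliding-window counter that keeps every matching raw line."""

    def __init__(self, window=WINDOW, thresh=THRESH):
        self.window = window
        self.thresh = thresh
        self.pending = defaultdict(deque)  # key -> deque of (ts, raw line)

    def feed(self, line):
        """Feed one log line; return a report dict when the threshold is hit."""
        parsed = parse_event(line)
        if parsed is None:
            return None
        ts, key = parsed
        q = self.pending[key]
        q.append((ts, line))
        # Evict lines that fell out of the window relative to this event.
        while q and ts - q[0][0] > self.window:
            q.popleft()
        if len(q) < self.thresh:
            return None
        report = {
            "host": key[0], "sender": key[1], "relay": key[2],
            "count": len(q),
            "lines": [raw for _, raw in q],
        }
        q.clear()  # start a fresh count; simplified compared to SEC's window handling
        return report


def run(log_text, window=WINDOW, thresh=THRESH):
    """Run the correlator over a whole log and collect the reports."""
    corr = ThresholdCorrelator(window, thresh)
    return [r for r in (corr.feed(l) for l in log_text.splitlines()) if r]


def format_report(report):
    """Body of the alert mail: header line followed by every buffered event."""
    return "\n".join(["Spam attempt:"] + report["lines"])


if __name__ == "__main__":
    for rep in run(SAMPLE_LOG):
        print("%(count)d events from %(sender)s via %(relay)s on %(host)s" % rep)
        print(format_report(rep))
```

On the sample input this yields exactly one report, for alice's five messages, with all five raw lines in the mail body; the lone message at 10:16:40 starts a new count and stays below the threshold. The buffer is what a SEC ruleset has to provide through a context that exists before the threshold fires, otherwise only the line that crossed the threshold is available to the report action.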
Basically I'm looking for the same "from" address, same mail server and same client address (source IP) and if it occurs more than a certain number of times in 30 seconds or so, I want to know about it. Easy enough to set this up, but I also want to see all the corresponding log entries in the alert email. Based on this[1] thread, I've come up with: # Create our context on the original event trigger. type=SingleWithThreshold ptype=RegExp pattern=(esri3|vail)\ssendmail[^:]+.*from=([^,]+),\s.*relay=(\S+\s\[.*?\]).*$ desc=Potential spam from $2 using $1 from relay $3 window=30 thresh=5 action=create SPAM_$1_$2_$3 30 \ (report SPAM_$1_$2_$3 /bin/mail -s "Test" rvandol...@esri.com); \ add SPAM_$1_$2_$3 Spam attempt:; add SPAM_$1_$2_$3 $0 # Add subsequent events to the context. type=Single ptype=RegExp pattern=(esri3|vail)\ssendmail[^:]+.*from=([^,]+),\s.*relay=(\S+\s\[.*?\]).*$ desc=Potential spam from $2 using $1 from relay $3 context=SPAM_$1_$2_$3 action=add SPAM_$1_$2_$3 "Additional event: $0"; set SPAM_$1_$2_$3 30 However, the email I receive includes only one event (which appears to be the first event seen), not the minimum of five I'd expect. Am I doing this wrong? Thanks, Ray [1] http://sourceforge.net/mailarchive/message.php?msg_id=c24352ca0910061634o4ce94b1ek2c405f42b4309dcc%40mail.gmail.com ------------------------------------------------------------------------------ Increase Visibility of Your 3D Game App & Earn a Chance To Win $500! Tap into the largest installed PC base & get more eyes on your game by optimizing for Intel(R) Graphics Technology. Get started today with the Intel(R) Software Partner Program. Five $500 cash prizes are up for grabs. http://p.sf.net/sfu/intelisp-dev2dev _______________________________________________ Simple-evcorr-users mailing list Simple-evcorr-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users