On Wed, Dec 01, 2010 at 11:31:19AM -0800, Ray Van Dolson wrote:
> As an exercise to learn SEC, I'm trying to create a ruleset that will
> report on clients sending more than X emails through our SMTP server in
> Y amount of seconds.
>
> Basically I'm looking for the same "from" address, same mail server and
> same client address (source IP) and if it occurs more than a certain
> number of times in 30 seconds or so, I want to know about it.
>
> Easy enough to set this up, but I also want to see all the
> corresponding log entries in the alert email.
>
> Based on this[1] thread, I've come up with:
>
> # Create our context on the original event trigger.
> type=SingleWithThreshold
> ptype=RegExp
>
> pattern=(esri3|vail)\ssendmail[^:]+.*from=([^,]+),\s.*relay=(\S+\s\[.*?\]).*$
> desc=Potential spam from $2 using $1 from relay $3
> window=30
> thresh=5
> action=create SPAM_$1_$2_$3 30 \
>        (report SPAM_$1_$2_$3 /bin/mail -s "Test" rvandol...@esri.com); \
>        add SPAM_$1_$2_$3 Spam attempt:; add SPAM_$1_$2_$3 $0
>
> # Add subsequent events to the context.
> type=Single
> ptype=RegExp
>
> pattern=(esri3|vail)\ssendmail[^:]+.*from=([^,]+),\s.*relay=(\S+\s\[.*?\]).*$
> desc=Potential spam from $2 using $1 from relay $3
> context=SPAM_$1_$2_$3
> action=add SPAM_$1_$2_$3 "Additional event: $0"; set SPAM_$1_$2_$3 30
>
> However, the email I receive includes only one event (which appears to
> be the first event seen), not the minimum of five I'd expect.

Reading through the thread I referenced, I realized I probably didn't need the
second rule-set and it may have been inadvertently causing the problem by
removing the "report" action (I'm not sure what version of SEC the behavior was
adjusted in so this would no longer happen). As such -- I removed the second
rule, but it still seems I'm only getting the first event in my email reports
instead of all events within the threshold. Also, I should note that I am using
SEC 2.5.2 on RHEL5.

> Am I doing this wrong?
>
> Thanks,
> Ray
>
> [1]
> http://sourceforge.net/mailarchive/message.php?msg_id=c24352ca0910061634o4ce94b1ek2c405f42b4309dcc%40mail.gmail.com

Thanks,
Ray
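An added simulation of the correlation described above, not SEC itself and not code from the thread: it applies the same regex, 30-second window and threshold of five to constructed sendmail lines and shows a report that carries every contributing event rather than only the first. The syslog year, the sample log lines and the "count afresh after a report fires" behaviour are assumptions of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Regex copied from the rule in the thread; groups are host ($1), from ($2), relay ($3).
PATTERN = re.compile(r"(esri3|vail)\ssendmail[^:]+.*from=([^,]+),\s.*relay=(\S+\s\[.*?\]).*$")
WINDOW = 30  # seconds, matching window=30
THRESH = 5   # events, matching thresh=5

def parse_ts(line, year=2010):
    """Syslog timestamps carry no year; 2010 is assumed for the constructed sample."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def sendmail_line(hhmmss, qid, frm, relay, host="esri3"):
    """Build one constructed sendmail 'from=' log line in the shape the regex expects."""
    return (f"Dec  1 {hhmmss} {host} sendmail[4021]: {qid}: from=<{frm}>, size=1200, "
            f"class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay={relay}")

def correlate(lines, window=WINDOW, thresh=THRESH):
    """Sliding-window counter keyed like SPAM_$1_$2_$3. Every event still inside the
    window is kept, so a report can list all of them instead of just the first."""
    events = defaultdict(deque)
    reports = []
    for line in lines:
        m = PATTERN.search(line)
        if not m:
            continue
        key, ts = m.groups(), parse_ts(line)
        q = events[key]
        q.append((ts, line))
        while (ts - q[0][0]).total_seconds() > window:  # expire events older than the window
            q.popleft()
        if len(q) >= thresh:
            reports.append({"key": key, "events": [l for _, l in q]})
            q.clear()  # assumption: start counting afresh after a report, as a new window would

    return reports

def sample_log():
    """Constructed input: six messages from one sender via one relay within 20 s,
    one unrelated message in between, and a slow sender spread over 50 s (no alert)."""
    bulk = [sendmail_line(f"11:25:{s:02d}", f"oB1JP{i}", "bulk@example.com",
                          "pc1.example.com [192.0.2.10]") for i, s in enumerate((1, 4, 9, 12, 18, 21))]
    other = [sendmail_line("11:25:15", "oB1JP9", "alice@example.com", "pc2.example.com [192.0.2.11]")]
    slow = [sendmail_line(f"11:26:{s:02d}", f"oB1JQ{i}", "slow@example.com",
                          "pc3.example.com [192.0.2.12]") for i, s in enumerate((0, 10, 20, 30, 50))]
    return sorted(bulk + other + slow)

if __name__ == "__main__":
    for r in correlate(sample_log()):
        print("Potential spam from %s using %s from relay %s" % (r["key"][1], r["key"][0], r["key"][2]))
        print("\n".join(r["events"]))
```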