Hi Ray,

Since %geoip is an action list variable, it can only be used in other action lists (which are executed after a successful pattern match). However, matching users not coming from particular countries should be done with a pattern (or a pattern with a context expression, as done below). I would split the rule you have into two rules:

type=Single
ptype=RegExp
pattern=(SEC_STARTUP|SEC_RESTART)
context=SEC_INTERNAL_EVENT
desc=Load GeoIP module
action=eval %geoip ( require Geo::IP; )

type=Single
ptype=RegExp
pattern=FTP login from ([\d.]+)
context=$1 -> ( sub { my %valid_countries = ("IN"); \
  my $gi = Geo::IP->new(GEOIP_STANDARD); \
  my $country = $gi->country_code_by_addr($_[0]); \
  return 0 if exists $valid_countries{$country}; return 1; } )
desc=FTP login from unexpected country
action=write - %s

You can also combine the 'pattern' and 'context' fields of the second rule into a single 'pattern' field with a PerlFunc pattern.

Note that I haven't tested these rules since I haven't set up the GeoIP module on my laptop, but the rules should nevertheless convey the basic idea of how to tackle the problem.

kind regards,
risto

2011/5/4 Ray Van Dolson <rvandol...@esri.com>:
> I'm watching FTP logs and want to trigger an email alert when a user
> logs into a particular account from a country not in a pre-defined
> list. I'm hoping to use the GeoIP perl module for this.
>
> type=Single
> ptype=RegExp
> pattern=(SEC_STARTUP|SEC_RESTART)
> context=SEC_INTERNAL_EVENT
> desc=Compile GeoIP Routines
> action=eval %geoip ( sub { require Geo::IP; \
>   my %valid_countries = ("IN"); \
>   my $gi = Geo::IP->new(GEOIP_STANDARD); \
>   my $country = $gi->country_code_by_addr($_[0]); \
>   return 1 if exists $valid_countries{$country};} );
>
> (The above seems to load correctly)
>
> However, at this point I'm not clear how I should write my rule
> definition. Should I write a RegExp rule, match on the string I'm
> after (and extract the IP) then use a call action to call my function
> above? Or can I use the PerlFunc action?
>
> Thanks,
> Ray
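
The PerlFunc variant mentioned in the reply, written out as an added example that is not part of the original thread. It assumes SEC is started with --intevents so that the startup rule fires; the names $main::gi and $main::valid are chosen here, and treating a failed GeoIP lookup as an unexpected country is a design choice of this example.

```conf
# Added example, not from the original thread.
# Rule 1: load Geo::IP once and keep the lookup handle and the country
# allow list in package main. "use" (instead of the thread's "require")
# imports the GEOIP_STANDARD constant before the handle is created.
# The allow list is a hash reference so that no Perl "%" sigil appears
# inside the action list next to SEC's own %variables.
type=Single
ptype=RegExp
pattern=(SEC_STARTUP|SEC_RESTART)
context=SEC_INTERNAL_EVENT
desc=Load GeoIP module and build the country allow list
action=eval %geoip ( use Geo::IP; \
         $main::gi = Geo::IP->new(GEOIP_STANDARD); \
         $main::valid = { IN => 1 }; )

# Rule 2: one PerlFunc pattern replaces the RegExp pattern plus the
# context expression. Returning a single false value means "no match";
# returning a list means "match", and SEC maps the list to $1, $2.
# An address with no country in the database is reported as "unknown"
# and therefore alerts (fail closed) instead of being silently accepted.
# No "#" comments are used inside the function, because the continued
# lines are joined into one line before Perl compiles them.
type=Single
ptype=PerlFunc
pattern=sub { return 0 unless $_[0] =~ /FTP login from ([\d.]+)/; \
  my $ip = $1; \
  my $country = $main::gi->country_code_by_addr($ip); \
  $country = "unknown" unless defined $country; \
  return 0 if exists $main::valid->{$country}; \
  return ($ip, $country); }
desc=FTP login from unexpected country $2 (address $1)
action=write - %s
```

Because the function returns both the address and the country code, the alert text carries enough context to triage the login without a second lookup.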